IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

mrex@sap.com (Martin Rex) Mon, 13 July 2015 21:21 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9989E1A8991 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 14:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qA-V4l1sh1qB for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 14:21:01 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61D631A898D for <tls@ietf.org>; Mon, 13 Jul 2015 14:21:01 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 8385344307; Mon, 13 Jul 2015 23:20:59 +0200 (CEST)
X-purgate-ID: 152705::1436822459-0000413A-7EF01667/0/0
X-purgate-size: 1972
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 75D46406A1; Mon, 13 Jul 2015 23:20:59 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 6D2091A1DD; Mon, 13 Jul 2015 23:20:59 +0200 (CEST)
In-Reply-To: <CABcZeBNs9+h9UWfu=eDC3JBQ1ULCcuBSOK8B9JdDsiX-Ne5g2g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 13 Jul 2015 23:20:59 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150713212059.6D2091A1DD@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/D4K4z7ji0fCNtbxF05wxevQqKrA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 21:21:03 -0000

Eric Rescorla wrote:
> I'm not necessarily opposed to relaxing this requirement on the server,
> but given that:
> 
> 1. SHA-1 is on its way out.
> 2. Future versions of TLS seem very likely to explicitly indicate which
> hash algorithms the clients support.
> 
> I'm kind of confused about the principle being espoused here. In general,
> when the client has told the server what's acceptable and the server
> doesn't have it, we abort the handshake. What makes this case different
> from (say) the client only supporting P256 and the server only supporting
> Curve25519 but deciding to send Curve25519 anyway?

The choice of Curve25519 for an ECDHE_RSA or ECDHE_DSA key exchange is a
transform at the _TLS_ protocol level that a client's _TLS_ implementation
must support in order to perform the TLS handshake.

Algorithms for the signature on the server certifcate or signatures
higher up the certificate path conveyed by the server are

  -   *NOT* part of the TLS handshake, they're instead performed
      by what is usally a totally different software module (PKIX)
      from the TLS protocol implementation

  -   *NOT* predictable to be used to get used (and verified) by the
      client's certificate path validation function after whatever
      fancy "certificate path discovery" the client might be performing
      before validating the server's certificate.  The client might
      also be directly trusting the server's key (cert pinning,
      DANE usage 3 and other possibilities), where it is not clear
      whether the the signature on the certificate presented by the
      server needs to be verified at all.


So the difference here is HUGE.

Btw., TLSv1.2 implementations that do not support multiple server
certificates that differ only by algorithms, are probably skipping the
entire TLSv1.2 cert signature algorithms fandango and exhibit a highly
interoperable behaviour quite naturally.


-Martin

v2.23.0 | Report a Bug | By Email