IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Eric Rescorla <ekr@rtfm.com> Sat, 11 July 2015 23:18 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66B4B1A00C1 for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 16:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QAv_7rTd5Be for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 16:18:43 -0700 (PDT)
Received: from mail-lb0-f177.google.com (mail-lb0-f177.google.com [209.85.217.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59DDB1A00C3 for <tls@ietf.org>; Sat, 11 Jul 2015 16:18:43 -0700 (PDT)
Received: by lblf12 with SMTP id f12so38959150lbl.2 for <tls@ietf.org>; Sat, 11 Jul 2015 16:18:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=rqUGFMlE9a87PVLYb7P1ZuBCfcE7Xa/qeeu5C8FbEAg=; b=GePnGt7yXGoPD3seNFu2fmOWTxZBGz5Olh49yAZbz/Z0wogf2zpXuGVBzT966qdqeG LoX1RNrRDfAjVgBerTuKCZEZCebn8Gz/9T9HjmiSLkB3rpXeOZSOKdEsbC/eIhnghU8D cIiB8GTwrCWoGPIRaZkhwFbDHHF2yZqzE83HJsXcX6MbhUjWSwf/pHY/5m/sJj5VqOll B5C+CWy4yB/cdcxikfzpxtzC1HSvvpGWgosrlrf6krqCiTGGUqixiGJjiu9MIIKusQit z0P8mfjewmpcWlhRvQYP5OCm4VgDTxqCxmT/h+svWH89Lw+Bul/vaQNHTBy1z8kyOBSl Df1A==
X-Gm-Message-State: ALoCoQl4yYjzAc5n4fRdXj0GexAgLA9D3aH3DvSLiI20sXEGax6k2MHuPFOjtcwu7xI+vc3xDO1C
X-Received: by 10.152.30.4 with SMTP id o4mr25060441lah.74.1436656721552; Sat, 11 Jul 2015 16:18:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.99.103 with HTTP; Sat, 11 Jul 2015 16:18:01 -0700 (PDT)
In-Reply-To: <201507111709.27725.davemgarrett@gmail.com>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <201507111605.01407.davemgarrett@gmail.com> <20150711204810.GU28047@mournblade.imrryr.org> <201507111709.27725.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 11 Jul 2015 19:18:01 -0400
Message-ID: <CABcZeBNCBrNeMKm5hCLQ741zFRpcXQ321onofH2EWJbiQrSs6w@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="089e0160b4368d8010051aa1b595"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Dpeqk7-ZsamhHEhsfbpMG52j99I>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 23:18:45 -0000

On Sat, Jul 11, 2015 at 5:09 PM, Dave Garrett <davemgarrett@gmail.com>
wrote:

> On Saturday, July 11, 2015 04:48:10 pm Viktor Dukhovni wrote:
> > Largely close enough.  Feel free to borrow any text from the below
> > that you find to be an improvement.
> >
> >     ========================================
> >
> >     Whenever possible, all certificates provided by the server
> >     SHOULD be signed by a hash/signature algorithm pair indicated
> >     by the client's supported algorithms extension (or the defaults
> >     assumed in its absence).  If the server cannot produce a
> >     certificate chain that is signed via only the indicated supported
> >     pairs, then it SHOULD continue the handshake by sending the
> >     client a certificate chain of its choice that may include
> >     hash/signature algoriths that are not known to be supported by
> >     the client.
> >
> >     The public key in the leaf certificate must of course be
> >     compatible with the chosen cipher-suite, and the subsequent
> >     ServerKeyExchange message must be signed via a mutually supported
> >     hash/signature algorithm pair.
> >
> >     If the client cannot construct a satisfactory chain using the
> >     provided certificates and decides to abort the handshake, then
> >     it MUST send an "unsupported_certificate" alert message and
> >     close the connection.
> >
> >     ========================================
>
> The middle bit is already in existing text above the section in question.
>
> New version with a little rewording and a typo fix.
>
> \/
>
> ========================================
> All certificates provided by the server SHOULD be signed by a
> hash/signature algorithm pair indicated by the client's
> "signature_algorithms" extension (or the defaults assumed in
> its absence), where possible. If the server cannot produce a
> certificate chain that is signed only via the indicated supported
> pairs, then it SHOULD continue the handshake by sending the
> client a certificate chain of its choice that may include algorithms
> that are not known to be supported by the client. If the client
> cannot construct an acceptable chain using the provided certificates
> and decides to abort the handshake, then it MUST send an
> "unsupported_certificate" alert message and close the connection.
> =======================================
>

I'm not happy with this. There should be a MUST-level requirement to provide
a conformant chain if possible.

-Ekr



>
> Dave
>

v2.23.0 | Report a Bug | By Email