Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 24 March 2017 01:00 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Fries, Steffen" <steffen.fries@siemens.com>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 24 Mar 2017 01:00:07 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/E66lvHWtUYGLiaNDHxRokc5_9qs>

Fries, Steffen <steffen.fries@siemens.com> writes:

>I looked through the mailing list but did not find an immediate answer to my
>question, but I guess, it must have been discussed already. 

It's been discussed several times, but I'm not sure which search terms you'd
have to apply to find the threads... the general consensus was that even
though the text says it applies to certificates as well, you ignore this
because it serves no obvious purpose but breaks functionality and
interoperability.  See several previous discussions on the rationale behind
this (hmm, if you can find them :-).

Peter.