Re: [TLS] TLS 1.3 certificate delegation?
mrex@sap.com (Martin Rex) Fri, 08 November 2013 07:21 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A331321E81A7 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 23:21:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.153
X-Spam-Level:
X-Spam-Status: No, score=-10.153 tagged_above=-999 required=5 tests=[AWL=0.096, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1z1UQem+akne for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 23:21:12 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 4920D11E8145 for <tls@ietf.org>; Thu, 7 Nov 2013 23:21:11 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id rA87L9bH013518 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 8 Nov 2013 08:21:10 +0100 (MET)
In-Reply-To: <CALCETrVff+YE8xhDF21LAMQ15xjEoFwnkkRh=DMGhPmQmYOs4g@mail.gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Nov 2013 08:21:09 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131108072109.CA6061AA6A@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 07:21:17 -0000
Andy Lutomirski wrote: > > FWIW, there's precedent for using new TLS versions to expand the set > of allowable certificates. If I"m reading it correctly, TLS 1.2 > allows ECDSA certificates that are signed with RSA; TLS 1.1 and below > will reject those. TLSv1.1 will certainly not reject those. It is only rfc4492 that incorrectly alleges that those should be rejected. And an implementation of TLSv1.2 client that would accept an ECDSA EE server cert signed by an RSA cert when TLSv1.2 is negotiated, but would reject the very same server certificate when TLSv1.1 is negotiated (but would accept it with TLSv1.1 when a pure ECC cert path is present) would yield "seriously broken" on my scorecard. A number of TLS specs are plastered with rfc2119-violating and therefore bogus and void requirements. I somewhat optimistic that a number of implementations ignore those bogus requirements already. Fixing the remaining implementations to ignore those bogus requirements might turn out to be easier than fixing the documents, though... What I find confusing about rfc4492 is how the hash for digitally-signed is selected & signalled for TLSv1.0 and TLSv1.1--that seems somewhat undefined in the document. But then, using ECDSA with TLS would be pretty suicidal. (EC)DSA are an extremly brittle algorithms, i.e. "cryptoglycerin", and while rfc6979 might help in producing k in constant time, the algorithm for computing the inverse of k as specified in FIPS 186-4 Appendix C.1 is not a constant-time algorithm, and might leak sufficient "implicit hint" about k that it makes the signing process "vulnerable to catastrophic failures" when it is performed inband/online, such as in TLS, where the server must sign each ServerKeyExchange handshake message inband. -Martin
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Carl Wallace
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Bill Frantz
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Salz, Rich
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Johannes Merkle
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Michael D'Errico
- Re: [TLS] TLS 1.3 certificate delegation? Rob Stradling
- Re: [TLS] TLS 1.3 certificate delegation? Andy Lutomirski
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester
- Re: [TLS] TLS 1.3 certificate delegation? Martin Rex
- Re: [TLS] TLS 1.3 certificate delegation? Peter Sylvester