IETF Logo Mail Archive

Re: [TLS] TLS 1.3 certificate delegation?

mrex@sap.com (Martin Rex) Fri, 08 November 2013 07:21 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A331321E81A7 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 23:21:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.153
X-Spam-Level:
X-Spam-Status: No, score=-10.153 tagged_above=-999 required=5 tests=[AWL=0.096, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1z1UQem+akne for <tls@ietfa.amsl.com>; Thu, 7 Nov 2013 23:21:12 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 4920D11E8145 for <tls@ietf.org>; Thu, 7 Nov 2013 23:21:11 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id rA87L9bH013518 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 8 Nov 2013 08:21:10 +0100 (MET)
In-Reply-To: <CALCETrVff+YE8xhDF21LAMQ15xjEoFwnkkRh=DMGhPmQmYOs4g@mail.gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Nov 2013 08:21:09 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131108072109.CA6061AA6A@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 07:21:17 -0000

Andy Lutomirski wrote:
> 
> FWIW, there's precedent for using new TLS versions to expand the set
> of allowable certificates.  If I"m reading it correctly, TLS 1.2
> allows ECDSA certificates that are signed with RSA; TLS 1.1 and below
> will reject those.

TLSv1.1 will certainly not reject those.
It is only rfc4492 that incorrectly alleges that those should be rejected.

And an implementation of TLSv1.2 client that would accept an ECDSA
EE server cert signed by an RSA cert when TLSv1.2 is negotiated,
but would reject the very same server certificate when TLSv1.1 is
negotiated (but would accept it with TLSv1.1 when a pure ECC
cert path is present) would yield "seriously broken" on my scorecard.

A number of TLS specs are plastered with rfc2119-violating
and therefore bogus and void requirements.

I somewhat optimistic that a number of implementations ignore
those bogus requirements already.  Fixing the remaining implementations
to ignore those bogus requirements might turn out to be easier than
fixing the documents, though...


What I find confusing about rfc4492 is how the hash for digitally-signed
is selected & signalled for TLSv1.0 and TLSv1.1--that seems somewhat
undefined in the document.


But then, using ECDSA with TLS would be pretty suicidal.  (EC)DSA are
an extremly brittle algorithms, i.e. "cryptoglycerin", and while
rfc6979 might help in producing k in constant time, the algorithm
for computing the inverse of k as specified in FIPS 186-4 Appendix C.1
is not a constant-time algorithm, and might leak sufficient "implicit hint"
about k that it makes the signing process "vulnerable to catastrophic
failures" when it is performed inband/online, such as in TLS, where
the server must sign each ServerKeyExchange handshake message inband.


-Martin

v2.23.0 | Report a Bug | By Email