IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 March 2017 01:29 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D6CC129BDB for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 18:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzRTDDJ0juIF for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 18:29:57 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BE71129B10 for <tls@ietf.org>; Thu, 23 Mar 2017 18:29:57 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id B93247A32F1 for <tls@ietf.org>; Fri, 24 Mar 2017 01:29:56 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <1490317199552.71745@cs.auckland.ac.nz>
Date: Thu, 23 Mar 2017 21:29:55 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <52C6D0EF-D6AC-484A-9096-BDAE5C870F82@dukhovni.org>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net> <1490317199552.71745@cs.auckland.ac.nz>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/F13NTGTTBpBvOeDG9Z5TNyGe2fM>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 01:30:00 -0000

> On Mar 23, 2017, at 9:00 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> See several previous discussions on the rationale behind
> this (hmm, if you can find them :-).

See, for example, the thread that contains:

  https://www.ietf.org/mail-archive/web/tls/current/msg17977.html

I chose that message because it was easy to find.  This particular
topic has been a bit of a focus of mine on this list, so searching
for my posts with a few of the related keywords pretty quickly
messages on this topic.

Given that TLS is opportunistic in SMTP, I strive to find ways to
achieve as much as security as one can get and not end up with
less by dogmatically insisting on more than is possible.  Hence
RFC7435, and more recently the dose of pragmatism that made it
possible to convince the group to avoid repeating the error in
the TLS 1.3 spec.

The net effect is that in practice you simply ignore the signature
algorithms when it comes to the certificate chain.  I've never seen
a TLS server that has multiple chains to choose from for the same
server identity.  This applies also to TLS 1.2, despite RFC 5246.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email