Re: [TLS] Require deterministic ECDSA

Dave Garrett <davemgarrett@gmail.com> Sun, 24 January 2016 07:04 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Sun, 24 Jan 2016 02:04:28 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/F4CEaVWqigJ1WUuQkVTRN0bSU7I>

On Saturday, January 23, 2016 07:47:11 pm Michael StJohns wrote:
> 1) A receiver of a deterministic ECDSA signature verifies it EXACTLY
> like they would a non-deterministic signature.
> 2) A receiver of an ECDSA signature cannot determine whether or not the 
> signer did a deterministic signature.
> 3) A TLS implementation has no way (absent repeating signatures over 
> identical data) of telling whether or not a given signature using the 
> client or server private key is deterministic.
> 
> All that suggests that this is a completely unenforceable requirement 
> with respect to TLS.

We can have unverifiable & unenforceable MUSTs. A SHOULD might be more appropriate, however, if we want to acknowledge this limitation to some degree.

> The above is a long way of saying that this is a WG overreach on 
> internal security module behavior that is not central, cognizable or 
> identifiable to a TLS implementation.

As far as I'm concerned, anything that directly affects the security of TLS is not an overreach. Beyond scope of control, yes, but it's not an overreach to lay out how to do things properly that commonly result in vulnerabilities with TLS. Like everything else in an RFC, it can of course be ignored, but I think it's worth it to make an official statement in the spec on how to do things properly.


Dave