Re: [TLS] TLS 1.3 draft-07 sneak peek

Eric Rescorla <ekr@rtfm.com> Tue, 07 July 2015 16:09 UTC

In-Reply-To: <201507071054.57330.davemgarrett@gmail.com>
References: <CABcZeBOWK_WnHAefsZUBr4UyEkyiZqi1mhoZH8ZeGFftdOqTTw@mail.gmail.com> <201507031925.04809.davemgarrett@gmail.com> <20150707143431.GA853@LK-Perkele-VII> <201507071054.57330.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Jul 2015 09:08:30 -0700
Message-ID: <CABcZeBMTphBYmJtxvdUTbdwx6VkXUNfTYh7Xh7JkvcQtts4CjQ@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="f46d044401961b5261051a4b3e6c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/GZo_M-RiOsl-qX9puhX3jN6lQpk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek

Let's distinguish between two different uses of SHA-1:

1. In certificates.
2. In TLS signatures.

I have no problem with insisting that TLS 1.3 not do SHA-1 for signatures in
the protocol. However, given that there are lots of SHA-1 certificates in the
field and the world is bigger than browsers, it seems like forbidding use of
SHA-1 in certificates for TLS 1.3 (while it's still available to TLS 1.2) acts
mostly as a disincentive to adoption for TLS 1.3, so I'm currently not in
favor of that.

-Ekr



On Tue, Jul 7, 2015 at 7:54 AM, Dave Garrett <davemgarrett@gmail.com> wrote:

> On Tuesday, July 07, 2015 10:34:31 am Ilari Liusvaara wrote:
> > On Fri, Jul 03, 2015 at 07:25:04PM -0400, Dave Garrett wrote:
> > > On Friday, July 03, 2015 07:13:15 pm Eric Rescorla wrote:
> > > > I think we probably need to have WG consensus for the SHA-1 thing.
> > >
> > > Yes, that's why I left it out of that changeset. I don't think the
> > > topic of what to do in the TLS 1.3 spec with SHA1 has been discussed
> > > on this list. (if it has, please point me to the thread if someone
> > > can)
> > >
> > > The simplest thing would be to have a MUST NOT offer or negotiate
> > > in 2017 or later and a NOT RECOMMENDED to use until then. Or, we
> > > could go deeper into the weeds and talk about expiration dates.
> > > Banning it totally for TLS 1.3+ is also an option, but probably not
> > > wanted yet.
> >
> > No, the simplest thing would be to ban it entirely:
> > - MUST ignore entries with MD5 or SHA1 hash in
> >   supported_signature_algorithms, even if those are the only
> >   ones (which will cause handshake failure).
> > - MUST terminate connection with insufficient_security if MD5 or
> >   SHA1 is seen in DigitallySigned.algorithm.
> >
> > SHA-1 is known to be seriously broken. That is way more than
> > enough reason to completely remove it. Especially from new
> > standards.
> >
> > If one wants those to also apply to TLS 1.2, plus:
> > - MUST send signature_algorithms extension in TLS 1.2+,
> >   server MUST terminate connections without it.
> > - MUST NOT send MD5 or SHA1 entries in
> >   supported_signature_algorithms.
>
> I very much agree that banning it entirely is the ideal route, but there
> were indications given that we didn't want to do this, unfortunately.
>
> Again I'll state: by the time TLS 1.3 is done and actually being adopted,
> an assumption of no SHA1 will be even more expected. Servers that are
> playing chicken with browsers planning on dropping support for them in a
> matter of months can stick to TLS 1.2.
>
>
> Dave
>
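The two checks Ilari proposes in the quoted message (ignore MD5/SHA1 entries in supported_signature_algorithms, failing the handshake if nothing else is offered, and abort with insufficient_security when DigitallySigned.algorithm names MD5 or SHA1), written out as an added example. This is not code from the thread or from any TLS implementation; it assumes the RFC 5246 SignatureAndHashAlgorithm wire encoding (one HashAlgorithm byte followed by one SignatureAlgorithm byte per entry, with a two-byte list length) and the RFC 5246 alert codes, and the extension bodies it parses are constructed samples.

```python
"""Added example: applying a no-MD5/no-SHA1 signature policy to the
signature_algorithms extension and to DigitallySigned.algorithm.
Encoding and alert numbers follow RFC 5246 (assumption, not from the thread)."""
import struct

# RFC 5246 HashAlgorithm and SignatureAlgorithm registry values
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Hash identifiers the policy refuses: md5(1) and sha1(2)
BANNED_HASHES = {1, 2}

# RFC 5246 AlertDescription values
DECODE_ERROR = 50
INSUFFICIENT_SECURITY = 71


class TLSAlert(Exception):
    """A fatal alert the peer would receive before the connection is closed."""
    def __init__(self, description: int):
        super().__init__(f"fatal alert {description}")
        self.description = description


def parse_signature_algorithms(ext_body: bytes):
    """Parse the signature_algorithms extension body into (hash, sig) pairs.

    Layout: uint16 length, then `length` bytes of 2-byte entries. Anything
    inconsistent (odd length, length mismatch, empty list) is a decode_error."""
    if len(ext_body) < 2:
        raise TLSAlert(DECODE_ERROR)
    (length,) = struct.unpack("!H", ext_body[:2])
    data = ext_body[2:]
    if length == 0 or length % 2 != 0 or length != len(data):
        raise TLSAlert(DECODE_ERROR)
    return [(data[i], data[i + 1]) for i in range(0, length, 2)]


def filter_signature_algorithms(pairs):
    """Ignore every entry whose hash is MD5 or SHA1. If that leaves nothing,
    the client offered only banned algorithms and the handshake fails with
    insufficient_security rather than silently falling back."""
    kept = [(h, s) for (h, s) in pairs if h not in BANNED_HASHES]
    if not kept:
        raise TLSAlert(INSUFFICIENT_SECURITY)
    return kept


def describe(pairs):
    """Human-readable names for a list of (hash, sig) pairs."""
    return [f"{HASH_NAMES.get(h, f'hash({h})')}+{SIG_NAMES.get(s, f'sig({s})')}"
            for h, s in pairs]


def negotiate_sigalgs(ext_body: bytes):
    """Server-side view of the extension: ('ok', names) or ('alert', code)."""
    try:
        return ("ok", describe(filter_signature_algorithms(
            parse_signature_algorithms(ext_body))))
    except TLSAlert as alert:
        return ("alert", alert.description)


def verify_signed_algorithm(algorithm: bytes):
    """Check the 2-byte DigitallySigned.algorithm field of a received
    signature before any signature verification is attempted.
    Returns ('ok', name) or ('alert', code)."""
    if len(algorithm) != 2:
        return ("alert", DECODE_ERROR)
    if algorithm[0] in BANNED_HASHES:
        # Never verify an MD5/SHA1 signature, even if it would validate
        return ("alert", INSUFFICIENT_SECURITY)
    return ("ok", describe([(algorithm[0], algorithm[1])])[0])


if __name__ == "__main__":
    # Constructed sample: client offers sha256+rsa, sha1+rsa, sha256+ecdsa
    print(negotiate_sigalgs(b"\x00\x06\x04\x01\x02\x01\x04\x03"))
    # Constructed sample: client offers only sha1+rsa -> handshake failure
    print(negotiate_sigalgs(b"\x00\x02\x02\x01"))
    # Constructed sample: a CertificateVerify claiming sha1+ecdsa
    print(verify_signed_algorithm(b"\x02\x03"))
```

The filter runs before any preference ordering, so a downgrade attempt that lists SHA1 first gains nothing: the entry is simply not considered. The same helper can be reused for the TLS 1.2 variant in the quoted message, where a missing extension (an empty `ext_body`) is also treated as a failure.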