Re: [TLS] Possible TLS 1.3 erratum

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 19 July 2021 12:06 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 19 Jul 2021 12:06:41 +0000
Message-ID: <SY4PR01MB6251452C5CD94479D34112DBEEE19@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <ME3PR01MB624282F25AA6983F9CEFDCD2EE129@ME3PR01MB6242.ausprd01.prod.outlook.com> <CABcZeBNajvtG8pebcrD2dgmP+Pb4+gTQMfB6NDOMH7hpqNSS-w@mail.gmail.com> <SY4PR01MB62513B6545E754DC00C09D80EE119@SY4PR01MB6251.ausprd01.prod.outlook.com>, <YPGRRZVx1DbhEJ+x@LK-Perkele-VII2.locald>
In-Reply-To: <YPGRRZVx1DbhEJ+x@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GbD8OuylHtHwB8tffCRSkfOToHk>
Subject: Re: [TLS] Possible TLS 1.3 erratum

Ilari Liusvaara <ilariliusvaara@welho.com> writes:

>Actually, I think this is quite a messy issue:

It certainly is.

>Signature schemes 0x0403, 0x0503 and 0x0603 alias signature algorithm 3 hash
>4, 5 and 6. However, those two things are not the same, because the former
>have curve restriction, but the latter do not.

That and the 25519/448 values are definitely the weirdest of the lot.  In
particular the value 0x03 means P256 when used with SHA256, P384 when used
with SHA384, and P521 when used with SHA512.

>So one algorithm one could use is:
>
>- Handle anything with signature 0-3/224-255 and hash 0-6/224-255 as
>  signature/hash pair.
>- Display schemes 0x0840 and 0x0841 specially.
>- Handle anything else as signature scheme.

I think an easier, meaning with less special cases, way to handle it is for a
TLS 1.2 implementation to treat the values defined in 5246 as { hash,
signature } pairs and for TLS 1.3 and newer implementations to treat all
values as 16-bit cipher suites, combined with a reworking of the definitions,
e.g. to define the "ed25519" suite in terms of the curve and hash algorithm,
not just "Ed25519 and you're supposed to know the rest".

>The reason is that some TLS implementations have very hard time supporting
>RSA-PSS certificates.

But why should the TLS layer care about what OID is used to represent an RSA
key in a certificate?  The signature at the TLS level is either a PSS
signature or it isn't; it doesn't matter which OID is used in the certificate
that carries the key.

More to the point, the TLS layer may have no way to determine which OID is
used in the certificate; it's either an RSA key or not, not "it's an RSA key
with OID A" or "it's an RSA key with OID B".

So I think for bis the text should rename rsa_pss_rsae_xxx to just rsa_pss_xxx
and drop rsa_pss_pss_xxx, which I assume has never been used anyway because I
don't know of any public CA that'll issue a certificate with a PSS OID.

Peter.
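The two readings of a signature code point that the thread argues over, as an added example that is not part of the original message and not code from any TLS implementation. It decodes the same 16-bit value under the RFC 5246 {hash, signature} rule and under the RFC 8446 SignatureScheme rule, implements the version-based choice proposed above, and also implements Ilari's three-step display heuristic. The registry tables are transcribed from RFC 5246 section 7.4.1.4.1 and RFC 8446 section 4.2.3; the function names, the `version` tuple convention ((3,3) for TLS 1.2, (3,4) for TLS 1.3) and the treatment of 0x0840/0x0841 as "display the raw code point" (the thread names no scheme for them) are assumptions made for this example.

```python
"""Two interpretations of a TLS signature code point (example code written
for this thread, not from any TLS library).

TLS 1.2 (RFC 5246): the value is a {HashAlgorithm, SignatureAlgorithm} pair,
one byte each.  TLS 1.3 (RFC 8446): the value is one opaque 16-bit
SignatureScheme.  The same bytes can mean different things in each reading,
which is the aliasing problem the thread describes.
"""
from typing import Optional, Tuple

# RFC 5246 section 7.4.1.4.1 registries (base TLS 1.2 tables only).  Later
# RFCs register more values, e.g. ed25519(7)/ed448(8) signature algorithms in
# RFC 8422 and the Intrinsic(8) hash in RFC 8446; they are deliberately left
# out here so that the "you're supposed to know the rest" gap is visible.
HASH_ALG = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
            4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# RFC 8446 section 4.2.3 SignatureScheme code points.
SIGNATURE_SCHEME = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
}

# Code points Ilari's heuristic displays specially; the thread gives no names
# for them, so this example (assumption) just shows the raw value.
SPECIAL_DISPLAY = {0x0840, 0x0841}


def decode_tls12(code: int) -> Optional[str]:
    """RFC 5246 reading: high byte is the hash, low byte the signature
    algorithm.  Note that 'ecdsa' here carries no curve restriction."""
    hash_id, sig_id = code >> 8, code & 0xFF
    if hash_id in HASH_ALG and sig_id in SIG_ALG:
        return f"{SIG_ALG[sig_id]}/{HASH_ALG[hash_id]}"
    return None  # unknown to the base 1.2 tables (e.g. 0x0807 ed25519)


def decode_tls13(code: int) -> Optional[str]:
    """RFC 8446 reading: the whole 16-bit value names one scheme, including
    its curve where applicable."""
    return SIGNATURE_SCHEME.get(code)


def decode(code: int, version: Tuple[int, int]) -> Optional[str]:
    """The proposal from the message above: pick one reading purely by the
    negotiated protocol version, with no per-value special cases.
    version is the legacy (major, minor) pair: (3,3) = TLS 1.2, (3,4) = 1.3."""
    return decode_tls12(code) if version < (3, 4) else decode_tls13(code)


def classify_for_display(code: int) -> Tuple[str, Optional[str]]:
    """Ilari's heuristic from the quoted text: signature byte in 0-3 or
    224-255 together with hash byte in 0-6 or 224-255 is a pair; 0x0840 and
    0x0841 are shown specially; everything else is a SignatureScheme."""
    hash_id, sig_id = code >> 8, code & 0xFF
    if code in SPECIAL_DISPLAY:
        return ("special", f"0x{code:04X}")
    in_pair_sig = sig_id <= 3 or sig_id >= 224
    in_pair_hash = hash_id <= 6 or hash_id >= 224
    if in_pair_sig and in_pair_hash:
        # Private-use bytes (224-255) have no names; fall back to numbers.
        name = decode_tls12(code) or f"sig{sig_id}/hash{hash_id}"
        return ("pair", name)
    return ("scheme", decode_tls13(code))


if __name__ == "__main__":
    # Side-by-side view of the aliasing: same bytes, different meaning.
    for cp in (0x0403, 0x0503, 0x0603, 0x0804, 0x0807, 0x0840):
        print(f"0x{cp:04X}  tls1.2={decode(cp, (3, 3))!s:16} "
              f"tls1.3={decode(cp, (3, 4))!s:24} "
              f"display={classify_for_display(cp)}")
```

Running the block prints the comparison table; the interesting rows are 0x0403/0x0503/0x0603, where the TLS 1.2 reading says only "ecdsa with SHA-x" while the TLS 1.3 reading pins the curve, and 0x0807, which the base 1.2 tables cannot name at all.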