Re: [TLS] Consistency for Signature Algorithms?
Dr Stephen Henson <lists@drh-consultancy.co.uk> Fri, 21 July 2017 19:58 UTC
Return-Path: <lists@drh-consultancy.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4394E129B25 for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 12:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PgcLdfsOuKEd for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 12:58:15 -0700 (PDT)
Received: from claranet-outbound-smtp02.uk.clara.net (claranet-outbound-smtp02.uk.clara.net [195.8.89.35]) by ietfa.amsl.com (Postfix) with ESMTP id 1A1E01296C9 for <tls@ietf.org>; Fri, 21 Jul 2017 12:58:15 -0700 (PDT)
Received: from host86-161-69-224.range86-161.btcentralplus.com ([86.161.69.224]:16224 helo=[192.168.1.75]) by relay02.mail.eu.clara.net (relay.clara.net [81.171.239.32]:10465) with esmtpa (authdaemon_plain:drh) id 1dYe3q-0006qP-9K (return-path <lists@drh-consultancy.co.uk>); Fri, 21 Jul 2017 19:58:08 +0000
To: Dr Benjamin Kaduk <bkaduk@akamai.com>, tls@ietf.org
References: <3586282.tDsyLpRkWM@pintsize.usersys.redhat.com> <20a46494-8fd2-2cbf-556d-070b48056d4d@drh-consultancy.co.uk> <b345a560-9d7b-ca04-7940-886a814f1907@akamai.com>
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <96e9b9b8-bd22-6898-8a4e-c80a98996e48@drh-consultancy.co.uk>
Date: Fri, 21 Jul 2017 20:58:03 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <b345a560-9d7b-ca04-7940-886a814f1907@akamai.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GlSPltnaVs-Y8JHTuQMGdoAZg04>
Subject: Re: [TLS] Consistency for Signature Algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 19:58:17 -0000
-- Dr Stephen N. Henson. Founder member of the OpenSSL project: http://www.openssl.org/ On 21/07/2017 20:45, Dr Benjamin Kaduk wrote: > On 07/21/2017 08:41 AM, Dr Stephen Henson wrote: >> On 21/07/2017 14:23, Hubert Kario wrote: >>> Signature Algorithms for ECDSA now define both the curve and the hash >>> algorithm: >>> >>> ecdsa_secp256r1_sha256(0x0403), ecdsa_secp384r1_sha384(0x0503), >>> ecdsa_secp521r1_sha512(0x0603), >>> >>> This is in contrast to the TLS 1.2 protocol, where any hash can be used >>> with any curve. >>> >>> There are good reasons for that change: - less combinations to test - >>> establishes the low water mart for security >>> >>> I see few problems with that though: 1). there are not insignificant number >>> of clients that advertise support for all (at least P-256 and P-384) >>> curves, but don't advertise support for hashes stronger than SHA-256 with >>> ECDSA[1] 2). This is inconsistent with RSA-PSS behaviour, where key size is >>> completely detached from the used hash algorithm. 3). This is not how ECDSA >>> signatures in X.509 work, so it doesn't actually limit the signatures on >>> certificates (in other words, as an implementer you need to support all >>> hashes with all curves either way) >>> >> There is another and significant problem with the change. In TLS 1.2 support >> for a curve was indicated in the supported curves extension and it implied >> support for ECDH and ECDSA. This has changed in TLS 1.3: curves in the >> supported groups extension are for ECDH only. Support for a curve for ECDSA is >> indicated in the signature algorithms extension. > > Could you say a bit more about why you believe this to be a problem? On the > face of it, it seems that the previous state overloaded a single field to mean > multiple only semi-related things, whereas the new formulation keeps things more > orthogonal and easier to implement in a modular way. That is, groups are for > key exchange, and signature algorithms are for signing, and there is no muddy > overlap between them. > I didn't mean there was a problem with the current spec, I meant there was a problem with the proposed change: i.e. to remove the curve requirement from signature algorithms. Steve. -- Dr Stephen N. Henson. Founder member of the OpenSSL project: http://www.openssl.org/
- [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Ilari Liusvaara
- Re: [TLS] Consistency for Signature Algorithms? Watson Ladd
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Viktor Dukhovni
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Eric Rescorla
- Re: [TLS] Consistency for Signature Algorithms? Blumenthal, Uri - 0553 - MITLL