Re: [TLS] TLS 1.2 and CertificateRequest message

Michael D'Errico <mike-list@pobox.com> Thu, 22 October 2009 22:06 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73A8E3A67DA for <tls@core3.amsl.com>; Thu, 22 Oct 2009 15:06:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCM2nBgaUxAl for <tls@core3.amsl.com>; Thu, 22 Oct 2009 15:06:25 -0700 (PDT)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 6F05D3A67C0 for <tls@ietf.org>; Thu, 22 Oct 2009 15:06:25 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 11F4382020 for <tls@ietf.org>; Thu, 22 Oct 2009 18:06:35 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=O+99f9kc8AM4 4JPoCEojKoT2144=; b=aIuNyTMlQ60D2nYy3d6opGngldHY2OotmnH8mkingzV4 Cqk+jDr8xD1zpNfV+q+ZBVt0UWSmLSwU2b5RavMNXYQ8YKhnWnWUI+JwgFMHm4nb G0yWATfyGC4JKBPEbusbXYNc9EnD2qSP+Q3buHdNHciEhzylyEGDKmWC1fQ9pNE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=R60dbH rfyUt9jNSubG+ZbOEmyrdhslshu0GE9y6GJvykREBIljix+N0xgTu5KpAwIXQosl dY29Ngd9prl74HuuAJpXyWHpFg2dU481DgLmfQ8/gsS4qPAYliiPOwUbY/SO/is1 6h03UltqgKxc/5tfsmrukZ+JUQKKhOBFEiV5Q=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 0E09F8201F for <tls@ietf.org>; Thu, 22 Oct 2009 18:06:35 -0400 (EDT)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id 55C8E8201E for <tls@ietf.org>; Thu, 22 Oct 2009 18:06:33 -0400 (EDT)
Message-ID: <4AE0D79A.5060608@pobox.com>
Date: Thu, 22 Oct 2009 15:07:22 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <4AE0CD8F.6000508@gnutls.org>
In-Reply-To: <4AE0CD8F.6000508@gnutls.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 29AFF3DC-BF57-11DE-B468-A67CBBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] TLS 1.2 and CertificateRequest message
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2009 22:06:26 -0000

I remember participating in the discussion that led to this design.  I
argued that since we added a signature algorithms extension to allow
negotiation of the client's preferred algorithms, it made the most
sense to make the extension symmetric so the server could notify the
client of its preferred algorithms in its hello message as well.

There was opposition to my argument, that the list of algorithms belongs
where it is needed, in the certificate request message.  The term
"locality of reference" was thrown around as a justification.  Not being
an official member of the working group, and since nobody else seemed to
prefer my idea, I forfeited the point.

To solidify this design choice the definition of the signature algorithms
extension states that the server MUST NOT send it.

My own implementation holds onto all the handshake messages and calculates
the hashes of them when needed.  If you'd like to test interoperability
with my server, https://www.mikestoolbox.net will ask you for a client
certificate.

Mike


Nikos Mavrogiannopoulos wrote:
> Hello,
>  I've been taking a look at TLS 1.2 and it seems that there is some new
> negotiation added at the CertificateRequest message. At this message the
> server is supposed to send a list of allowed algorithm for signature
> calculation, and the client should respond with a signature that depends
> on the previously exchanged handshake messages.
> 
> In previous versions of TLS a client could just start the hash
> calculation for this signature during the exchange to avoid storing the
> actual messages up to this point. However with this negotiation at this
> point it is quite impossible to do that approach and as far as I
> understand needs to follow the store approach.
> 
> My questions now are:
> 1. How is this implemented in compliant software today?
> 
> 2. Why this negotiation was added? I see no added value of having such
> negotiation at a so late point.
> 
> regards,
> Nikos