Re: [TLS] TLS 1.3 draft-07 sneak peek

[Jeffrey Walton <noloader@gmail.com>]

On Tue, Jul 7, 2015 at 10:34 AM, Ilari Liusvaara
<ilari.liusvaara@elisanet.fi> wrote:
> On Fri, Jul 03, 2015 at 07:25:04PM -0400, Dave Garrett wrote:
>> On Friday, July 03, 2015 07:13:15 pm Eric Rescorla wrote:
>> > I think we probably need to have WG consensus for the SHA-1 thing.
>>
>> Yes, that's why I left it out of that changeset. I don't think the
>> topic of what to do in the TLS 1.3 spec with SHA1 has been discussed
>> on this list. (if it has, please point me to the thread if someone
>> can)
>>
>> The simplest thing would be to have a MUST NOT offer or negotiate
>> in 2017 or later and a NOT RECOMMENDED to use until then. Or, we
>> could go deeper into the weeds and talk about expiration dates.
>> Banning it totally for TLS 1.3+ is also an option, but probably not
>> wanted yet.
>
> No, the simplest thing would be to ban it entierely:
> - MUST ignore entries with MD5 or SHA1 hash in
>   supported_signature_algorithms, even if those are the only
>   ones (which will cause handshake failure).
> - MUST terminate connection with insufficient_security if MD5 or
>   SHA1 is seen in DigitallySigned.algorithm.

The browsers have already independently moved to do the same:

* https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
* https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
* http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Other user agents could probably get on a similar schedule with little
to no hardship. I've noticed the OS (like Windows) and Frameworks
(like .Net) seem to be driven by the web security model, so its not a
leap at all. Its kind of like the tail wagging the dog - folks get the
weaker security model by default, and have to do extra work to close
gaps.

Jeff