Re: [TLS] Simplifying signature algorithm negotiation

Ilari Liusvaara <> Sat, 16 January 2016 07:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C9BFA1A1A27 for <>; Fri, 15 Jan 2016 23:47:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zaUpzCMoGA2w for <>; Fri, 15 Jan 2016 23:47:56 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E512C1A1A25 for <>; Fri, 15 Jan 2016 23:47:55 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 57CE1501; Sat, 16 Jan 2016 09:47:54 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by localhost ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id 44pCxDbnPqJ0; Sat, 16 Jan 2016 09:47:53 +0200 (EET)
Received: from LK-Perkele-V2 ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 703E8230D; Sat, 16 Jan 2016 09:47:53 +0200 (EET)
Date: Sat, 16 Jan 2016 09:47:49 +0200
From: Ilari Liusvaara <>
To: David Benjamin <>
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Simplifying signature algorithm negotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 16 Jan 2016 07:47:59 -0000

On Sat, Jan 16, 2016 at 01:10:06AM +0000, David Benjamin wrote:
> On Fri, Jan 15, 2016 at 7:08 PM Brian Smith <> wrote:
> Hrm. That hadn't occurred to me, no. Fewer values sounds good, if we can
> lose them. I just wrote out all 9 without thinking about it much. Apart
> from "please don't cause me interop pain", I don't have strong opinions
> about how aggressively we prune the list.

Also, only the matching-size 3 of those 9 combinations tend to be
properly (as in, computing correct results most of the time)
implemented. Other 6 can easily be busted, especially the 3 where
hash is larger than curve, as that hits the hash truncation
special case.
> My main worry is, for better or worse (I realize this is a point of
> contention), some servers apply sigalgs to both CertificateVerify and
> certificates. If someone has an ECDSA-P384-SHA256 certificate, changing the
> definition of { ecdsa, sha256 } between TLS 1.2 and TLS 1.3 could be a
> nuisance.

I would think that any case where meanings are different (except for
case where use in TLS 1.3 is restricted) is a nuisance.

Avoiding these differences with restriction of server signatures to
RSA-PSS would imply that if client signals TLS 1.3 with only the only
RSA algorithms being the v1.5 ones, then server can't sign using RSA
if selecting TLS 1.3.

And it would also imply that if TLS 1.2 server gets TLS 1.3 client
hello with the new RSA-PSS algorithms, it can sign using RSA-PSS,
even after having downnegotiated TLS 1.2.

> Or maybe it won't? Such servers wouldn't be using TLS 1.3 right now. Though
> it would prevent them from adopting TLS 1.3 without switching certificates.
> Alternatively, if people decide that sigalgs and certificates officially
> have nothing to do with each other in TLS 1.3, then things are fine but we
> wouldn't have a way to negotiate such algorithms. I was hoping to avoid
> that issue for this proposal, but there is some interaction.

The ECDSA nasty case can only occur for certificate-to-certificate
linkages, since EE SPKI does not contain hash algorithm, and server is
always able to choose matching one.

Then TLS 1.3 AFAIK does not deprecate Brainpool, so Brainpool ECDSA can
also be seen...

Then RSA might be nastier: do normal RSA certificates work with RSA-
PSS? If not, then the TLS 1.3 servers can't use them.

> If changing the existing meaning is a nuisance, another option is to
> continue to allocate new values but only define ecdsa_p256_sha256,
> ecdsa_p384_sha384, and ecdsa_p521_sha512 (or whatever your favorite subset
> is) for TLS 1.3 and later.

If one does not want to change too much, then one would have to sup-
port those for TLS 1.2 as well (not breaking signature verification
if such algorithm is first advertised and then selected with connection
downnegotiated to TLS 1.2).
> > 3. You get better interoperability with TLS 1.2's NSA Suite B profile [1].
> > (I don't have any particular affinity for that profile other than it seems
> > to have made choices that have historically been shown to be above average,
> > and it might be a good idea to avoid interop failure with other
> > implementations that might have a special affinity for it.)
> >
> What interop faliures are you worried about here?

Things like: Trying to use ECDSA-P256-SHA384 and then one end not imp-
lementing it correctly (e.g. missing truncation).

Apparently ECDSA-P256-SHA384 failure rate is much higher than
ECDSA-P256-SHA256 and ECDSA-P384-SHA384.

> I don't think it makes sense to strategically assign the second byte for
> new numbers. Either we believe TLS 1.2 implementations are unlikely to
> react to 0x0703 and not worry about it, or we believe they will and we
> reserve all numbers ending in 00-03. (Or we decide that this (u8, u8) to
> u16 hack is too silly and don't do it at all.)

I think it is fairly unlikely that TLS 1.2 endpoints react to things
like 0x0703 or 0x0404. Since even known signature algorithms are un-
usable with unknown hashes, ServerKeyExchange is temporally localized
and CertificateRequest comes too late to be useful for filtering.