IETF Logo Mail Archive

Re: [TLS] TLS 1.3 certificate delegation?

mrex@sap.com (Martin Rex) Fri, 08 November 2013 16:34 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92D4E21F9FF6 for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 08:34:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.161
X-Spam-Level:
X-Spam-Status: No, score=-10.161 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uitFOY5ErXhp for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 08:34:42 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8778811E8165 for <tls@ietf.org>; Fri, 8 Nov 2013 08:34:40 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rA8GYWHn000355 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 8 Nov 2013 17:34:32 +0100 (MET)
In-Reply-To: <527CF53B.7010908@secunet.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Date: Fri, 08 Nov 2013 17:34:32 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131108163432.AE6371AA71@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>, Andy Lutomirski <luto@amacapital.net>
Subject: Re: [TLS] TLS 1.3 certificate delegation?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 16:34:55 -0000

Johannes Merkle wrote:
> 
> >>
> >> FWIW, there's precedent for using new TLS versions to expand the set
> >> of allowable certificates.  If I"m reading it correctly, TLS 1.2
> >> allows ECDSA certificates that are signed with RSA; TLS 1.1 and below
> >> will reject those.
> > 
> > TLSv1.1 will certainly not reject those.
> > It is only rfc4492 that incorrectly alleges that those should be rejected.
> 
> I think you are wrong: Section 7.4.2 of RFC 4346 states
> 
>                               Unless otherwise specified, the signing
>       algorithm for the certificate MUST be the same as the algorithm
>       for the certificate key.

The history of this obvious defect starts in rfc2246.

There exists no such artificial limitation in SSLv3, and when I looked
at implementations I've been using for interop testing a few
years ago (Microsoft SChannel, OpenSSL, Firefox), they would
happily interoperate with an RSA server cert signed by a CA with a
DSA key.  To me it looks like most implementors were either not
aware of this bogus, backwards-incompatible requirement,
or they applied common sense and deliberately ignored it.

One can not "violate" rfc2119 Section 6 more than with the above
statement, so it is null and void.

Not only is this method "must be the same algorithm" not required
for interop, it is the the worst possible way to impair interop
without a cause.


-Martin

v2.23.0 | Report a Bug | By Email