Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1

David Benjamin <davidben@chromium.org> Mon, 21 October 2019 16:20 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0CD51200B6 for <tls@ietfa.amsl.com>; Mon, 21 Oct 2019 09:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.251
X-Spam-Level:
X-Spam-Status: No, score=-9.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLCB5stHa_8D for <tls@ietfa.amsl.com>; Mon, 21 Oct 2019 09:20:15 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 898BF120071 for <TLS@ietf.org>; Mon, 21 Oct 2019 09:20:15 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id r1so8085978pgj.12 for <TLS@ietf.org>; Mon, 21 Oct 2019 09:20:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SrH5Ju/5X+9bT/WeSXbfLe8JRuFzjIzZ9zg0//rPh4k=; b=Oat39a9j6LKIKfO8BjObG5tk8Q3Kj0l/PCcWDBVxCMJefw30ZIEKnTFzN58TjXnpY0 498p6Za8MMhLG7vf/rKL5xC1P/TERXa3oR3FmxconBsmZzAqQXIIuXxkh3TrLhMF9bp6 JBGVgtN0s8aJ6s2LWVafAlf2y5DmD9PiPLoUk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SrH5Ju/5X+9bT/WeSXbfLe8JRuFzjIzZ9zg0//rPh4k=; b=dqOebuclXQE2JLaH6vApKHxGliHESJhZhdRI1VY/qGCjeGRrjep5ONaS4QiQn6GYFw DiyhIiBF4wggWjsVaACb7MMsRTpPnd52+ZvnsD/3iabRtcchi20EsMpj/Dlksr2qqa7z AZotezjRPS9Z1Du4kPpNwdEmj9XTDzN3DrPypVDFK1LFJScNRhRuVUm32GqDfNyVd6LV CcfHHWMNR8+KxgRlxO7MN7U4xchXx8HnR4tN9k9rUQdlI0KdbWiuotDRA08aovO0Kdc+ 6GmuKh7S/rmrh0RV2/EQgdp6VyIJgHFzt6Jx4cqhgFjTOGrdE0n+fG8QkIerPqXyOJq0 1LkA==
X-Gm-Message-State: APjAAAVx6g0QFKx20WUMEZXyaac/xSrN8fCghZhKKYEkC5zl1HNZg58u 7P0dEUyY742zRljbKvDkswmjUMH0l5PW2RRxFFCyfU5W4g==
X-Google-Smtp-Source: APXvYqyAf++QE2b5OLb8izEvH6cqO41eHJcsKf1/NYEWOLobPtpuof0baLAE0IoAKdlPsd6CQ+g1105TOZtUWvmoTRA=
X-Received: by 2002:a65:6201:: with SMTP id d1mr26039171pgv.182.1571674813786; Mon, 21 Oct 2019 09:20:13 -0700 (PDT)
MIME-Version: 1.0
References: <843cc437-4c6d-43ce-b634-527a287c4e27@www.fastmail.com> <2641069.fcJi2IyA6W@pintsize.usersys.redhat.com> <CAF8qwaArxgaKOM-m6ee+DJwn0mfckOt=qc+M7zksec0HR-gLLw@mail.gmail.com> <CAL02cgQC9743xRBk++JhnGxwmNhvUM86sGpae-zPLKUT0VCkzg@mail.gmail.com>
In-Reply-To: <CAL02cgQC9743xRBk++JhnGxwmNhvUM86sGpae-zPLKUT0VCkzg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 21 Oct 2019 12:19:57 -0400
Message-ID: <CAF8qwaAczV=fh9YuHVAyO7YHhGhgiejTt7T8vaFJ_oUuOcnj7g@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fafa1105956e0e5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IQw3Kdqrd5L5O5XKIjgOB_gGjJk>
Subject: Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 16:20:17 -0000

On Mon, Oct 21, 2019 at 12:11 PM Richard Barnes <rlb@ipv.sx>; wrote:

> On Mon, Oct 21, 2019 at 11:44 AM David Benjamin <davidben@chromium.org>;
> wrote:
>
>> On Mon, Oct 21, 2019 at 9:42 AM Hubert Kario <hkario@redhat.com>; wrote:
>>
>>> On Friday, 18 October 2019 20:44:03 CEST Christopher Wood wrote:
>>> > This email starts a call for adoption of draft-davidben-tls13-pkcs1-00,
>>> > which can be found here:
>>> >
>>> >    https://tools.ietf.org/html/draft-davidben-tls13-pkcs1-00
>>> >
>>> > It will run until November 1, 2019. Please indicate whether or not you
>>> would
>>> > like to see this draft adopted and whether you will review and provide
>>> > feedback on it going forward.
>>>
>>> Yes, requiring RSA-PSS causes interoperability issues with smartcards
>>> that
>>> don't implement this 16 year old algorithm. But being able to say "if
>>> you're
>>> using TLS 1.3 that means you are not using legacy crypto" has non
>>> insignificant value too.
>>>
>>> This document erodes that.
>>>
>>
>> The document goes into the rationale here under Security Considerations.
>> I'm unhappy about this too, but our experience is that devices without PSS
>> support are fairly common in client certificates. The negotiation order
>> means that accounting for such devices effectively means servers hold back
>> TLS 1.3 for *all* their clients, not just those that are affected.
>> Additionally, even if one could get the negotiation order correct, TLS 1.3
>> fixes a serious privacy leak with client certificates. Keeping those
>> clients on TLS 1.2 means they continue to leak their identity over the
>> network.
>>
>> To mitigate the second-order effects, the document intentionally makes
>> the code points client-only (the above motivations don't apply for server
>> keys), as well as allocating separate code points from the existing PKCS#1
>> values. If a client or server wishes to not use[*] PKCS#1 signatures in TLS
>> 1.3, it doesn't need to advertise/accept those code points. TLS libraries
>> probably should also disable them by default.
>>
>> Given all that, I think adding code points for deployments that need them
>> is the right tradeoff.
>>
>
> I think I agree with both of you here.  Eroding the modernity of TLS 1.3
> makes me sad, but the draft does a good job of scoping the change to be
> minimal.
>
> The latter points you make here could be stronger in the document.  Where
> you talk about the signature_algorithms in the CertificateRequest, you
> could also note that if a PKCS#1 signature is received using an algorithm
> not in that list, then the server MUST reject it (even though this is
> probably duplicative of RFC 8446).  You could probably also say that server
> implementations SHOULD disable these code points by default.
>

Sounds good to me.  I'll include something to that effect in the next
revision.

(What's the usual order of operations here? It seems weird to change a
document mid-adoption-call, and, if the document is adopted, it also seems
weird to make the first TLSWG revision different from the document from the
adoption call. That suggests tabling this for a little while.)