Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1
David Benjamin <davidben@chromium.org> Mon, 21 October 2019 16:20 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0CD51200B6 for <tls@ietfa.amsl.com>; Mon, 21 Oct 2019 09:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.251
X-Spam-Level:
X-Spam-Status: No, score=-9.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLCB5stHa_8D for <tls@ietfa.amsl.com>; Mon, 21 Oct 2019 09:20:15 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 898BF120071 for <TLS@ietf.org>; Mon, 21 Oct 2019 09:20:15 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id r1so8085978pgj.12 for <TLS@ietf.org>; Mon, 21 Oct 2019 09:20:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SrH5Ju/5X+9bT/WeSXbfLe8JRuFzjIzZ9zg0//rPh4k=; b=Oat39a9j6LKIKfO8BjObG5tk8Q3Kj0l/PCcWDBVxCMJefw30ZIEKnTFzN58TjXnpY0 498p6Za8MMhLG7vf/rKL5xC1P/TERXa3oR3FmxconBsmZzAqQXIIuXxkh3TrLhMF9bp6 JBGVgtN0s8aJ6s2LWVafAlf2y5DmD9PiPLoUk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SrH5Ju/5X+9bT/WeSXbfLe8JRuFzjIzZ9zg0//rPh4k=; b=dqOebuclXQE2JLaH6vApKHxGliHESJhZhdRI1VY/qGCjeGRrjep5ONaS4QiQn6GYFw DiyhIiBF4wggWjsVaACb7MMsRTpPnd52+ZvnsD/3iabRtcchi20EsMpj/Dlksr2qqa7z AZotezjRPS9Z1Du4kPpNwdEmj9XTDzN3DrPypVDFK1LFJScNRhRuVUm32GqDfNyVd6LV CcfHHWMNR8+KxgRlxO7MN7U4xchXx8HnR4tN9k9rUQdlI0KdbWiuotDRA08aovO0Kdc+ 6GmuKh7S/rmrh0RV2/EQgdp6VyIJgHFzt6Jx4cqhgFjTOGrdE0n+fG8QkIerPqXyOJq0 1LkA==
X-Gm-Message-State: APjAAAVx6g0QFKx20WUMEZXyaac/xSrN8fCghZhKKYEkC5zl1HNZg58u 7P0dEUyY742zRljbKvDkswmjUMH0l5PW2RRxFFCyfU5W4g==
X-Google-Smtp-Source: APXvYqyAf++QE2b5OLb8izEvH6cqO41eHJcsKf1/NYEWOLobPtpuof0baLAE0IoAKdlPsd6CQ+g1105TOZtUWvmoTRA=
X-Received: by 2002:a65:6201:: with SMTP id d1mr26039171pgv.182.1571674813786; Mon, 21 Oct 2019 09:20:13 -0700 (PDT)
MIME-Version: 1.0
References: <843cc437-4c6d-43ce-b634-527a287c4e27@www.fastmail.com> <2641069.fcJi2IyA6W@pintsize.usersys.redhat.com> <CAF8qwaArxgaKOM-m6ee+DJwn0mfckOt=qc+M7zksec0HR-gLLw@mail.gmail.com> <CAL02cgQC9743xRBk++JhnGxwmNhvUM86sGpae-zPLKUT0VCkzg@mail.gmail.com>
In-Reply-To: <CAL02cgQC9743xRBk++JhnGxwmNhvUM86sGpae-zPLKUT0VCkzg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 21 Oct 2019 12:19:57 -0400
Message-ID: <CAF8qwaAczV=fh9YuHVAyO7YHhGhgiejTt7T8vaFJ_oUuOcnj7g@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fafa1105956e0e5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IQw3Kdqrd5L5O5XKIjgOB_gGjJk>
Subject: Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 16:20:17 -0000
On Mon, Oct 21, 2019 at 12:11 PM Richard Barnes <rlb@ipv.sx> wrote: > On Mon, Oct 21, 2019 at 11:44 AM David Benjamin <davidben@chromium.org> > wrote: > >> On Mon, Oct 21, 2019 at 9:42 AM Hubert Kario <hkario@redhat.com> wrote: >> >>> On Friday, 18 October 2019 20:44:03 CEST Christopher Wood wrote: >>> > This email starts a call for adoption of draft-davidben-tls13-pkcs1-00, >>> > which can be found here: >>> > >>> > https://tools.ietf.org/html/draft-davidben-tls13-pkcs1-00 >>> > >>> > It will run until November 1, 2019. Please indicate whether or not you >>> would >>> > like to see this draft adopted and whether you will review and provide >>> > feedback on it going forward. >>> >>> Yes, requiring RSA-PSS causes interoperability issues with smartcards >>> that >>> don't implement this 16 year old algorithm. But being able to say "if >>> you're >>> using TLS 1.3 that means you are not using legacy crypto" has non >>> insignificant value too. >>> >>> This document erodes that. >>> >> >> The document goes into the rationale here under Security Considerations. >> I'm unhappy about this too, but our experience is that devices without PSS >> support are fairly common in client certificates. The negotiation order >> means that accounting for such devices effectively means servers hold back >> TLS 1.3 for *all* their clients, not just those that are affected. >> Additionally, even if one could get the negotiation order correct, TLS 1.3 >> fixes a serious privacy leak with client certificates. Keeping those >> clients on TLS 1.2 means they continue to leak their identity over the >> network. >> >> To mitigate the second-order effects, the document intentionally makes >> the code points client-only (the above motivations don't apply for server >> keys), as well as allocating separate code points from the existing PKCS#1 >> values. If a client or server wishes to not use[*] PKCS#1 signatures in TLS >> 1.3, it doesn't need to advertise/accept those code points. TLS libraries >> probably should also disable them by default. >> >> Given all that, I think adding code points for deployments that need them >> is the right tradeoff. >> > > I think I agree with both of you here. Eroding the modernity of TLS 1.3 > makes me sad, but the draft does a good job of scoping the change to be > minimal. > > The latter points you make here could be stronger in the document. Where > you talk about the signature_algorithms in the CertificateRequest, you > could also note that if a PKCS#1 signature is received using an algorithm > not in that list, then the server MUST reject it (even though this is > probably duplicative of RFC 8446). You could probably also say that server > implementations SHOULD disable these code points by default. > Sounds good to me. I'll include something to that effect in the next revision. (What's the usual order of operations here? It seems weird to change a document mid-adoption-call, and, if the document is adopted, it also seems weird to make the first TLSWG revision different from the document from the adoption call. That suggests tabling this for a little while.)
- [TLS] Adoption call for draft-davidben-tls13-pkcs1 Christopher Wood
- Re: [TLS] Adoption call for draft-davidben-tls13-… Salz, Rich
- Re: [TLS] Adoption call for draft-davidben-tls13-… David Benjamin
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario
- Re: [TLS] Adoption call for draft-davidben-tls13-… David Benjamin
- Re: [TLS] Adoption call for draft-davidben-tls13-… Richard Barnes
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario
- Re: [TLS] Adoption call for draft-davidben-tls13-… David Benjamin
- Re: [TLS] Adoption call for draft-davidben-tls13-… Sean Turner
- Re: [TLS] Adoption call for draft-davidben-tls13-… Christopher Wood
- Re: [TLS] Adoption call for draft-davidben-tls13-… Adam Langley
- Re: [TLS] Adoption call for draft-davidben-tls13-… Darin Pettis
- Re: [TLS] Adoption call for draft-davidben-tls13-… Ilari Liusvaara
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario
- Re: [TLS] Adoption call for draft-davidben-tls13-… Ilari Liusvaara
- Re: [TLS] Adoption call for draft-davidben-tls13-… David Benjamin
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario
- Re: [TLS] Adoption call for draft-davidben-tls13-… Filippo Valsorda
- Re: [TLS] Adoption call for draft-davidben-tls13-… Ryan Sleevi
- Re: [TLS] Adoption call for draft-davidben-tls13-… David Benjamin
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario
- Re: [TLS] Adoption call for draft-davidben-tls13-… Nick Harper
- Re: [TLS] Adoption call for draft-davidben-tls13-… Hubert Kario