Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
mrex@sap.com (Martin Rex) Wed, 07 November 2018 14:48 UTC
In-Reply-To: <m236seg80v.fsf@localhost.localdomain>
References: <79CF87E7-E263-4457-865E-F7BE8251C506@dukhovni.org> <m236seg80v.fsf@localhost.localdomain>
To: Geoffrey Keating <geoffk@geoffk.org>
Date: Wed, 07 Nov 2018 15:48:26 +0100
CC: tls@ietf.org
Reply-To: mrex@sap.com
Message-Id: <20181107144826.207DC404C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I__RPR0Lay0kiUnu9cSkixNVFPA>
Subject: Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
Geoffrey Keating <geoffk@geoffk.org> wrote:
> Viktor Dukhovni <ietf-dane@dukhovni.org> writes:
>>
>> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
>> certificate that *only* lists:
>>
>>     X509v3 Key Usage:
>>         Key Encipherment, Data Encipherment
>
> Yes, because in DHE-RSA, the RSA key is used for signing, and this is
> an encryption-only key.

There is *ZERO* security problem associated with TLS client allowing a
TLS server to do this, but it makes it harder to catch defective CA
software and bogus CA issuing practices when clients do not complain
here -- and the TLS specification says this KeyUsage DigitalSignature
is a MUST for DHE/ECDHE key exchange:

TLSv1.2: https://tools.ietf.org/html/rfc5246#page-49

      DHE_RSA     RSA public key; the certificate MUST allow the
      ECDHE_RSA   key to be used for signing (the digitalSignature
                  bit MUST be set if the key usage extension is
                  present) with the signature scheme and hash
                  algorithm that will be employed in the server key
                  exchange message.
                  Note: ECDHE_RSA is defined in [TLSECC].

TLSv1.0: https://tools.ietf.org/html/rfc2246#page-38

CAs and CA software that issues certificates as TLS server
certificates (i.e. with ExtKeyUsage id-kp-serverAuth, id-kp-clientAuth
or both) and forgets to assert DigitalSignature, prove their own royal
brokenness.

Using an RSA key for PKCS#1 v1.5 signatures is *NO* security problem.
Do not get confused by the FUD and snake-oil that resulted in the
needless additional complexity of RSA-PSS in TLSv1.3, that adds ZERO
security value.

https://www.schneier.com/blog/archives/2018/09/evidence_for_th.html
https://eprint.iacr.org/2018/855

There is some security risk with using an RSA signing-only key for
PKCS#1 v1.5 encryption, i.e. the equivalent of using a keyUsage
without keyEncipherment for static-RSA key exchange.

-Martin
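The RFC 5246 keyUsage rule discussed in this thread, as an added example that is not part of any message in the thread: it decodes the keyUsage extension value (a DER BIT STRING) and checks whether the certificate may be used for a given RSA-based key exchange. The key exchange names, the DER samples and the helper names are this example's own assumptions.

```python
from typing import Optional

# Added example, not from the thread: decode an X.509 keyUsage extension value
# (a DER BIT STRING) and apply the RFC 5246 section 7.4.2 rule quoted above:
# DHE_RSA/ECDHE_RSA need digitalSignature, static RSA needs keyEncipherment,
# and a certificate without a keyUsage extension is unconstrained.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# keyUsage bit each RSA-based key exchange requires when the extension is present
REQUIRED_BIT = {
    "RSA": "keyEncipherment",
    "DHE_RSA": "digitalSignature",
    "ECDHE_RSA": "digitalSignature",
}


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] > 0x7F or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    # DER requires the unused trailing bits to be zero; reject sloppy encoders.
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("non-DER unused bits")
    nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    # Bit 0 (digitalSignature) is the most significant bit of the first byte.
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if body[i // 8] & (0x80 >> (i % 8))}


def key_usage_permits(key_exchange: str, key_usage_der: Optional[bytes]) -> bool:
    """True if the server certificate may be used with key_exchange."""
    if key_usage_der is None:           # extension absent: no constraint
        return True
    return REQUIRED_BIT[key_exchange] in decode_key_usage(key_usage_der)


# Constructed sample: the thread's "Key Encipherment, Data Encipherment"
# (bits 2 and 3) encodes as 03 02 04 30.
ENC_ONLY_KU = bytes.fromhex("03020430")
# Constructed sample: digitalSignature + keyEncipherment (bits 0 and 2).
SIG_AND_ENC_KU = bytes.fromhex("030205a0")
```

With the thread's encryption-only keyUsage, `key_usage_permits` accepts static RSA and rejects DHE_RSA and ECDHE_RSA, which is the outcome the quoted MUST requires of a conforming client.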