IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

"Salz, Rich" <rsalz@akamai.com> Wed, 08 July 2015 01:55 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B71D1B2D0C for <tls@ietfa.amsl.com>; Tue, 7 Jul 2015 18:55:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGmRzPPWohSR for <tls@ietfa.amsl.com>; Tue, 7 Jul 2015 18:55:39 -0700 (PDT)
Received: from prod-mail-xrelay02.akamai.com (prod-mail-xrelay02.akamai.com [72.246.2.14]) by ietfa.amsl.com (Postfix) with ESMTP id 3C0661B2D09 for <tls@ietf.org>; Tue, 7 Jul 2015 18:55:37 -0700 (PDT)
Received: from prod-mail-xrelay02.akamai.com (localhost [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 5620C28DFE; Wed, 8 Jul 2015 01:55:36 +0000 (GMT)
Received: from prod-mail-relay07.akamai.com (prod-mail-relay07.akamai.com [172.17.121.112]) by prod-mail-xrelay02.akamai.com (Postfix) with ESMTP id 383BA28DFC; Wed, 8 Jul 2015 01:55:36 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=akamai.com; s=a1; t=1436320536; bh=oFN5roheE+4Z+kWwMx+TFKwIABNPDCBlfDl9Fb3L5vA=; h=From:To:Subject:Date:References:In-Reply-To:From; b=RAzN4Q+ppjtitOKdXKhg2zQtfW4tZIE633ZYrjGg91q9qByAL+PrN5CWQy8meHRt8 QKT2D4uoRl77CUaulzocJHyf4c7vrSWuOED/LhJzH7CXPkL8zjrRIFwh6xfJpjlAkT M5rPBARqr/fA/a5HsGw0xzU9nTROW8+YEfuD7cg4=
Received: from email.msg.corp.akamai.com (ustx2ex-cas1.msg.corp.akamai.com [172.27.25.30]) by prod-mail-relay07.akamai.com (Postfix) with ESMTP id 218FB80084; Wed, 8 Jul 2015 01:55:36 +0000 (GMT)
Received: from USTX2EX-DAG1MB2.msg.corp.akamai.com (172.27.27.102) by ustx2ex-dag1mb2.msg.corp.akamai.com (172.27.27.102) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 7 Jul 2015 20:55:35 -0500
Received: from USTX2EX-DAG1MB2.msg.corp.akamai.com ([172.27.6.132]) by ustx2ex-dag1mb2.msg.corp.akamai.com ([172.27.6.132]) with mapi id 15.00.1076.000; Tue, 7 Jul 2015 20:55:35 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Martin Thomson <martin.thomson@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
Thread-Index: AQHQuMqBnytZJHwlb02fn+qYqTOau53QgQ6AgAAI+QCAAAQ0gIAADWqAgAA2FYCAACIfgP//3B2w
Date: Wed, 08 Jul 2015 01:55:35 +0000
Message-ID: <a774e57216864bbebefa3b38bb65c183@ustx2ex-dag1mb2.msg.corp.akamai.com>
References: <CABcZeBOWK_WnHAefsZUBr4UyEkyiZqi1mhoZH8ZeGFftdOqTTw@mail.gmail.com> <CABcZeBMPsopxV=mu+MJAwJC6w=iuytA3ueyXKpg1QFdV=JWirw@mail.gmail.com> <201507071242.23235.davemgarrett@gmail.com> <201507071257.26088.davemgarrett@gmail.com> <CABcZeBNxW6jaf=HZFvm56K5pKeLD4GyNXOimUHUCt34r_76Vzw@mail.gmail.com> <20150707205858.GH21534@mournblade.imrryr.org> <CABkgnnXZ9HmW2BHrda3s9LMVUzZbdbdD2yKU84w2W8roycJ-xg@mail.gmail.com>
In-Reply-To: <CABkgnnXZ9HmW2BHrda3s9LMVUzZbdbdD2yKU84w2W8roycJ-xg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.46.107]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ihu1N-mky-36lM3gGRKuNiuWgM8>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 01:55:40 -0000


> On 7 July 2015 at 13:58, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> > Which SSL libraries allow server administrators to configure multiple
> > chains based on the signature algorithm?
> 
> I just investigated this earlier today.  NSS maintains separate certificates

boringSSL does it, too.  They have an early callback that presents the entire parsed clientHello message, and allows the server to unify SNI, cipher-suite, and cert assignment all at once.  I'm going to bring that feature into the next OpenSSL release, along with unified extension handling.

Agreed, nobody cares much about the client side.

v2.23.0 | Report a Bug | By Email