Re: [TLS] DSS with other than SHA-1 algorithms
Juho Vähä-Herttua <juhovh@iki.fi> Wed, 04 May 2011 10:41 UTC
Return-Path: <juhovh@iki.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC8AE0719 for <tls@ietfa.amsl.com>; Wed, 4 May 2011 03:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3027Uqg4Uvpb for <tls@ietfa.amsl.com>; Wed, 4 May 2011 03:41:26 -0700 (PDT)
Received: from jenni1.inet.fi (mta-out.inet.fi [195.156.147.13]) by ietfa.amsl.com (Postfix) with ESMTP id 254C9E070D for <tls@ietf.org>; Wed, 4 May 2011 03:41:25 -0700 (PDT)
Received: from mail.visino.fi (84.251.121.70) by jenni1.inet.fi (8.5.133) id 4DC043D300082CB5; Wed, 4 May 2011 13:41:17 +0300
Received: from [130.233.194.202] (tko-add-202.cs.hut.fi [130.233.194.202]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: juhovh) by mail.visino.fi (Postfix) with ESMTPSA id ACD4D201C5; Wed, 4 May 2011 13:41:12 +0300 (EEST)
Message-ID: <4DC12D35.1040805@iki.fi>
Date: Wed, 04 May 2011 13:40:53 +0300
From: Juho Vähä-Herttua <juhovh@iki.fi>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fi; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1QHXsH-0002L9-SA@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QHXsH-0002L9-SA@login01.fos.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 10:41:27 -0000
4.5.2011 11:56, Peter Gutmann kirjoitti: >> I think this what makes this worse is that existing TLS 1.0/1.1 >> implementations haven't necessarily prepared well for such complicated >> cipher suite selection ECC and TLS 1.2 introduce and that makes the >> transition a bit difficult. > That's quite possible. At the moment both TLS-ECC and TLS 1.2 deployment is > so vanishingly small that we have little data to go on, and as an implementer > you really can't see how problematic things get until you do implement and > deploy something. One of the reasons for getting the draft out there is to > try and both point out, and then address the problem before it becomes a real > issue. I think the deployment is very small on the server side, but I would say it is quite common on the client side. I know at least Firefox has had ECC cipher suites enabled by default for quite a long time (3 years or so), and I think that attributes to somewhere close to one third of all browsers globally. (according to Mozilla more than 350 million users) Calling TLS-ECC deployment vanishingly small is a bit of an understatement, don't you think? Should at least carefully consider what implications the draft has on interoperability with existing implementations, especially if the handshake methods are made mutually exclusive. >> Should it be added to the draft that for example implementations using >> mentioned SHA-256 cipher suites must also send signature_algorithms >> extension with corresponding hash and ECDSA pair? Right now it only points >> out the used hash functions, but TLS 1.2 specification quite clearly says >> that one should default to the {sha1,ecdsa} combination if no extension is >> sent. I think this draft doesn't make it clear enough if it overrides that >> requirement or not. > Hmm, it should already say that: > > ECDSA signature in Server Key Exchange message: P256 or P384 curve > as for ECDH with uncompressed points and SHA1, SHA256 or SHA384 as > indicated in the suite name. > > And for client auth: > > Client authentication in Certificate Request/Certificate Verify > messages: SHA1, SHA256, or SHA384 as indicated in the suite name. > > In other words "if you're using SHA256 at location X then you should use it > at location Y as well" (I can't imagine why you'd want to use, say SHA-1 at > point X but then SHA256 at point Y, and if anyone really does want this they > can still do it using the existing Chinese-menu option). That's exactly the parts of the draft I am referring to. This should be combined with the RFC 5246 text: If the client does not send the signature_algorithms extension, the server MUST do the following: ... - If the negotiated key exchange algorithm is one of (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}. Your draft does not mandate sending the signature_algorithms extension, but at the same time it does say one should use the SHA256 or SHA386 for signatures. Does it override the above clause of TLS 1.2 or does it implicate signature_algorithms have to be always sent in case any of those cipher suites are to be offered? > I used the term "Chinese menu" because it's common usage in the US for a mix- > and-match selection of items, the "one from column A, one from column B" > selection, and figured using "table d'hote" and "a la carte" might be going a > bit too far :-). I'll add a rationale section that discusses the naming (see > e.g. > http://www.barrypopik.com/index.php/new_york_city/entry/one_from_column_a_one_from_column_b_chinese_menu_ordering/, > from a quick Google search, perhaps it's a US-only colloquialism), and also > more on why there's a problem and why it's a good idea to address it fairly > soon. That explains it much better, I tried to google it before but didn't really get any sensible results. Looks like searching for "chinese menu column" gives more hits, although I wonder how common knowledge it is, because most search results seem to be explaining it to readers even though they are not technical specifications. But I can confirm at least it is not the common way to order food in China. If we go into slight nitpicking, in Chinese menu the choice from column A doesn't affect the choice from column B and the two choices are independent. In case of TLS and ECC cipher suites, the choice from column A enables making the choice from column B making them mutually dependent. I just don't like the term very much, I think referring to the two options as simplified ECC parameter selection and extension based parameter selection or something similar should suffice. But I can wait for the rationale section, I think it's a good idea to add. Juho
- [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Dr Stephen Henson
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Hovav Shacham
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Simon Josefsson
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Geoffrey Keating
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Daniel Kahn Gillmor
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Jack Lloyd
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Paul Hoffman
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann