Re: [TLS] TLS 1.2 hash agility

Eric Rescorla <ekr@networkresonance.com> Fri, 14 September 2007 22:59 UTC

Date: Fri, 14 Sep 2007 15:56:05 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] TLS 1.2 hash agility
In-Reply-To: <46EB102E.2070900@pobox.com>
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com>
Message-Id: <20070914225606.9E9B433C21@delta.rtfm.com>
Cc: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>

At Fri, 14 Sep 2007 15:50:22 -0700,
Mike wrote:
> 
> >>> I think the solution we need is to specifically list each supported
> >>> signature algorithm, e.g.
> >>>
> >>>      enum {
> >>>        rsa_with_md5(0),    rsa_with_sha1(1),
> >>>        rsa_with_sha256(2), rsa_with_sha384(3),
> >>>        rsa_with_sha512(4), dsa_with_sha1(5),
> >>>        (65535)
> >>>      };
> >>
> >> And then we could change Signature structure to
> >>
> >>    struct {
> >>       SignatureAlgorithm signature_algorithm;
> >>       opaque signature_value<0..2^16-1>;
> >>    } Signature;  
> >>
> >> Eric, what's your opinion?
> > 
> > OK, I started trying to wire this into TLS and it's messy.
> > There are three contexts we have to think about:
> > 
> > - Certs (from either side)
> > - CertificateVerify
> > - ServerKeyExchange
> > 
> > The difficulty is that the latter two already have signals indicating
> > what acceptable signature algorithms are, in the ClientCertificateType,
> > and the ciphersuite respectively. So, we either need to significantly
> > reconstruct those or have duplication of information, with the 
> > result that you have to potentially deal with mismatched information,
> > e.g., only offering RSA in the SKE, but offering RSA and DSA in the
> > new value.
> 
> I think this information is disjoint. For example, you can have a DSA
> key in a certificate that is signed by RSA/SHA-1.

Yes, that's why I separated certificates from the other two situations.

Currently (in TLS 1.1) there are basically no restrictions on what
algorithms are used to sign the certs.

The ciphersuite and the ClientCertificateType indicate only the 
public key algorithm and not the hash algorithm.

So, we need to extend all three cases, to indicate the hash algorithms
that are supported.

-Ekr

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
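Added example, not part of the thread above and not anything the TLS working group published: a minimal encoder/decoder for the `Signature` structure proposed in the quoted text (2-byte enum, then `opaque signature_value<0..2^16-1>`), together with a helper that reconciles the proposed `signature_algorithm` field with the public-key algorithm the ciphersuite or ClientCertificateType already fixes. The enum values are the ones quoted in the mail; the decomposition into "rsa"/"dsa" plus a hash name, and the function and parameter names, are my assumptions for illustration.

```python
# Added example (not from the original mail): encode/decode of the proposed
# Signature structure, plus a check for the mismatch Ekr describes, where the
# ciphersuite implies one public-key algorithm but the new field offers others.
# Enum values come from the thread; ALG_PARTS and all names are assumptions.
import struct
from enum import IntEnum


class SignatureAlgorithm(IntEnum):
    """enum { rsa_with_md5(0), ..., dsa_with_sha1(5), (65535) } as quoted."""
    rsa_with_md5 = 0
    rsa_with_sha1 = 1
    rsa_with_sha256 = 2
    rsa_with_sha384 = 3
    rsa_with_sha512 = 4
    dsa_with_sha1 = 5


# Assumed decomposition of each combined value into (public-key alg, hash alg).
ALG_PARTS = {
    SignatureAlgorithm.rsa_with_md5: ("rsa", "md5"),
    SignatureAlgorithm.rsa_with_sha1: ("rsa", "sha1"),
    SignatureAlgorithm.rsa_with_sha256: ("rsa", "sha256"),
    SignatureAlgorithm.rsa_with_sha384: ("rsa", "sha384"),
    SignatureAlgorithm.rsa_with_sha512: ("rsa", "sha512"),
    SignatureAlgorithm.dsa_with_sha1: ("dsa", "sha1"),
}


def encode_signature(alg: SignatureAlgorithm, signature_value: bytes) -> bytes:
    """struct { SignatureAlgorithm signature_algorithm;
               opaque signature_value<0..2^16-1>; } Signature;
    Wire form: 2-byte enum, 2-byte length, then the opaque bytes."""
    if len(signature_value) > 0xFFFF:
        raise ValueError("signature_value exceeds 2^16-1 bytes")
    return struct.pack("!HH", int(alg), len(signature_value)) + signature_value


def decode_signature(buf: bytes) -> tuple[SignatureAlgorithm, bytes]:
    """Inverse of encode_signature; rejects unknown enum values and bad lengths."""
    if len(buf) < 4:
        raise ValueError("truncated Signature")
    alg_code, length = struct.unpack("!HH", buf[:4])
    if len(buf) != 4 + length:
        raise ValueError("signature_value length does not match remaining bytes")
    try:
        alg = SignatureAlgorithm(alg_code)
    except ValueError:
        raise ValueError(f"unknown signature_algorithm {alg_code}") from None
    return alg, buf[4:]


def choose_signature_algorithm(key_alg_from_ciphersuite: str,
                               local_hashes: set[str],
                               peer_offered: list[SignatureAlgorithm]):
    """Pick the first peer-offered value whose public-key algorithm agrees with
    what the ciphersuite (or ClientCertificateType) already fixed and whose
    hash we support. Returns None when the two signals cannot be reconciled,
    e.g. the ciphersuite says RSA but the peer offers only dsa_with_sha1."""
    for alg in peer_offered:
        key_alg, hash_alg = ALG_PARTS[alg]
        if key_alg == key_alg_from_ciphersuite and hash_alg in local_hashes:
            return alg
    return None
```

The point the helper makes concrete is the duplication Ekr worries about: once the hash is carried in a separate field, a receiver has two signals for the public-key algorithm and must treat a disagreement between them as a negotiation failure rather than silently trusting either one.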