IETF Logo Mail Archive

Re: [TLS] AD Review of draft-ietf-tls-tls13

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 23 May 2017 09:29 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D19D6129A9A for <tls@ietfa.amsl.com>; Tue, 23 May 2017 02:29:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gK13J1sN-6yZ for <tls@ietfa.amsl.com>; Tue, 23 May 2017 02:29:27 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id E5B51129A99 for <tls@ietf.org>; Tue, 23 May 2017 02:29:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 559EA24074; Tue, 23 May 2017 12:29:24 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 1pWvHvL5QzHC; Tue, 23 May 2017 12:29:23 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id E8E23C4; Tue, 23 May 2017 12:29:23 +0300 (EEST)
Date: Tue, 23 May 2017 12:29:22 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Eric Rescorla <ekr@rtfm.com>, TLS WG <tls@ietf.org>
Message-ID: <20170523092921.GA13966@LK-Perkele-V2.elisa-laajakaista.fi>
References: <35E448DD-7F74-4563-9707-DFAB66125FAA@dukhovni.org> <89704888-5f4d-0021-74cb-4cea28c773bd@akamai.com> <ac704db142c04e7b8a836df711e9bc7f@usma1ex-dag1mb1.msg.corp.akamai.com> <1A619330-282A-44F0-871B-DF6D15850394@dukhovni.org> <CABcZeBOvRGar9ZLTo=tu+oUxRWtMucwr5Bk1dPY8C1mAa9asTg@mail.gmail.com> <20170522201729.GO10188@localhost> <CABcZeBMx5wbfchzonxQ5E6N2cOSAXSFX5JpEdTQMMaTnoCb7Dg@mail.gmail.com> <20170522204326.GP10188@localhost> <CABcZeBM1SWnganpX_VyDRiVm+ZFSoA6tZpCWX+Ec-D6So6RUGw@mail.gmail.com> <20170522210018.GQ10188@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20170522210018.GQ10188@localhost>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JSOud1XkEKy0yQeHSbr6S5rHsug>
Subject: Re: [TLS] AD Review of draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 09:29:38 -0000

On Mon, May 22, 2017 at 04:00:20PM -0500, Nico Williams wrote:
> On Tue, May 23, 2017 at 05:49:47AM +0900, Eric Rescorla wrote:
> > On Tue, May 23, 2017 at 5:43 AM, Nico Williams <nico@cryptonector.com>
> > wrote:
> > > On Tue, May 23, 2017 at 05:26:28AM +0900, Eric Rescorla wrote:
> > > > On Tue, May 23, 2017 at 5:17 AM, Nico Williams <nico@cryptonector.com>
> > > > wrote:
> > > > > > In any case, I think there are two issues:
> > > > > > 1. Forbid TLS 1.3 implementations from accepting MD5 and SHA-1.
> > > > > > 2. Require a specific failure if the peer presents such a
> > > certificate.
> > > > > >
> > > > > > There was pretty strong consensus to do #1 and I don't support
> > > removing
> > > > > > it. That seems like a pretty modest layering violation. If people
> > > think
> > > > > that
> > > > > > the mandate for this specific alert is too onerous, I could live with
> > > > > > removing
> > > > > > that.
> > > > >
> > > > > I don't understand how you can have (1) and not (2).
> > > >
> > > > As Ilari suggests, you could just treat the algorithms as unknown.
> > >
> > > How does that square with (1)?
> > >
> > 
> > I don't understand the question. If you treat them as unknown then
> > either your path construction code will route around them or once you
> > try to verify, it will fail.
> 
> That *really* seems like a layer violation!

The code I have tries to route around (with equivalent to exhaustive
search of all paths).

And altough the code I have has the TLS and certificate code more
tightly bound togethe than most libraries, the certificate validation
algorithm handling is wholly inside the certificate handling part.

The algorithm handling being inside certificate code is even true for
SHA-1 signatures, which have nontrivial validity rules (only allowed
for dedicated OCSP responders).

The certificate code does not concern itself about TLS version it
is running on. The exchange signature (which has differences between
TLS versions) is direct signature validation and does not involve
certificate code.


BTW:

Section 4.4.3. seemingly allows use of unadvertised exchange signature
schemes if advertised one can't be used. This should be fixed: There
is no way that can actually work (even pinning the server's key doesn't
make that work, unlike say EE certificate being signed with something
unknown).




-Ilari

v2.23.0 | Report a Bug | By Email