IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 10 July 2015 16:39 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26CB91B29D9 for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 09:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9wkHn4Sok-m for <tls@ietfa.amsl.com>; Fri, 10 Jul 2015 09:39:39 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51D9C1B29B7 for <tls@ietf.org>; Fri, 10 Jul 2015 09:39:39 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 89067284D69; Fri, 10 Jul 2015 16:39:38 +0000 (UTC)
Date: Fri, 10 Jul 2015 16:39:38 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150710163938.GX28047@mournblade.imrryr.org>
References: <201507101137.44703.davemgarrett@gmail.com> <20150710161705.BD6C71A1D5@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150710161705.BD6C71A1D5@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KXjdrPVcQRhNCGJz7qFn2B0emSc>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 16:39:41 -0000

On Fri, Jul 10, 2015 at 06:17:05PM +0200, Martin Rex wrote:

> Was TLSv1.2 really meant to be backwards-incompatible to TLSv1.0 and TLSv1.1
> and create new problems for the migration from sha1-signed server certs
> to sha256-signed server certificates, considering that sha1-signed certs
> had already been officially been deprecated (e.g. by NIST) more than a
> year before TLSv1.2 (rfc5246) was published.

Martin, I think that focusing on a fine-grained scholarly analysis
of the specification is a distraction.  Even if the specification
unequivocally requires servers to do as Schannel does (and there
is some evidence that it does even if not univerally convincing),
the specification is wrong.

There are many situations where the server has little choice of
what chains it can present, and the client is perfectly happy with
chains that bear signatures it does not recognize.

There is no reason for the server to abort the handshake on the
unjustified presumption that the chains it has are unacceptable to
the client.  

Lawyering the RFCs is not worth the effort, concede the law
and go for jury nullification.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email