Re: [TLS] which alert for TLS client cert w/o keyUsage digitalSignature

mrex@sap.com (Martin Rex) Fri, 20 September 2013 13:51 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B6CC21F943C for <tls@ietfa.amsl.com>; Fri, 20 Sep 2013 06:51:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.197
X-Spam-Level:
X-Spam-Status: No, score=-10.197 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ugjqZCr+zezt for <tls@ietfa.amsl.com>; Fri, 20 Sep 2013 06:51:17 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 6B40C21F93F8 for <tls@ietf.org>; Fri, 20 Sep 2013 06:51:17 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r8KDp4QR003906 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 20 Sep 2013 15:51:04 +0200 (MEST)
In-Reply-To: <523B6A3F.7000003@comodo.com>
To: Rob Stradling <rob.stradling@comodo.com>
Date: Fri, 20 Sep 2013 15:51:04 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130920135104.1EE501A98B@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] which alert for TLS client cert w/o keyUsage digitalSignature
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 13:51:24 -0000

Rob Stradling wrote:
> On 19/09/13 18:01, Michael D'Errico wrote:
> >>> Wan-Teh Chang wrote:
> >>>> Note: I don't understand why RFC 4492 says "It MUST be signed with
> >>>> RSA."
> <snip>
> > Page 47 of RFC 5246 hints at these rules:
> <snip>
> 
> RFC 5246 relaxes the "It MUST be signed with RSA" rule, doesn't it?
> 
> Appendix A.7 (Changes to RFC 4492) says:
>    "As described in Sections 7.4.2 and 7.4.6, the restrictions on the
>     signature algorithms used to sign certificates are no longer tied to
>     the cipher suite (when used by the server) or the
>     ClientCertificateType (when used by the client).  Thus, the
>     restrictions on the algorithm used to sign certificates specified in
>     Sections 2 and 3 of RFC 4492 are also relaxed."
 

Not really.  Actually, it makes things worse,

because rather than the "hidden" backwards-incompatible self-imposed
limitiation from TLSv1.0, rfc5246 now contains a very explicit limitation
to those algorithms negotiated by the signature algorithms TLS extension,
and stupidly asks TLS implementations to enforce this for the entire
certificate chain up to the root.  In TLSv1.0 this limitiation, for
anyone who actually noticed it, was clearly limited to the signature
algorithm on the EE cert itself, but not signature algorithms of
any intermediate and cross-CA certificates further up the chain.


-Martin