Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
Eric Rescorla <ekr@rtfm.com> Tue, 12 September 2017 16:03 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F386A133075 for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 09:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p0eKocjIIesM for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 09:03:09 -0700 (PDT)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA0BA133076 for <tls@ietf.org>; Tue, 12 Sep 2017 09:03:08 -0700 (PDT)
Received: by mail-io0-x232.google.com with SMTP id j141so50003545ioj.4 for <tls@ietf.org>; Tue, 12 Sep 2017 09:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ozm1MGam5aglHcUOcYD7NfL9blcJX+FYkT4Dna3xUmQ=; b=he3Wx1WajCXMaYR1ctgUJcz4ddnK8Td3q3TmtZJel/+dVunrT/6YAqS91qrtTDq7xB d9ODbWNRww42tJgunPG7BVlrQWlpbykg0FaKoQHTVaXIvKiH8A4t97hioTORr/uZWfBb NxDkK9AQHy0kn+XUBJDgoCG2lqWQJcp0ZTtoeDrCjvAHaG6nZu/lUMyRmmG+vYDl6Fg8 estPZm3Mk5GohE0EFzSB9eGbFKObCYjlzWJZySnKoAF72zvMXpgKWkloxU+Kk8sCU9iy S/8HTSBd3mmJZfkpJSV0415mex2nrIMmp22kFOWnkZz/zdAkKkWV6diTXgB7wP2PhT4j qMCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ozm1MGam5aglHcUOcYD7NfL9blcJX+FYkT4Dna3xUmQ=; b=MpSqK7Z6cI6gXtsNT6t24dx1oXAzbyaGYW9hUrS8xVZAj8XrLZDk31c7/icn6kxH+P wq+naeEE1nbWoEm11JcO64SdVbbuSZGo3oRh8JlUasHZbIMXGjmIPys0mwRm2e0IC/0Y N8+2+CA7DmsmHFCRM7kZfyetjPlVOBg0NtFSvoLzBm/8G41ZKm0XYncGPtNwbV74qSwD ZQrnfNbnTWR4JIbhsvoTwBXwU4yNef9TB5jKtPtGG2fpCr79j8g37hQ6L9mQEECw/1NA EOj4Q/UTbL43z0yOXdUgSBk0tcYwc8vLTBu5xB1KGUSt0NfFcxfQ5zoJZagqkxIqTLsJ +fwA==
X-Gm-Message-State: AHPjjUhtFO9UUvaxstTTsPkckHkxBAZqeFRySiJLSwd8JE9EK9r14tsZ n6jnSh4ligyi/8emd0t8GCMsoZDfGLC7
X-Google-Smtp-Source: AOwi7QBRb6B2Oe0abIIsAZ3du4E06/m2bb7VwD6A3YwJiruIBL6CUl4kXAvNp64kYXuUtCLWX7yO+KrMrRD59p442DY=
X-Received: by 10.202.224.130 with SMTP id x124mr14089428oig.100.1505232188069; Tue, 12 Sep 2017 09:03:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.168.10.71 with HTTP; Tue, 12 Sep 2017 09:02:27 -0700 (PDT)
In-Reply-To: <68691b3c-3496-527c-e211-2a17a7c7b555@drh-consultancy.co.uk>
References: <20170908225948.GC31695@al> <CABcZeBNYoqpWx_3V42wut3FUUt3xELv5J5YayvcrhwzJKqgcyg@mail.gmail.com> <cafe5f94-f2f8-98d7-c536-fbc59e94fb97@drh-consultancy.co.uk> <1505225444.4161.35.camel@redhat.com> <68691b3c-3496-527c-e211-2a17a7c7b555@drh-consultancy.co.uk>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Sep 2017 09:02:27 -0700
Message-ID: <CABcZeBO8iar+BwfPf9sUH=cTAar+W6cUXYqfB1z2410MLPSHrg@mail.gmail.com>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Cc: Nikos Mavrogiannopoulos <nmav@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d376adfeedf0559002dd9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LFYZr4Y9CWHLqTPwCYtWtoZjcCE>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 16:03:11 -0000
On Tue, Sep 12, 2017 at 8:42 AM, Dr Stephen Henson < lists@drh-consultancy.co.uk> wrote: > On 12/09/2017 15:10, Nikos Mavrogiannopoulos wrote: > > > > That is, because a TLS server would typically sign with whatever > > algorithm the client supports and would very rarely be interested to > > utilize the security advantages of including the parameters (which, > > advantages, are quite unclear even to a crypto expert). Otherwise, a > > certificate restricted to SHA-384 and 48-bytes of salt, will not be > > able to serve a client which only supports RSASSA-PSS with SHA-256. > > > > As such, it would make sense for TLS 1.3 to recommend no parameters for > > such RSASSA-PSS certificates, to ease their deployment. > > > > Well restrictions in CA keys would be handled by the PKI verifier: if > there is a > violation the chain should be rejected and it's a problem with the chain > itself > and an error by the CA that issued it. A different case is where the > restrictions are legal from a PKIX standpoint but not allowed by TLS 1.3, > though > again it's a CA error issuing such a chain for TLS 1.3 use. > > A restriction on the EE key isn't quite the same. There are two cases. > > One is that the parameters are not permitted by TLS 1.3 at all (e.g. MGF1 > digest > doesn't match signing digest or minimum salt length exceeds digest > length). In > this case a server should never present the chain or if it does a client > would > justifiably reject it and abort the handshake. Again this is an error by > the > issuing authority which should be corrected. > > The second case is that the parameter restriction is permitted by TLS 1.3 > and > this limits the digest which the key can sign with. Say the restriction is > SHA384 and the client only supports rsa_pss_sha256. The server might then > use to > a different PSS key (and certificate chain) that supports rsa_pss_sha256 > or fall > back to an RSA key to use rsa_pss_sha256. Again if a client sees a TLS > message > signed with parameters that violate the restrictions it could (with some > justification) abort the handshake. > > This could get pretty messy: it requires a logic not used in any other > algorithm. I'd be more than happy to have an outright prohibition on EE > PSS key > parameter restrictions in TLS 1.3 so implementers don't have to bother > with this. This sounds plausible to me. Would you be willing to send a PR? -Ekr > > Steve. > -- > Dr Stephen N. Henson. > Founder member of the OpenSSL project: http://www.openssl.org/ > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] RSASSA-PSS in certificates and "signature_a… Peter Wu
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nick Sullivan
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Ilari Liusvaara
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Martin Rex
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Nikos Mavrogiannopoulos
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Dr Stephen Henson
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Eric Rescorla
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] RSASSA-PSS in certificates and "signatu… Hubert Kario