IETF Logo Mail Archive

Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"

Eric Rescorla <ekr@rtfm.com> Tue, 12 September 2017 16:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F386A133075 for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 09:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p0eKocjIIesM for <tls@ietfa.amsl.com>; Tue, 12 Sep 2017 09:03:09 -0700 (PDT)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA0BA133076 for <tls@ietf.org>; Tue, 12 Sep 2017 09:03:08 -0700 (PDT)
Received: by mail-io0-x232.google.com with SMTP id j141so50003545ioj.4 for <tls@ietf.org>; Tue, 12 Sep 2017 09:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ozm1MGam5aglHcUOcYD7NfL9blcJX+FYkT4Dna3xUmQ=; b=he3Wx1WajCXMaYR1ctgUJcz4ddnK8Td3q3TmtZJel/+dVunrT/6YAqS91qrtTDq7xB d9ODbWNRww42tJgunPG7BVlrQWlpbykg0FaKoQHTVaXIvKiH8A4t97hioTORr/uZWfBb NxDkK9AQHy0kn+XUBJDgoCG2lqWQJcp0ZTtoeDrCjvAHaG6nZu/lUMyRmmG+vYDl6Fg8 estPZm3Mk5GohE0EFzSB9eGbFKObCYjlzWJZySnKoAF72zvMXpgKWkloxU+Kk8sCU9iy S/8HTSBd3mmJZfkpJSV0415mex2nrIMmp22kFOWnkZz/zdAkKkWV6diTXgB7wP2PhT4j qMCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ozm1MGam5aglHcUOcYD7NfL9blcJX+FYkT4Dna3xUmQ=; b=MpSqK7Z6cI6gXtsNT6t24dx1oXAzbyaGYW9hUrS8xVZAj8XrLZDk31c7/icn6kxH+P wq+naeEE1nbWoEm11JcO64SdVbbuSZGo3oRh8JlUasHZbIMXGjmIPys0mwRm2e0IC/0Y N8+2+CA7DmsmHFCRM7kZfyetjPlVOBg0NtFSvoLzBm/8G41ZKm0XYncGPtNwbV74qSwD ZQrnfNbnTWR4JIbhsvoTwBXwU4yNef9TB5jKtPtGG2fpCr79j8g37hQ6L9mQEECw/1NA EOj4Q/UTbL43z0yOXdUgSBk0tcYwc8vLTBu5xB1KGUSt0NfFcxfQ5zoJZagqkxIqTLsJ +fwA==
X-Gm-Message-State: AHPjjUhtFO9UUvaxstTTsPkckHkxBAZqeFRySiJLSwd8JE9EK9r14tsZ n6jnSh4ligyi/8emd0t8GCMsoZDfGLC7
X-Google-Smtp-Source: AOwi7QBRb6B2Oe0abIIsAZ3du4E06/m2bb7VwD6A3YwJiruIBL6CUl4kXAvNp64kYXuUtCLWX7yO+KrMrRD59p442DY=
X-Received: by 10.202.224.130 with SMTP id x124mr14089428oig.100.1505232188069; Tue, 12 Sep 2017 09:03:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.168.10.71 with HTTP; Tue, 12 Sep 2017 09:02:27 -0700 (PDT)
In-Reply-To: <68691b3c-3496-527c-e211-2a17a7c7b555@drh-consultancy.co.uk>
References: <20170908225948.GC31695@al> <CABcZeBNYoqpWx_3V42wut3FUUt3xELv5J5YayvcrhwzJKqgcyg@mail.gmail.com> <cafe5f94-f2f8-98d7-c536-fbc59e94fb97@drh-consultancy.co.uk> <1505225444.4161.35.camel@redhat.com> <68691b3c-3496-527c-e211-2a17a7c7b555@drh-consultancy.co.uk>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Sep 2017 09:02:27 -0700
Message-ID: <CABcZeBO8iar+BwfPf9sUH=cTAar+W6cUXYqfB1z2410MLPSHrg@mail.gmail.com>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Cc: Nikos Mavrogiannopoulos <nmav@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d376adfeedf0559002dd9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LFYZr4Y9CWHLqTPwCYtWtoZjcCE>
Subject: Re: [TLS] RSASSA-PSS in certificates and "signature_algorithms"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 16:03:11 -0000

On Tue, Sep 12, 2017 at 8:42 AM, Dr Stephen Henson <
lists@drh-consultancy.co.uk> wrote:

> On 12/09/2017 15:10, Nikos Mavrogiannopoulos wrote:
> >
> > That is, because a TLS server would typically sign with whatever
> > algorithm the client supports and would very rarely be interested to
> > utilize the security advantages of including the parameters (which,
> > advantages, are quite unclear even to a crypto expert). Otherwise, a
> > certificate restricted to SHA-384 and 48-bytes of salt, will not be
> > able to serve a client which only supports RSASSA-PSS with SHA-256.
> >
> > As such, it would make sense for TLS 1.3 to recommend no parameters for
> > such RSASSA-PSS certificates, to ease their deployment.
> >
>
> Well restrictions in CA keys would be handled by the PKI verifier: if
> there is a
> violation the chain should be rejected and it's a problem with the chain
> itself
> and an error by the CA that issued it. A different case is where the
> restrictions are legal from a PKIX standpoint but not allowed by TLS 1.3,
> though
> again it's a CA error issuing such a chain for TLS 1.3 use.
>
> A restriction on the EE key isn't quite the same. There are two cases.
>
> One is that the parameters are not permitted by TLS 1.3 at all (e.g. MGF1
> digest
> doesn't match signing digest or minimum salt length exceeds digest
> length). In
> this case a server should never present the chain or if it does a client
> would
> justifiably reject it and abort the handshake. Again this is an error by
> the
> issuing authority which should be corrected.
>
> The second case is that the parameter restriction is permitted by TLS 1.3
> and
> this limits the digest which the key can sign with. Say the restriction is
> SHA384 and the client only supports rsa_pss_sha256. The server might then
> use to
> a different PSS key (and certificate chain) that supports rsa_pss_sha256
> or fall
> back to an RSA key to use rsa_pss_sha256. Again if a client sees a TLS
> message
> signed with parameters that violate the restrictions it could (with some
> justification) abort the handshake.
>
> This could get pretty messy: it requires a logic not used in any other
> algorithm. I'd be more than happy to have an outright prohibition on EE
> PSS key
> parameter restrictions in TLS 1.3 so implementers don't have to bother
> with this.


This sounds plausible to me. Would you be willing to send a PR?

-Ekr


>


> Steve.
> --
> Dr Stephen N. Henson.
> Founder member of the OpenSSL project: http://www.openssl.org/
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email