Re: [TLS] Consistency for Signature Algorithms?
Dr Stephen Henson <lists@drh-consultancy.co.uk> Fri, 21 July 2017 20:21 UTC
Return-Path: <lists@drh-consultancy.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0910124E15 for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 13:21:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7wXZI91FAlDE for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 13:21:15 -0700 (PDT)
Received: from claranet-outbound-smtp08.uk.clara.net (claranet-outbound-smtp08.uk.clara.net [195.8.89.41]) by ietfa.amsl.com (Postfix) with ESMTP id 2085312009C for <tls@ietf.org>; Fri, 21 Jul 2017 13:21:15 -0700 (PDT)
Received: from host86-161-69-224.range86-161.btcentralplus.com ([86.161.69.224]:25438 helo=[192.168.1.75]) by relay08.mail.eu.clara.net (relay.clara.net [81.171.239.38]:10465) with esmtpa (authdaemon_plain:drh) id 1dYeQB-0000xY-SB for tls@ietf.org (return-path <lists@drh-consultancy.co.uk>); Fri, 21 Jul 2017 20:21:13 +0000
To: tls@ietf.org
References: <3586282.tDsyLpRkWM@pintsize.usersys.redhat.com> <20a46494-8fd2-2cbf-556d-070b48056d4d@drh-consultancy.co.uk> <20170721150055.7gn2twhlz7ocu7tn@LK-Perkele-VII>
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <5a5ec21c-5b8a-08d9-dfb1-cd78d3054339@drh-consultancy.co.uk>
Date: Fri, 21 Jul 2017 21:21:08 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170721150055.7gn2twhlz7ocu7tn@LK-Perkele-VII>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LvdJ82d-FDepU3-O49mO23QUihE>
Subject: Re: [TLS] Consistency for Signature Algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 20:21:17 -0000
On 21/07/2017 16:00, Ilari Liusvaara wrote: > > I suppose some new dual-version TLS 1.2/1.3 libraries might have the > same issue as mine: supported groups is just plain ignored for ECDSA, > and siganture algorithms have the TLS 1.3 meanings, even in TLS 1.2. > That is potentially a problem yes. Suppose a server has an EE certificate with a P-256 public key and the client preference order is ecdsa_secp384r1_sha384, ecdsa_secp256r1_sha256. For TLS 1.3 it will use ecdsa_secp256r1_sha256 and sign TLS messages using P-256+SHA256. In TLS 1.2 the same preference list means sha384+ecdsa, sha256+ecdsa without the curve restriction. In this case the server might sign the message using P-256+SHA384 because the client prefers it. That isn't allowed in TLS 1.3 but is in TLS 1.2. A client which enforces the TLS 1.3 signature algorithm rules for TLS 1.2 might abort the connection at that point. >> I agree though that there is an anomaly here. For example AFAICS in >> certificates for TLS1.3 you're allowed (with some caveats) to use a >> P-256+SHA-1 signature (which has security concerns) but P-256 + SHA512 is not >> allowed at all. Is that likely to be a problem in practice? Are there many >> such certificates about in the wild? > > Actually, P-256+SHA512 is allowed with a caveat, even if the > certificate is not self-signed. And with the same caveat, server can > send a certificate signed with P-256+SHA3-512, despite TLS > codepoint for it having never existed (not many clients can validate it > through). > Yes you're right, the caveat of not otherwise having any suitable chain allows that case. Steve. -- Dr Stephen N. Henson. Founder member of the OpenSSL project: http://www.openssl.org/
- [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Ilari Liusvaara
- Re: [TLS] Consistency for Signature Algorithms? Watson Ladd
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Viktor Dukhovni
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Eric Rescorla
- Re: [TLS] Consistency for Signature Algorithms? Blumenthal, Uri - 0553 - MITLL