IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate

Christopher Wood <caw@heapingbits.net> Sun, 10 May 2020 00:03 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFC0D3A0C99 for <tls@ietfa.amsl.com>; Sat, 9 May 2020 17:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=kjZxv843; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=W1ddHlF9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vIWYBtofdq_M for <tls@ietfa.amsl.com>; Sat, 9 May 2020 17:03:13 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 469193A0C98 for <tls@ietf.org>; Sat, 9 May 2020 17:03:13 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 87F1C3E1 for <tls@ietf.org>; Sat, 9 May 2020 20:03:12 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Sat, 09 May 2020 20:03:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=FJwsd6FZtq9X15wQ8RTcqso5rmjrFpZ tc/mz8IDZrTQ=; b=kjZxv843zpLxH0bl8K+jSZ1g4F4JgJ2PklLWWjuCdxzVP7R Z7pwMFTROL9Molnr6eEZLLheFIExcyXQWXW8KLNQ+ph09KYfHGUrzdQr57zy2+va bse86msJFLrkBMT60K+8o2fKCs/yFbX1Gdu9b31cOtEIPl1a1BeHZAbYhSE2Z/OX 75tvmc3+iqJc6+tpjMtBp0KmsZpKl98Scsa3XiMl1xTYN2aIH4lG4vmTqdsPDAQv 1LJGvbMRKHDM8LytTRWOEjZyBTpRHKQxg51eoRMRx4F0Q0Mz8e7m55tydEAdn3bf +40eqmHNW0tHXX1d1xfYbnuYaRlAhy7TupShCUA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=FJwsd6 FZtq9X15wQ8RTcqso5rmjrFpZtc/mz8IDZrTQ=; b=W1ddHlF9VEuP32HF8VmHix z147u/sH2fy7JnYNwlYYTOlrcNwjHZ+Df3Fo506EdtK7m7nGBtDNUPisQhrjOfa9 qDujZGneL5qkO4gtbF0q63jGwB5cJuJDsM2J+vpxEd50/P7gmFwrooOuYZXrKiKn K9wBNPp2l40nHZRj8KyGnzXMWh+qUKc6T7DATAgwTxzJdA7ZNEbrvTI5kSKEoaT7 q3KX/wqhCr9jmQqlafOcTDTPIvIGMaEyp4eXkthXpoAy62/9Q5lG8GSZo0oQKLvj wVWuoiPlZ+sXZGJWba1qo8YYGdEa1Nw+Sha0ycsG2T1i0ci8fku6i1WNqgAOrkpA ==
X-ME-Sender: <xms:v0S3Xjalp675txSdxV_A19G9wK4NXI1VWu4SeLttNIPI2QIpJQlpWg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrkeeigddvjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggrfies hhgvrghpihhnghgsihhtshdrnhgvtheqnecuggftrfgrthhtvghrnheptdffueelveefle ehlefffffgleffjefhkeetudfhueelheetjeehvdffgffhueelnecuffhomhgrihhnpehg ihhthhhusgdrtghomhdpihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenuc frrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:v0S3XmrRvL686T-okbO7o-fwicjslkPXFzxRx7hxbyBpjQUZfkolZw> <xmx:v0S3Xg9T7ZU1lB3EuiSqzFfFHC66vpoTUIBtcNJh-AsE4mWpsoX3ug> <xmx:v0S3Xt_gfrHIhaSdJqN97gXTZclfERvzqQlVdUPjj79oLuvlqy3RTQ> <xmx:wES3XkwgejNlIPyzNgk0B2OK1Jh5dmoXJdgtsO1bRj4XAktZovYRSQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id BE9EB3C00A1; Sat, 9 May 2020 20:03:11 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-413-g750b809-fmstable-20200507v1
Mime-Version: 1.0
Message-Id: <21d86181-f9ca-4f07-a0c7-1e3db1a48b46@www.fastmail.com>
In-Reply-To: <a1a9acae-2e74-498f-9844-fd7f3e3aa14e@www.fastmail.com>
References: <508EEDF7-73D2-4BE6-AFBA-710E5A5AB41F@sn3rd.com> <315F2BCF-11E0-4FBD-8420-865F29A66AD1@akamai.com> <CAF8qwaDoLGm+SjPE8T3UaQ0HY_M+EuU=GuWGaxGaPwvqCDKxgQ@mail.gmail.com> <fe0d54d8-a923-4a77-be9a-3b263d7efeb7@redhat.com> <20191123134005.GA1224585@LK-Perkele-VII> <CAF8qwaBbhpYz+LoUJ-6wrbj=bB-MMkT4vjLmx7UScK42eB=1qg@mail.gmail.com> <20200423174513.GA11390@sokka.flat11.house> <a1a9acae-2e74-498f-9844-fd7f3e3aa14e@www.fastmail.com>
Date: Sat, 09 May 2020 17:02:51 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MxW-aUJKmWpcyaU88ubxnvZNU7Y>
Subject: Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 May 2020 00:03:17 -0000

FYI: This PR has been merged.

Best,
Chris, on behalf of the chairs

On Mon, May 4, 2020, at 10:08 AM, Christopher Wood wrote:
> Thanks, Alessandro! We'll aim to merge this PR on Friday. We ask that 
> folks review it before then. 
> 
>    https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/5
> 
> Thanks,
> Chris, on behalf of the chairs
> 
> On Thu, Apr 23, 2020, at 10:45 AM, Alessandro Ghedini wrote:
> > On Sun, Nov 24, 2019 at 11:27:26AM -0500, David Benjamin wrote:
> > > On Sat, Nov 23, 2019 at 8:40 AM Ilari Liusvaara <ilariliusvaara@welho.com>
> > > wrote:
> > > 
> > > > On Fri, Nov 22, 2019 at 08:18:47PM +0100, Hubert Kario wrote:
> > > > > On Friday, 22 November 2019 03:25:24 CET, David Benjamin wrote:
> > > > > > On Fri, Nov 22, 2019 at 8:35 AM Salz, Rich <rsalz@akamai.com> wrote:
> > > > > >
> > > > > > > > ...
> > > > > > > SHA-1 signature hashes in TLS 1.2" draft available
> > > > > > > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/.
> > > > > > > Please review the document and send your comments to the list by
> > > > 2359 UTC
> > > > > > > on 13 December 2019.
> > > > > > >
> > > > > > > I just re-read this.  Looks good. Perhaps a sentence of rationale in
> > > > ...
> > > > > >
> > > > > > To that end, the combination of client advice in sections 2 and 4 is a
> > > > bit
> > > > > > odd. Section 2 uses SHOULD NOT include MD5 and SHA-1, but section 4
> > > > says
> > > > > > the client MUST NOT accept the MD5 SHA-1, even if it included it. Why
> > > > would
> > > > > > the client include it in that case? It seems the two should either
> > > > both be
> > > > > > MUST NOT or both be SHOULD NOT.
> > > > >
> > > > > because it also influences certificate selection, and getting a
> > > > certificate
> > > > > signed with SHA-1 isn't an automatically disqualifying property?
> > > > > (it may be an intermediate CA that's not used, it may be an explicitly
> > > > > trusted
> > > > > certificate, etc.)
> > > >
> > > > If you don't want SHA-1 exchange signatures, you darn sure do not want
> > > > actual SHA-1 certificates that are not trust anchors anyway. And because
> > > > TLS 1.2 does not have separate lists for exchange signatures and
> > > > certificate signatures, the client needs to withdraw advertisment for
> > > > both in order to not send a misleading offer.
> > > >
> > > 
> > > Right, I had a longer discussion of the certificate-but-not-TLS case but
> > > omitted it. :-) Basically what Ilari said. In particular, I believe older
> > > versions of Schannel will, despite being able to sign SHA-256,
> > > preferentially sign SHA-1 if the client offers it. This is inconvenient
> > > when it comes to predicting breakage but is perfectly consistent with the
> > > client's offer. When I last looked at this a few years ago, this accounted
> > > for a nontrivial portion of SHA-1-negotiating servers on the web, so
> > > rejecting SHA-1 while still advertising it is probably not the best
> > > strategy.
> > > 
> > > Fortunately, we've already distrusted SHA-1 X.509 signatures on the web, so
> > > hopefully that will simplify things. There is a risk that some servers'
> > > trust anchors' (otherwise irrelevant) signatures are SHA-1 and they are
> > > trying to match it against the signature algorithms list, but I expect the
> > > SHA-1-preferring servers to be the deciding concern. Issues with
> > > trust-anchor-checking servers can likely be worked around by configuring
> > > the server to not send the trust anchor, which is desirable anyway.
> > > 
> > > (All of this may not apply to non-web deployments, of course.)
> > > 
> > > 
> > > > And I expect that in practice, not sending SHA-1 in
> > > > signature_algorithms would cause very little breakage on top of what
> > > > is already broken due to using SHA-1 exchange signatures.
> > > 
> > > 
> > > 
> > > So I think both should be MUST NOT.
> > 
> > So, based on this discussion, I made the following PR to change this to MUST NOT
> > https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/5
> > 
> > Thanks for the review!
> > 
> > Cheers
> > 
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email