IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Eric Rescorla <ekr@rtfm.com> Sat, 11 July 2015 23:19 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24B791A00C1 for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 16:19:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZdqVugV6vVT for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 16:19:44 -0700 (PDT)
Received: from mail-la0-f41.google.com (mail-la0-f41.google.com [209.85.215.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3BBF1A00C3 for <tls@ietf.org>; Sat, 11 Jul 2015 16:19:43 -0700 (PDT)
Received: by labgy5 with SMTP id gy5so130888124lab.2 for <tls@ietf.org>; Sat, 11 Jul 2015 16:19:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=s1OnINk7yGO5rVh2v+oN+WrRmJw8oq1+ls/h0HpVOME=; b=Qz2zPRSUMMiBxfLDpCwrhDenNldguZ+35rjpYWENeY2dc3l8F5fbiQgj6xWJeag7bS Od3OqcEsfxSbCeHVL1X+UONiRrRNQXWjjC/UJDisoFNU/qTGE84xx0la2CkaA4tvI0Kq FBlFHipRHpwBXQn4X1lmDzNDCrysY4uBk7U8GDF69i3Fz98bSolUuGZy8ar37uH1mvhT nfHVnaNqSa7qn4iswUpZa4X5JLVXRIazfkXULYZFk3+YMgMTt9k54JlVPslQNo6NQ2bc qOZUBeIdz6+gJC7MG68BfB4XcgFiipdowy2DAyPL3eQKHnjr4PGv/QRLoLFcKkGCjJow db6g==
X-Gm-Message-State: ALoCoQkQpE+PmG4rss1t0UbxaA574S2zZGBwzCcflNnB7wd5fj75sK+tWGGwOAxjNRyNGIWtPGva
X-Received: by 10.152.244.170 with SMTP id xh10mr20233938lac.23.1436656782171; Sat, 11 Jul 2015 16:19:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.99.103 with HTTP; Sat, 11 Jul 2015 16:19:02 -0700 (PDT)
In-Reply-To: <20150711211403.GB19435@LK-Perkele-VII>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <20150711190040.GS28047@mournblade.imrryr.org> <201507111536.50433.davemgarrett@gmail.com> <201507111605.01407.davemgarrett@gmail.com> <20150711204810.GU28047@mournblade.imrryr.org> <20150711211403.GB19435@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 11 Jul 2015 19:19:02 -0400
Message-ID: <CABcZeBMU2VpHfGy5Pbx26MdRM-or53RCs6BwbONDyvRKMgkj3w@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="001a1134b65e2a7845051aa1b951"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NdTwDTUoPTkZLdEI2h8dDlOz7ZI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 23:19:46 -0000

On Sat, Jul 11, 2015 at 5:14 PM, Ilari Liusvaara <
ilari.liusvaara@elisanet.fi> wrote:

> On Sat, Jul 11, 2015 at 08:48:10PM +0000, Viktor Dukhovni wrote:
> >
> >     The public key in the leaf certificate must of course be
> >     compatible with the chosen cipher-suite, and the subsequent
> >     ServerKeyExchange message must be signed via a mutually supported
> >     hash/signature algorithm pair.
>
> Actually, it only needs to be compatible with ciphersuite if client
> did not send signature_algorithms. If it did, then it needs to be
> compatible with any algorithm pair signaled in that.
>
> It also worked this way in TLS 1.2.
>
>
> E.g. if client advertised {sha256, ecdsa} + <others> in its
> signature_algorithms and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> + others in its ciphersuites, then the server MAY pick
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and then proceed to
> sign the handshake with ECDSA/SHA-256. Despite there being
> no DHE_ECDSA ciphersuites.
>
>
> Also, it occurs to me that analogous situation occurs with client
> certificates. But there the rules are much less clear to me:
>
> There are two fields that control supported certificate algorithms:
> certificate_types and supported_signature_algorithms, both in
> CertificateRequest.
>
> Here's what TLS 1.2 says about interplay of those fields (and
> TLS 1.3 wg-07 has very similar language, quite possibly exactly
> the same):
>
> "The end-entity certificate provided by the client MUST contain a
> key that is compatible with certificate_types. If the key is a
> signature key, it MUST be usable with some hash/signature
> algorithm pair in supported_signature_algorithms."
>
> Is say ECDSA key "compatible" with rsa_sign?
>
>
> Also, it seems like TLS 1.3 draft allows fixed_dh certificate_types.
> How would those even work?


This is just editor error.



> I thought only signature-capable ones
> do. Which would mean that certificate_types could be deprecated
> entierely.


Yes, I think i observed this before but just haven't gotten around to
updating
the spec to remove it.

-Ekr



>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email