Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sat, 04 May 2019 13:00 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C60C12008A for <tls@ietfa.amsl.com>; Sat, 4 May 2019 06:00:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gYjsMI1eJMjO for <tls@ietfa.amsl.com>; Sat, 4 May 2019 06:00:54 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1FB4120074 for <tls@ietf.org>; Sat, 4 May 2019 06:00:54 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id y64so6463699oia.7 for <tls@ietf.org>; Sat, 04 May 2019 06:00:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=H9ch/3ogWZEfV0+6uArBrSugq3FJEQCFxnJKAYOiuQE=; b=RZLJqBKFfxbYX/h7sMK1IWPrH8hGUVb9LiyvP565N2hwdfKpXscLNt4s6l05O6qxnh 8sBYjSFMFE4A2hnwZu21fhXij71jy/LRHLQEVtYNos/xT4Kz4l1reO2D0pKkZG6ABRjf V948qK3tgc8WovIGLd4QZbAR+t3cnOkDSWfIvl7+llF2ceMsBfzuym+WUaelqUf3+3Bv Sw0OdeRmj0K2lATvQ4wFZ9lwW7BvMcvpUjvYa5XZZA/zd2YgYzA7EgPJtpACuCE324sC c5q36PORww2+IBoUnuQ6dYBKdPJB9+pwLKnenDbsnbNwC7p+UFJvAN6iRGCybwUKeEsr 0Nng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=H9ch/3ogWZEfV0+6uArBrSugq3FJEQCFxnJKAYOiuQE=; b=F9ceEMeksFKmy7e/MnT6YoFgYWpBlAg/Wl+KZos32OpT1OgxM8T241//g6H5G8u+yo Vyu9/4wWXfLbRmUGAmcJbmvSs/7q6Lf3A7m5ss0lYf/Benv7NMhRV3GQimnYd9v34NAd l4vHX23aiYNP2G5dZhCnNjvmKX42zz+1m3bOwACpsjMiaTbm2DrGUy4iEdsi6Ghyrvlc 0H+8PwtTO0pallllek5CU4yewUDSwOl/Ys0ipFeKaOIL7ezY+oQt0zlY7eenLMMkc+2l aDqKEkQHcoJfhedhi6XOp2FoVhE7WYchYoAuAwdTysY1hbblKs+AzmZVBskZArsqaXVz 6HOw==
X-Gm-Message-State: APjAAAUJWU4Hn5E570DXTp+fJBZ7GSiP8VPFccLrzNJuEag7tMc78MDs TQ94KXDqByw5XbL7BwbN/ZfxBihsa0elrrxpklGrqWpw4tg=
X-Google-Smtp-Source: APXvYqyg2X5fExP6gKGfJ8bQq77owMs1OC4BlD7SmzD3RUFviaYHMRU/g/MPAWU256vXknYHjsYgnWIgQAgF4yeECIY=
X-Received: by 2002:aca:3e56:: with SMTP id l83mr2325530oia.111.1556974854030; Sat, 04 May 2019 06:00:54 -0700 (PDT)
MIME-Version: 1.0
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <7d37f7ca-e253-4c95-9cf7-2d16b0b6a0aa@www.fastmail.com> <20190430234952.21F5C404C@ld9781.wdf.sap.corp> <5441930.X76MtM1CnQ@pintsize.usersys.redhat.com> <1556902416424.28526@cs.auckland.ac.nz> <20190503172022.GH4464@akamai.com> <1556904629782.23087@cs.auckland.ac.nz> <CABcZeBNKgSFYg7gm-4ZibHSzDxO9qSjM5UGQXo81Rv7_r+m9gw@mail.gmail.com> <1F7FC950-358D-4D5C-963B-B7B837AE49DA@gmail.com> <CAHbuEH4Y6PJDhoHPnCkBgsAkOhvSTHFpew3V1d9iSQs_bknYSQ@mail.gmail.com> <1556937973484.34949@cs.auckland.ac.nz>
In-Reply-To: <1556937973484.34949@cs.auckland.ac.nz>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Sat, 4 May 2019 09:00:17 -0400
Message-ID: <CAHbuEH7y8gFrVjDPY2AFRH_QQQUtaB8-SqKAmgjcGO+ksM3UTw@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001948d905880f75bf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O3HbFaTxXfLtn1RbhL4H7OpKbO8>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 May 2019 13:00:57 -0000

On Fri, May 3, 2019 at 10:46 PM Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> writes:
>
> >MD5 is not discussed in the current version of RFC7525.
>
> I would add it, if this is guidance for general use then it should cover
> all
> the bases, if SHA-1 is a MUST NOT then MD5 is a REALLY REALLY REALLY MUST
> NOT.
>
> (Technically SHA-1 is still safe for ephemeral signing, i.e. locations
> where
> an attacker can't spend arbitrary amounts of time working on precomputed
> data,
> which is most of TLS because of the nonces in the handshake and the fact
> that
> connections will quickly time out if nothing arrives, but since TLS 1.2 has
> SHA-2 built in already there's probably little point in separating out
> where
> SHA-1 is safe vs. where it isn't).
>

Sure, I agree, but needed to look through prior documents first.  Since it
wasn't in RFC7525 as a recommendation and the minimum baseline was above
MD5, I suspect that is why it is not mentioned.   If there is support (and
no disagreements) the text above could be added and include SHA-1 and MD5
MUST NOT be used.  The minimum baseline is already set above it though in
the statement.

WG decision is appreciated on this point and proposed text for RFC 7525.

Proposed:

   When using RSA, servers SHOULD authenticate using certificates with
   at least a 2048-bit modulus for the public key.  In addition, the use
   of the SHA-256 hash algorithm is the minimum requirement, SHA-1 and
MD5 MUST not be used (see [CAB-Baseline
<https://tools.ietf.org/html/rfc7525#ref-CAB-Baseline>] for
   more details).  Clients SHOULD indicate to servers that they request
   SHA-256, by using the "Signature Algorithms" extension defined in
   TLS 1.2.


Best regards,
Kathleen

>
> Peter.
>


-- 

Best regards,
Kathleen