IETF Logo Mail Archive

Re: [TLS] TLS RSA-PSS and various versions of TLS

Dr Stephen Henson <lists@drh-consultancy.co.uk> Sat, 18 February 2017 02:31 UTC

Return-Path: <lists@drh-consultancy.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9929B1295F7 for <tls@ietfa.amsl.com>; Fri, 17 Feb 2017 18:31:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, T_HK_NAME_DR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nYi3m_oNWBv8 for <tls@ietfa.amsl.com>; Fri, 17 Feb 2017 18:31:30 -0800 (PST)
Received: from claranet-outbound-smtp00.uk.clara.net (claranet-outbound-smtp00.uk.clara.net [195.8.89.33]) by ietfa.amsl.com (Postfix) with ESMTP id 74279129449 for <tls@ietf.org>; Fri, 17 Feb 2017 18:31:29 -0800 (PST)
Received: from host86-133-224-58.range86-133.btcentralplus.com ([86.133.224.58]:15148 helo=[192.168.1.64]) by relay00.mail.eu.clara.net (relay.clara.net [81.171.239.30]:10465) with esmtpa (authdaemon_plain:drh) id 1ceuo1-0007wo-1U for tls@ietf.org (return-path <lists@drh-consultancy.co.uk>); Sat, 18 Feb 2017 02:31:26 +0000
To: tls@ietf.org
References: <E521BA5F-4563-44D2-B186-B11B7B214A15@mobileiron.com> <20170208211738.GB17727@LK-Perkele-V2.elisa-laajakaista.fi>
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Message-ID: <53320524-0da9-2b59-c348-e1d585572c03@drh-consultancy.co.uk>
Date: Sat, 18 Feb 2017 02:31:19 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <20170208211738.GB17727@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O5ZA5q7Ua7O3MmNHI9eaBTsDfWI>
Subject: Re: [TLS] TLS RSA-PSS and various versions of TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2017 02:31:32 -0000

On 08/02/2017 21:17, Ilari Liusvaara wrote:
> On Wed, Feb 08, 2017 at 07:34:16PM +0000, Timothy Jackson wrote:
>> I have a question on RFC5246 (TLS 1.2) and how it’s going to interact with
>> RSASSA-PSS as we roll out TLS 1.3. Does the prohibition against RSASSA-PSS
>> apply only to the signatures that can be used for signing handshakes or
>> does it apply to the entire certificate chain as well? I ask because while
>> I think the latter may have been the intent I have not found anything that
>> indicates the former is not actually what the RFCs require.
>>
>> The relevant section of RFC4056 reads:
>>
>> 7.4.2 Server Certificate
>> …
>> Note that there are certificates that use algorithms and/or algorithm
>>    combinations that cannot be currently used with TLS.  For example, a
>>    certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
>>    SubjectPublicKeyInfo) cannot be used because TLS defines no
>>    corresponding signature algorithm.
>>
>> I don’t see anything here that restricts which signatures can be used on
>> the certificates themselves. Is that accurate? If so, then I think the
>> relevant restrictions are not in TLS RFCs at all, but rather are in RFCs
>> such as 4055, 4056, and 5756. These RFCs allow RSASSA-PSS. Is it
>> therefore permissible to have a CA that is signed with RSASSA-PSS with
>> TLS 1.0, 1.1, or 1.2.
>>
>> Is this what was intended?
> 
> My interpretation:
> 
> If client includes RSA-PSS codepoints in its signature_algorithms,
> then:
> 
> - The server handshake signature MAY be signed using RSA-PSS in TLS
>   1.2 or later. Yes, 1.2, not 1.3.
> - The certificate chain MAY contain certificates signed with RSA-PSS
>   in any TLS version (however, the salt length must match hash length).
> 
> In converse case:
> 
> - The server MUST NOT sign handshake using RSA-PSS in any TLS
>   version
> - The certificate chain SHOULD NOT contain certificates signed with
>   RSA-PSS in any TLS version.
> 

Does this apply to RSASSA-PSS (RSA-PSS signing only) keys in end entity
certificates too?

For example could a TLS 1.2 server legally present a certificate containing an
RSASSA-PSS key for an appropriate ciphersuite? Similarly could a client present
a certificate contain an RSASSA-PSS key?

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.

v2.23.0 | Report a Bug | By Email