IETF Logo Mail Archive

Re: [TLS] Draft 18 certificate signature algorithm requirements

Eric Rescorla <ekr@rtfm.com> Thu, 01 December 2016 03:51 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4B9112943B for <tls@ietfa.amsl.com>; Wed, 30 Nov 2016 19:51:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjWtPVuveqBn for <tls@ietfa.amsl.com>; Wed, 30 Nov 2016 19:51:42 -0800 (PST)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 296A4126579 for <tls@ietf.org>; Wed, 30 Nov 2016 19:51:42 -0800 (PST)
Received: by mail-yw0-x231.google.com with SMTP id t125so174948272ywc.1 for <tls@ietf.org>; Wed, 30 Nov 2016 19:51:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=WOS/+SfOmmLodf1U4d45K0uyxqkuVHvx7eBPCr27EMM=; b=uRT69CvXBWEjd2r16bynF713aj5oCLOkfWeP7gpSX0r9vR22yLvg2nnmfbsshWiNQJ TVpCBP2elWK+VRAOM9wBMikQPWpNis1vvMfOVyedNIMrfsJ7ALuVrSAdbrnEswpg053C PtwsIxCBkC8g9HEsO88C0jgg6JciegbMXqXs9gp+XsY70VPk+gKCA8d2/Z5VP0/K0DNe AqWo1rLQGyrMXYczO9u5MxMJJTj8MKKQE4As+7mj8mbFeJsAEOHFnIVnfYexmmRF48f0 e7pZozvCYOE8Fbe6At/hyN7HK5yNzFc/N1S0GJW51etQXyO+CboLRwqprUGFVJUX+L0r dq6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=WOS/+SfOmmLodf1U4d45K0uyxqkuVHvx7eBPCr27EMM=; b=i8D1BZxhWpKqy2oVELNYxoYUF1Hc61TtfDcMQi4EZUv/db7zyvDubIlxu5CI18pDbN h3iF5w4Ie9jxTyOw3+yd0W6SiLQBQgP/k8+EyG4jcXcLImRubp9kiMKUb+dNfw/8tjR7 +Rxj7TpDnLJSDkUfUvnvGRonuFrCmLt1ksWlehXWSWN9Nof0262uZCQDp9JG5Oxx0zv2 nxCo2O08O3aeIIbTzRTJWqipvW1tOHoWfUwoB1WXvB3EhA/hjDMOXeBdl8By+/lu8InC oRpnnpTQbfU5P9mX+Zp12G/gBWMyxboWGVdZaHYCNyMDGqxhseuKpTjBB0Mf33Ckxtwu Hm2g==
X-Gm-Message-State: AKaTC00KDL7J/NoZkex55SyNfbzPT9Jk7s4TxGRJgZaKKAlDIbZEHvOPVm4ihDfMPf0ilQaFxbOIQ+7tJp0Kvw==
X-Received: by 10.129.108.216 with SMTP id h207mr39572680ywc.52.1480564301177; Wed, 30 Nov 2016 19:51:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.164.210 with HTTP; Wed, 30 Nov 2016 19:51:00 -0800 (PST)
In-Reply-To: <20161201025025.GP26244@mournblade.imrryr.org>
References: <20161201025025.GP26244@mournblade.imrryr.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 30 Nov 2016 22:51:00 -0500
Message-ID: <CABcZeBNtOcd0UkUgR+dYCZVPP0k2ueHLzMZtAskpdws3VXi5Qw@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114dd36e3d6daf054290bd8c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OgqlfLY_4PDSSEmZZXRE9LoPYW0>
Subject: Re: [TLS] Draft 18 certificate signature algorithm requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 03:51:44 -0000

On Wed, Nov 30, 2016 at 9:50 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> We've discussed this before, and the current state of the text is
> certainly much improved.  I'd like to touch on one final point.
>
> The current text reads:
>
>    Section 4.4.1.2 ( https://tools.ietf.org/html/
> draft-ietf-tls-tls13-18#page-56 )
>
>    All certificates provided by the server MUST be signed by a signature
>    algorithm that appears in the "signature_algorithms" extension
>    provided by the client, if they are able to provide such a chain (see
>    Section 4.2.3).  Certificates that are self-signed or certificates
>    that are expected to be trust anchors are not validated as part of
>    the chain and therefore MAY be signed with any algorithm.
>
>    If the server cannot produce a certificate chain that is signed only
>    via the indicated supported algorithms, then it SHOULD continue the
>    handshake by sending the client a certificate chain of its choice
>    that may include algorithms that are not known to be supported by the
>    client.  This fallback chain MAY use the deprecated SHA-1 hash
>    algorithm only if the "signature_algorithms" extension provided by
>    the client permits it.  If the client cannot construct an acceptable
>    chain using the provided certificates and decides to abort the
>    handshake, then it MUST abort the handshake with an
>    "unsupported_certificate" alert.
>
> The first and second paragraph are in conflict, unless the first
> paragraph's MUST is changed to a SHOULD, or a "MUST if at all
> possible", ...  That is it fine to require the server to send a
> compatible rather than an incompatible certificate when it has at
> least one of each, but if the only choice is to fail, the second
> paragraph says that the server "SHOULD" send what it has, thus
> the first is not really a MUST as written.
>

It's "MUST if... ". That's different from SHOULD unless because it
means that the unless clause is that only reason for violating it, and then
if that condition obtains it SHOULD do X but could presumably do
other things.


The onus is correctly placed on the client (not on the server) to
> abort the connection, if the client's security requirements are not
> met by the server's certificate chain.
>
> So I'd like to see the text in the first paragraph changed to a
> SHOULD or worst-case a qualified "MUST whenever possible".
>

I don't see any difference between "MUST whenever possible"
and the current language.


On a related note, is there in the current draft anything that
> requires ECDSA certificates to bear ECDSA issuer signatures?


No. Nor has that been true since TLS 1.2. See:
https://tools.ietf.org/search/rfc5246#section-7.4.2

   If the client provided a "signature_algorithms" extension, then all
   certificates provided by the server MUST be signed by a
   hash/signature algorithm pair that appears in that extension.  Note
   that this implies that a certificate containing a key for one
   signature algorithm MAY be signed using a different signature
   algorithm (for instance, an RSA key signed with a DSA key).  This is
   a departure from TLS 1.1, which required that the algorithms be the
   same.  Note that this also implies that the DH_DSS, DH_RSA,
   ECDH_ECDSA, and ECDH_RSA key exchange algorithms do not restrict the
   algorithm used to sign the certificate.  Fixed DH certificates MAY be
   signed with any hash/signature algorithm pair appearing in the
   extension.  The names DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are
   historical.





> Or
> has that finally been relaxed, allowing the transmission of EE
> ECDSA certs bearing RSA signatures (ideally the client also signals
> support for RSA signatures)?  This would lift the restriction
> imposed by:
>
>    https://tools.ietf.org/search/rfc4492#section-2.2
>
>    In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA-
>    capable public key and be signed with ECDSA.
>
> My impression is that the text in the last paragraph of 4.4.1.4:
>
>    https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.4.1.4
>
>    Note that a certificate containing a key for one signature algorithm
>    MAY be signed using a different signature algorithm (for instance, an
>    RSA key signed with an ECDSA key).
>
> seems to have the desired effect.  Is that correct?  If so, should
> the change from 4492 be stated more emphatically, making it clear
> that the older restriction no longer applies?
>

Given that ECDHE_ECDSA is not even a concept in TLS 1.3, I don't see
that this text is relevant.


-Ekr


>
> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email