Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
Martin Rex <mrex@sap.com> Fri, 04 March 2011 23:40 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 196963A6A44 for <tls@core3.amsl.com>; Fri, 4 Mar 2011 15:40:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.436
X-Spam-Level:
X-Spam-Status: No, score=-9.436 tagged_above=-999 required=5 tests=[AWL=-0.787, BAYES_00=-2.599, GB_AFFORDABLE=1, HELO_EQ_DE=0.35, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJlExeX8gxls for <tls@core3.amsl.com>; Fri, 4 Mar 2011 15:40:27 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 705A73A69DA for <tls@ietf.org>; Fri, 4 Mar 2011 15:40:27 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p24NfWw9016153 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 5 Mar 2011 00:41:32 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103042341.p24NfVKj018910@fs4113.wdf.sap.corp>
To: geoffk@geoffk.org
Date: Sat, 05 Mar 2011 00:41:31 +0100
In-Reply-To: <m2r5amh76n.fsf@localhost.localdomain> from "Geoffrey Keating" at Mar 4, 11 02:06:24 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2011 23:40:29 -0000
Geoffrey Keating wrote: > > Martin Rex <mrex@sap.com> writes: > > > Michael D'Errico wrote: > > > > > > Matt DeMoss wrote: > > > > I'd encourage consideration of client certificates also. If the client > > > > has certificate chains for SHA1 and SHA2 or for SHA2 and SHA3, it > > > > needs a way to choose which chain to send during periods of transition > > > > where some servers will reject SHA2 and others will reject SHA3. > > > > > > Isn't this already in TLS 1.2? When the server requests a client > > > certificate, the CertificateRequest includes a list of acceptable > > > signature algorithms. The client can then check each of its > > > certificate chains to find the best one the server can handle. > > > > It is *MUCH* worse than that. > > > > TLSv1.2 goes as far as _requiring_ that if the signature_algorithm > > extension is sent, that the receiver MUST ensure that all certificates > > in the chain are from the signature_algorithm set. > > That's in the server's chain, though, not the client's. For the > client, the possible certificate algorithms and types are listed in the > CertificateRequest, not in an extension, and the list is not optional. http://tools.ietf.org/html/rfc5246#section-7.4.4 7.4.4. Certificate Request struct { ClientCertificateType certificate_types<1..2^8-1>; SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>; DistinguishedName certificate_authorities<0..2^16-1>; } CertificateRequest; supported_signature_algorithms A list of the hash/signature algorithm pairs that the server is able to verify, listed in descending order of preference. - Any certificates provided by the client MUST be signed using a hash/signature algorithm pair found in supported_signature_algorithms. Adding support for sha256WithRsaEncryption in X.509 certs to the PKI module of an existing implementation of SSLv3 or TLSv1.0 in your installed base is an almost trivial software change. About a magnitude(!) less work&testing than implementing rfc-5746 (TLS extension RI). It is so easy that even Microsoft did it for XP & Win2K3 (unfortunately they only included it in XPsp3 -- for XPsp2 and XP 64-bit/Win2K3 it is manual work to download and install hotfix KB968730.) rfc5246 is a failed specification, because it adds several undue limitations and interop problems to the protocol that did not exist in TLSv1.0 and v1.1, that are technically inappropriate, completely unnecessary and in massive conflict with rfc-2119 section 6. The TLS spec should not mess around with PKI and X.509 issues. Negotiation of the algorithm used for the "digitally signed" struct ought to be _completely_ seperate from characteristics of certificates. A TLS extension to convey hints about digital signature algorithms ought to be a fairly black box to TLS, containing a list of ASN.1 AlgIds, and with the semantic of a "hint to the PKI software for selecting the most appropriate certificates", i.e. "MAY" not "MUST". Having the prerequisite for a signature algorithm to be used with TLSv1.2 that first official code points must be assigned by the IETF and then all TLS implementation must be updated to know how to translate a particular AlgId() into a newly defined TLS SignatureAlgorithm codepoint before a client certificate with a different crypto algorithm can be used looks like a pretty deep rathole with lots of huge and nasty rats at the bottom. Even Microsoft managed to design their TLSv1.0 protocol stack in Microsoft Windows XP in a fashion that it can be used with completely different cryptoalgorithms (like entirely from the GOST suite) with the installation of a CryptoCSP. Changing TLS in a fashion that makes this _much_ harder to get working is the wrong direction for the evolution of the TLS protocol. Personally, I consider several aspects of TLSv1.2 _unimplementable_ (i.e. it would break functionality we use and have shippped). But I believe it is possible to fix TLSv1.2, and in a fashion that remains interoperable with implementations of rfc-5246 (i.e. without breaking them). I also think there is a necessity for smoothing the transition to certificates with sha-2 based signatures for the installed base of pre-TLSv1.2. A transition that comes about 1/4 of the cost of RFC-5746 in terms of implementation and testing effort. Something that is so affordable that even Microsoft could ship it for WindowsXP. -Martin
- [TLS] TLSv1.2 with DSA client cert and key size >… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Wan-Teh Chang
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- [TLS] TLS v1.2 performance (was Re: TLSv1.2 with … Michael D'Errico
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Nikos Mavrogiannopoulos
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Kemp, David P.
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Wan-Teh Chang
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yoav Nir
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Marsh Ray
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Kyle Hamilton
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Sean Turner
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex