IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Hubert Kario <hkario@redhat.com> Thu, 09 July 2015 10:43 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2C961AD068 for <tls@ietfa.amsl.com>; Thu, 9 Jul 2015 03:43:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-XUYH5uPZI0 for <tls@ietfa.amsl.com>; Thu, 9 Jul 2015 03:43:12 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B9271AD067 for <tls@ietf.org>; Thu, 9 Jul 2015 03:43:12 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 99B922CD84C; Thu, 9 Jul 2015 10:43:11 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-167.brq.redhat.com [10.34.0.167]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t69Ah9GB000576 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Thu, 9 Jul 2015 06:43:11 -0400
From: Hubert Kario <hkario@redhat.com>
To: Dave Garrett <davemgarrett@gmail.com>
Date: Thu, 09 Jul 2015 12:43:09 +0200
Message-ID: <1972429.03AREYRsAB@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.7 (Linux/4.0.4-202.fc21.x86_64; KDE/4.14.7; x86_64; ; )
In-Reply-To: <201507081523.03733.davemgarrett@gmail.com>
References: <20150708174549.336B51A1C7@ld9781.wdf.sap.corp> <4168412.YzbFrOzRpF@pintsize.usersys.redhat.com> <201507081523.03733.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2299335.WxHEuByXsK"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QN4c2JLy7XS5CiO4bIampO8ZZjw>
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 10:43:13 -0000

On Wednesday 08 July 2015 15:23:03 Dave Garrett wrote:
> On Wednesday, July 08, 2015 02:15:40 pm Hubert Kario wrote:
> > The IIS is behaving as the RFC requires it to (with the exception of TLS
> > alerts) - according to section 7.4.2 of RFC 5246 - bottom of page 48.
> 
> I was just about to respond to this with the obvious joke: "It works
> perfectly fine except for the part that is broken" ... and then I read the
> spec and actually have to defend them here. There isn't actually a
> requirement of throwing an error alert in the spec, currently. There of
> course ~should~ be an alert, and it should be in the spec, but it isn't
> yet.

this is general behaviour of schannel implementation, as far as I've read
 
> Note, BTW, that my current WIP for MTI extensions already does have hard
> error cases added in, including a new alert:
> https://github.com/davegarrett/tls13-spec/compare/pruning...davegarrett:man
> datoryextensions
> 
> There have already been a few spots that got clarifications on what errors
> should be expected, and I think this is an area that really should be given
> proper focus for TLS 1.3. We shouldn't have any spots where anyone can say:
> "huh, what should it do now?".

definitely agree, what action to take on an error state should be clearly 
defined by the spec

I'm quite sure that by differences in error handling you can fingerprint the 
implementations very specifically - not catastrophic, but hardly ideal

that being said, I don't think this part of spec is, let's say... "fortunate".
It should be left up to the client to decide if it likes the certificate or 
not - not the server withholding it as a "you won't like it anyway".

> In fact, I think a catch-all requirement that a server MUST always return
> ~something~ in response to a (mostly) valid client message might be helpful
> here. Radio silence in response to any error is a really bad scenario that
> makes dealing with things annoyingly difficult. Servers should only stealth
> block/drop connections when it's likely to be junk its receiving (e.g. DoS
> or explicitly invalid/unauthorized attempt).

that was my general understanding for the TLS specs, given that we have such 
general alerts as "internal_error" and "handshake_failure" - but I can't point 
to any specific part of RFC that says that.

+1 for adding it to the TLS 1.3 spec
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email