Re: [TLS] Proposal to deprecate sha1 and md5 for digital signatures in TLS 1.2

"Martin Thomson" <mt@lowentropy.net> Fri, 10 May 2019 01:46 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02438120047 for <tls@ietfa.amsl.com>; Thu, 9 May 2019 18:46:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=jPha13pl; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=u9l3nQP6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdcM4mksRIZz for <tls@ietfa.amsl.com>; Thu, 9 May 2019 18:46:54 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C85A120004 for <tls@ietf.org>; Thu, 9 May 2019 18:46:54 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id F140D41B for <tls@ietf.org>; Thu, 9 May 2019 21:46:53 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Thu, 09 May 2019 21:46:54 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=m2RpA+IKmVlY/xOnAUPAiQHjkjxEOVn C9kEWtCbEqJE=; b=jPha13plaHpjnMitlRwGawRTH4tLHjNE2L827yFLaAGRYOr m12im5Y4EdVm+Q89wWBnu+Ir0BbwsMarff38OpN5Q3P06xpw7KAS0MYvkHpipkQH /RmGXTgaWhH9Q7gGbJy9yltV9Te/seUco6UZr9Yve+6y0LL3gOSJO1w2M/zkyR44 FXbuxPP0VPZ2cRBZLCyQy0WcFy9Ho/sTptEUs7/TRtssJzU0zIvTU9pjMyea3XJ7 1EuLKUHTN6WSopMu6foQ8wk+Kp7NzGyt9J+M6revlryXunULgv7ZsKkZFg9FbxqD XUSwO6hl0bDgtegpjDLbmhF4qVA611g78deJtgA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=m2RpA+ IKmVlY/xOnAUPAiQHjkjxEOVnC9kEWtCbEqJE=; b=u9l3nQP6VI3EeZ3L6gBhmT 4BYrGSbCx30gCC7bj5a/fD4bs6nCX7TpC37d7JL6nVsmbG9krDYHGCU92YAR4hiS FtiYJIo5hOR1yGE8WdBLZGfI73CUgMBoDu1EVZCvf+eFusTH/qr/mq5qz6QDasD4 tl1/tPf3+zU62M3K8n2Tm1DYE6K2VAZADyuZIIBHRVONLGzz3VZHzas4UXjOVdMS wbz/4BcokzGSXggnCB+dtThaPKPwKL54o4RVQp74BTfv+wpveiPj+e7GP/XlQzzF p5nZtc9UUUFdKTm2M6plKukagi0x2Ds1Sw1VLoLn5PIxvnUdmORt3dh96ec3LZfA ==
X-ME-Sender: <xms:DNjUXFz_8JCdNj-0iudi0uihkWi5JrVS4PvDQYPtdemrupJX4supSg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrkeeigdduheegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucffohhmrghinhepihgvthhfrdhorhhgnecurfgrrh grmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvghtnecuvehluhhs thgvrhfuihiivgeptd
X-ME-Proxy: <xmx:DdjUXKmuIP7eYCSG3R3YZmCALhYrFymErLNsZSZKxsywGOVh4yp32g> <xmx:DdjUXHHV-8hOwhOnuB4qRGwa9e2mapryWgbgrnKlt4aG1FIdzpvvAQ> <xmx:DdjUXGOiED6J_AJ2kxgL_cX9WSJ01hGmqipxtc9ZmOxyRTpLtSFV3A> <xmx:DdjUXPRvnOLPIHButuxitz4mCCA_oGf37NmwG1QhjpnCPb9NafduLQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id D2CD07C3DB; Thu, 9 May 2019 21:46:52 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-449-gfb3fc5a-fmstable-20190430v1
Mime-Version: 1.0
Message-Id: <528b8748-6f99-4167-9075-891286b8bc26@www.fastmail.com>
In-Reply-To: <CAOp4FwRNxx2+MdSqHcrqgA0KkNMaQ29H8K4WBFDAw2AhL+3NKA@mail.gmail.com>
References: <CAOp4FwRNxx2+MdSqHcrqgA0KkNMaQ29H8K4WBFDAw2AhL+3NKA@mail.gmail.com>
Date: Thu, 09 May 2019 21:46:44 -0400
From: "Martin Thomson" <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Q_zY-d4oSgsCtbIHO0gUeXPRBVQ>
Subject: Re: [TLS] =?utf-8?q?Proposal_to_deprecate_sha1_and_md5_for_digital_s?= =?utf-8?q?ignatures_in_TLS_1=2E2?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 01:46:57 -0000

It might pay to spend more time on explaining what you are trying to do.

The goal appears to be to remove a dependency on signature schemes that include these weaker hash functions.  But the introduction just says that the functions are bad.

You should be very clear about what effect this has on the use of SHA-1 in HMAC for record protection.  It looks like you don't intend to deprecate that.  Say that.

The change to the enum is silly.  Overall, I think that the updates to 5246 are unnecessary.  Concentrate on 7525.

The 7525 text starts with "When using RSA", so it could be read to not apply to ECDSA.  That would be a mistake.  I recommend splitting the paragraph into talking about the group size (the first sentence) and a separate paragraph on hash functions used as part of the signing process. 

As part of that, this probably needs to be a MUST: "Clients SHOULD indicate to servers that they request SHA-256, by using the "Signature Algorithms" extension defined in TLS 1.2."

And then I think we should publish something.  Like David, I'm acutely aware of the compatibility hazard that this presents, but it's no less worth doing.


On Fri, May 10, 2019, at 00:12, Loganaden Velvindron wrote:
> Hi all,
> 
> Following the recent thread on TLS 1.0 and TLS 1.1 deprecation, we
> came up with a proposal to deprecate md5 and sha1 for digital
> signatures in the TLS 1.2 spec.
> 
> Please find the draft at this url:
> https://tools.ietf.org/html/draft-lvelvindron-tls-md5-sha1-deprecate-03
> 
> We look forward to your feedback.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>