Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt
David Benjamin <davidben@chromium.org> Sat, 04 September 2021 21:46 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 784A53A145E for <tls@ietfa.amsl.com>; Sat, 4 Sep 2021 14:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.949
X-Spam-Level:
X-Spam-Status: No, score=-9.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V17cbZ391Y2X for <tls@ietfa.amsl.com>; Sat, 4 Sep 2021 14:46:14 -0700 (PDT)
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA6543A145C for <tls@ietf.org>; Sat, 4 Sep 2021 14:46:14 -0700 (PDT)
Received: by mail-pg1-x52c.google.com with SMTP id 8so2677709pga.7 for <tls@ietf.org>; Sat, 04 Sep 2021 14:46:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5z7UEgctfpa/r5B12JUZfVOWOQfiez/aeepzRiJd5XU=; b=CbbdjLfFFMvdvn3XpkuMCE6g+ARryK2SPvkUd61y5qDavKhabXkP2bfsbNV+2naR15 48YaxnDX7sTfjD3n4faVA1PAzRj5coaBZGJhWJleVWvOUL6Y9UJvd7CXoVcf/tC6XGL5 UmFwGxpI0NXt1wgDtERT+GRbgvy2eaWtAAXUg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5z7UEgctfpa/r5B12JUZfVOWOQfiez/aeepzRiJd5XU=; b=cLvqrWBXoT7WK/g4m1BhgPVHVWfceb+0MZBgPL7QOZempsfa4958IEAeoeDRReRZ9p a6S8HiI37HCTWgP8eCkmypP0+W+UMgVN/FYbdI+eTIEJufZQWP17MH1YgbRbaxTMux3N FMxWKqM2SPK/wZC4K+QnRI6DYf3ScOnxxjq3VYyKY4T+R34YEQSFYEsFF6yxYwmUSP0Y f/H2iOxUGZg3wd6rHes36KSCe0J6MdjzPhQKz/mTf7zLLdKKDxUVE+d0taQjeuXuEYTQ fc0MkM59Dtq8Rz7okhnty2az+BmAAr6S70POWz6BQBH7YsCEIXhT+K4lXhItlGRB2UhC UmWg==
X-Gm-Message-State: AOAM530/L5l3LAfEJIS3K0jwxoNBh0euoDULLyQP5w2Vzj7a8WRe7qrs gqh6QqJ8+MOeFdvQ2tDiTBl0licx1iQEab5/2V1ngC4gzw==
X-Google-Smtp-Source: ABdhPJwJx0Bd208jEetarMHZqwZJtAxxi0/wLbvPpdqEBOx/blQKhucaxMX81M8WJYg/Ggcq86lZjMLR2mA3lALpp1A=
X-Received: by 2002:a62:f243:0:b0:3fb:b8bd:e9d9 with SMTP id y3-20020a62f243000000b003fbb8bde9d9mr4999737pfl.63.1630791972476; Sat, 04 Sep 2021 14:46:12 -0700 (PDT)
MIME-Version: 1.0
References: <163068481195.6396.4015668882511523788@ietfa.amsl.com> <6f0942ee-e946-48fb-96db-1fe35d2c1d46@redhat.com>
In-Reply-To: <6f0942ee-e946-48fb-96db-1fe35d2c1d46@redhat.com>
From: David Benjamin <davidben@chromium.org>
Date: Sat, 04 Sep 2021 17:45:56 -0400
Message-ID: <CAF8qwaBQdw5m7BAqaVL7hw9_1gDrw8=6uZSZfJ2BmzaOBpyY9g@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003972a705cb325808"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QabRygNYRwOq_wXg6TlYLoOirEM>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-deprecate-08.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Sep 2021 21:46:20 -0000
On Fri, Sep 3, 2021 at 1:24 PM Hubert Kario <hkario@redhat.com> wrote: > On Friday, 3 September 2021 18:00:12 CEST, internet-drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line > > Internet-Drafts directories. > > This draft is a work item of the Transport Layer Security WG of the IETF. > > > > Title : Deprecating MD5 and SHA-1 signature > > hashes in (D)TLS 1.2 > > Authors : Loganaden Velvindron > > Kathleen Moriarty > > Alessandro Ghedini > > Filename : draft-ietf-tls-md5-sha1-deprecate-08.txt > > Pages : 6 > > Date : 2021-09-03 > > > > Abstract: > > The MD5 and SHA-1 hashing algorithms are increasingly vulnerable to > > attack and this document deprecates their use in TLS 1.2 digital > > signatures. However, this document does not deprecate SHA-1 in HMAC > > for record protection. This document updates RFC 5246. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/ > > > > There is also an htmlized version available at: > > > https://datatracker.ietf.org/doc/html/draft-ietf-tls-md5-sha1-deprecate-08 > > > Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest > > messages. > > > Clients MUST NOT include MD5 and SHA-1 in CertificateVerify messages. > > If a server receives a CertificateVerify message with MD5 or SHA-1 it > > MUST abort the connection with handshake_failure or > > insufficient_security alert. > > As written, this would make already existing implementations not RFC > compliant > when they are configured to not support SHA-1. > > RFC5246 requires the server to abort with illegal_parameter if the > CV included an algorithm that wasn't advertised in CR. > Ah, good catch. There's also some odd asymmetry here. Section 4 talks about a server being unable to *send* a ServerKeyExchange (and uses the correct alerts). It says nothing about the client *receiving* an invalid (by ClientHello) ServerKeyExchange which is, as in the case you describe, an illegal_parameter. Meanwhile, Section 5 talks about the server *receiving* an invalid (by CertificateRequest) CertificateVerify, and with the wrong alerts. It says nothing about the client being unable to *send* a CertificateVerify. I don't feel very strongly about whether we talk about sending, receiving, or both, for each of these messages. But we should be consistent and use the right alerts. (Or we could just talk about preferences and let the message behavior fall out of that.) David
- [TLS] I-D Action: draft-ietf-tls-md5-sha1-depreca… internet-drafts
- [TLS] Fwd: I-D Action: draft-ietf-tls-md5-sha1-de… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-dep… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-dep… David Benjamin
- Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-dep… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-dep… David Benjamin
- Re: [TLS] I-D Action: draft-ietf-tls-md5-sha1-dep… Sean Turner