IETF Logo Mail Archive

Re: [TLS] TLS 1.2 hash agility

Eric Rescorla <ekr@networkresonance.com> Thu, 27 September 2007 16:13 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iavzw-00066M-Us; Thu, 27 Sep 2007 12:13:57 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iavzv-00066E-PV for tls@ietf.org; Thu, 27 Sep 2007 12:13:55 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Iavzv-0006SU-AY for tls@ietf.org; Thu, 27 Sep 2007 12:13:55 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 7CB8C33C28; Thu, 27 Sep 2007 09:10:05 -0700 (PDT)
Date: Thu, 27 Sep 2007 09:10:04 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] TLS 1.2 hash agility
In-Reply-To: <46FBC5A1.7020501@pobox.com>
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com> <20070914225606.9E9B433C21@delta.rtfm.com> <46EC2AE7.9040903@pobox.com> <20070917185820.6E7CC33C3A@delta.rtfm.com> <46FA745A.3070305@pobox.com> <20070926152907.8A60B33C23@delta.rtfm.com> <46FA91E8.5020303@pobox.com> <46FB4397.6040203@pobox.com> <46FBBBBE.7000108@pobox.com> <20070927143028.7EF4433C21@delta.rtfm.com> <46FBC5A1.7020501@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20070927161005.7CB8C33C28@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 02ec665d00de228c50c93ed6b5e4fc1a
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

At Thu, 27 Sep 2007 08:00:49 -0700,
Mike wrote:
> >> The only counter argument I could find is that the server's list
> >> of acceptable algorithms might be different in different places.
> > 
> > And yet, I mentioned several other reasons in my previous message:
> > 
> > - Locality of information.
> 
> For CertificateRequest, yes, but by putting it there, the client
> has to parse the Certificate to figure out if it is signed with
> an acceptable algorithm.  If the server's list of acceptable
> algorithms was passed in a ServerHello extension, the client
> would be able to determine if it should even bother.  (That is
> the benefit I referred to above.)

I'm sorry, I don't understand your point: the client tells
the server what algorithms it supports. A compliant server
MUST NOT send a certificate with a different algorithm,
but rather abort the connection. The client at this point
needs to assume that the server's certificate is OK and
parse it, yes. But if we're assuming that the server is
noncompliant, then you can't count on the indicator you're
talking about anyway.

You and I seem to be assuming different semantics here:
the design I propose is not a negotiation. The client says
"I will accept stuff signed with X" and the server does
likewise. The only restriction is that the signer use an
algorithm within the other side's set. These sets need
not intersect.


> > - It works even if the client does not offer the extension.
> 
> A client that does not offer the extension doesn't support any
> advanced algorithms.  If it did, why wouldn't it tell the server?

It might have a certificate signed with a better algorithm but that
it can't itself verify. It might simply be configured to prefer
a certain set of algorithms. Remember that the signature over
the client's certificate and CertificateVerify is for the 
client's benefit, not the servers, and vice versa, so just 
because you only trust algorithm X doesn't mean you can't
generate algorithm Y.

> >> Even if so, the client can benefit from knowing the server's
> >> certificate signature algorithms up front, so having the server
> >> respond with the extension is useful.
> > 
> > I don't see any significant value in this.
> 
> In the end, it is your specification, so all I can do is present
> my point of view....

This is a WG document, so it's actually the WG's position that
matters. But given that you and I are the people who have
expressed opinions...

-Ekr


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.35.0 | Report a Bug | By Email | System Status