Re: [TLS] Kathleen Moriarty's Yes on draft-ietf-tls-rfc4492bis-15: (with COMMENT)

Yoav Nir <ynir.ietf@gmail.com> Tue, 14 March 2017 22:05 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB0DC129BA1; Tue, 14 Mar 2017 15:05:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYwvM216UF8u; Tue, 14 Mar 2017 15:05:32 -0700 (PDT)
Received: from mail-wm0-x243.google.com (mail-wm0-x243.google.com [IPv6:2a00:1450:400c:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9C1B1300E8; Tue, 14 Mar 2017 15:05:31 -0700 (PDT)
Received: by mail-wm0-x243.google.com with SMTP id z63so1962319wmg.2; Tue, 14 Mar 2017 15:05:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=YZVNnT1Hq3L5yAvXcy4mRw0zwU3HqNxK0Q/lMhnNK4k=; b=VDIDaFLLrzonlemn6rlQCDIqsAYuks+/8bzuCPUTp7xSTyxfa8ilAIGLJAsAAiN9hy F/X2IRbxlYgh/CMaJfgkU6sMRVkDeBkXm7CqoPTdIL+dzVf6s2svKhbSsOfQtJ23FIoq v4sBjHvp7NfxUnop1IV6zl+vrkIH0oOaXfDu3cNn2iHnFcr8xos17CCpSVvj6tl7l0ei Kyh8AWLNwQ7b8Uds34OxOc5cV2IJ9SBzraGI8rFXR18d8i5r+qaKmLpSXzpbJdlP868z F7G72Z7EwKhSE/x0Wq8JfYVmXPy96fy0j9jDF1sspAlEbUgLauvgfZJC/14EIwawF+JO YZmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=YZVNnT1Hq3L5yAvXcy4mRw0zwU3HqNxK0Q/lMhnNK4k=; b=bsqRbmZxttu4FMczyYKyqHov1aBW5QVvXHqcCghc7pY5EE+pfjlCzNG2xhsfbJ8m1T YJJL6dyaONRkA3qf8zbeMQYh0HXZwy3zMpJDzFRS2uRGwvxR4cKfrTKleZmEZZQxkFRU QE6BKZIJAeL778CMlhcZ/1XMdIsVTDVdAKf8MyOI2d04kpM5BO0l9507hcBRv7geShNs dslSk6G+l8/jvXq1pqfVqcFByipKuxWacBUktQxQvECboN4qLe4BP0HMOCxSOY6/5NRr D7jm4BxjhCVED0hWgpGfye5KfMdD/fc2ZMtdKpZWptnGMoccaBdzfrwiZosghrX1A8vv g0oQ==
X-Gm-Message-State: AFeK/H3FhmzKtvhUgUTqVC0FaibvBHEkusmG/3T0MwafrXhVte2KHXk7EwGe1+bJL42JpQ==
X-Received: by 10.28.152.212 with SMTP id a203mr1600425wme.36.1489529130480; Tue, 14 Mar 2017 15:05:30 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id k43sm30685060wrk.42.2017.03.14.15.05.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Mar 2017 15:05:29 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <897DE78D-E918-415C-8716-9C0EA637274F@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_1D62CD8F-1DBC-4FA1-9063-009EE56330F2"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 15 Mar 2017 00:05:26 +0200
In-Reply-To: <CABkgnnVtDZdv1qnVARFc3Pj5dCVEqfhr0R9nUvNAvjEBbM=Eeg@mail.gmail.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "tls@ietf.org" <tls@ietf.org>, tls-chairs <tls-chairs@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-tls-rfc4492bis@ietf.org
To: Martin Thomson <martin.thomson@gmail.com>
References: <148952402426.24274.4020884632180640309.idtracker@ietfa.amsl.com> <26D48307-948B-4CBE-AD4A-7C53D70BF8F0@gmail.com> <CABkgnnVtDZdv1qnVARFc3Pj5dCVEqfhr0R9nUvNAvjEBbM=Eeg@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Qnxjz3o0-m2a6wDDPARzS1zVBeA>
Subject: Re: [TLS] Kathleen Moriarty's Yes on draft-ietf-tls-rfc4492bis-15: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 22:05:34 -0000

> On 14 Mar 2017, at 23:29, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 15 March 2017 at 08:26, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> That is the document that was referenced by RFC 4492 and it’s from 1998. It
>> doesn’t mention any hash function other than SHA-1.
>> 
>> RFC 4492 said that other hash functions may be used. We’ve upgraded it to a
>> SHOULD.
> 
> In light of recent developments, is there any reason we couldn't
> further upgrade this advice?

It might be better to rephrase the whole thing and eliminate the thing about a default. X9.62 has been revised in 2005. This newer version does mention the SHA-2 family in addition to SHA-1, so I don’t know it that is in any sense of the word still “the default”. I’d look it up, but as an ANSI standard, it’s behind a paywall.

We might just say:

OLD
   All ECDSA computations MUST be performed according to ANSI X9.62 or
   its successors.  Data to be signed/verified is hashed, and the result
   run directly through the ECDSA algorithm with no additional hashing.
   The default hash function is SHA-1 [FIPS.180-2 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#ref-FIPS.180-2>], and sha_size (see
   Section 5.4 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#section-5.4> and Section 5.8 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#section-5.8>) is 20.  However, an alternative hash
   function, such as one of the new SHA hash functions specified in FIPS
   180-2 [FIPS.180-2 <https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-15#ref-FIPS.180-2>], SHOULD be used instead.

NEW
   All ECDSA computations MUST be performed according to ANSI X9.62 or
   its successors.  Data to be signed/verified is hashed, and the result
   run directly through the ECDSA algorithm with no additional hashing.
   A secure hash function such as the SHA-256, SHA-384, and SHA-512
   [FIPS.180-4] MUST be used.