[TLS] Old signature schemes in CertificateRequest

"Martin Thomson" <mt@lowentropy.net> Mon, 03 June 2019 01:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RB-2NSGwFp4TT8ewm9GmbxvcR5U>

   RSASSA-PKCS1-v1_5 algorithms:  Indicates a signature algorithm using
      RSASSA-PKCS1-v1_5 [RFC8017] with the corresponding hash algorithm
      as defined in [SHS].  These values refer solely to signatures
      which appear in certificates (see Section 4.4.2.2) and are not
      defined for use in signed TLS handshake messages, although they
      MAY appear in "signature_algorithms" and
      "signature_algorithms_cert" for backward compatibility with
      TLS 1.2.

Similar things are said about those involving SHA-1 and other "legacy" schemes.

My reading is that this permits the inclusion of the related signature schemes in CertificateRequest messages.  These can't really be used in CertificateVerify, so there are some interesting corner cases to consider, like the case where only unusable schemes are listed.

I don't think that this rises to erratum level, but it's a bit of a problem.  Ideally, we'd fix this in a subsequent version by saying some more about CertificateRequest.  But then maybe this backward compatibility stuff will no longer be necessary when that time comes (he says optimistically/naively).

Is this right?  How do you think we should track this problem?
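
Added example, not part of the original message: a sketch of how a TLS 1.3 client could handle the corner case raised above, where a CertificateRequest lists only schemes that cannot be used in CertificateVerify. The function names, the sample byte strings and the "decline" policy are assumptions of this example; the code points are those of RFC 8446, Section 4.2.3.

```python
import struct

# SignatureScheme code points from RFC 8446, Section 4.2.3.
SCHEMES = {
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
}
# PKCS#1 v1.5 and SHA-1 schemes: valid for certificate signatures only,
# not for CertificateVerify in TLS 1.3.
CERT_ONLY = {0x0201, 0x0203, 0x0401, 0x0501, 0x0601}

# Constructed sample extension_data values (not captured traffic).
LEGACY_ONLY = bytes.fromhex("0004" "0401" "0201")
MIXED = bytes.fromhex("0006" "0401" "0804" "0403")


def parse_signature_algorithms(ext_data):
    """Parse SignatureScheme supported_signature_algorithms<2..2^16-2>."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms")
    (n,) = struct.unpack_from("!H", ext_data)
    body = ext_data[2:]
    if n != len(body) or n < 2 or n % 2:
        raise ValueError("malformed signature_algorithms vector")
    return list(struct.unpack("!%dH" % (n // 2), body))


def client_decision(ext_data, client_key_schemes):
    """Pick a CertificateVerify scheme, or decline client authentication.

    client_key_schemes: set of code points the client's key can sign with.
    Unknown code points (e.g. GREASE or private use) are ignored.
    """
    offered = parse_signature_algorithms(ext_data)
    usable = [s for s in offered if s in SCHEMES and s not in CERT_ONLY]
    for scheme in usable:  # keep the server's preference order
        if scheme in client_key_schemes:
            return ("sign", SCHEMES[scheme])
    if not usable and any(s in CERT_ONLY for s in offered):
        # The corner case: nothing listed can be used in CertificateVerify.
        return ("decline", "only legacy schemes offered")
    return ("decline", "no common scheme")
```
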