Re: [TLS] Kathleen Moriarty's Yes on draft-ietf-tls-rfc4492bis-15: (with COMMENT)

Yoav Nir <ynir.ietf@gmail.com> Tue, 14 March 2017 21:26 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D58DC13155F; Tue, 14 Mar 2017 14:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHGdIwYneBiL; Tue, 14 Mar 2017 14:26:29 -0700 (PDT)
Received: from mail-wm0-x243.google.com (mail-wm0-x243.google.com [IPv6:2a00:1450:400c:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F419C129AE8; Tue, 14 Mar 2017 14:26:28 -0700 (PDT)
Received: by mail-wm0-x243.google.com with SMTP id v190so1829059wme.3; Tue, 14 Mar 2017 14:26:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=BG7SkCdJ+2E0OPCgar7Puc/rCJIXdVJzdTAVkRmcwV8=; b=LHausIWZlKBhJmFfGNB/61iiAY51oSmdk9MRAEUA3Db96zIru5IW4nNm/WCevXfm47 V11IH7kKsNVqm15TBdeIv52ufU16PK/YrgKOs/VUPzU50qXkqQMSLmQ9ZsBIT1a/cqQO ic5iADW6OAp5z/RbrjzHhf1poIJtnqlxYy9eXaUqSzc+NwdoGHRMS1gjCdpFOUDKiYjQ QdRQmJbYH/cXjdbWbp/9rXalR8pKXXQ+KJBKdxSZxfGjzDkciZ/uZSWJYSD5gAYfAVIG ddDUUolSqYY8+4T76WtcI1YEJheKcUcnrARTKwQOB8NKvdDwmwjD85gO7Hc7zv5xyn16 oxyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=BG7SkCdJ+2E0OPCgar7Puc/rCJIXdVJzdTAVkRmcwV8=; b=nX1eqLQSQ4E4M4hZZ+vDiAMjp6AXXkdJYSUukd6LhyjKk4s4UOlcWSMNiMNA8X0uNr +3u29i0jBCcp6NuIJT3PAF/F9B2QVfOkkQaAypciCHrlzbjQVa61JKhc5zq8NsIXSsnF Lt3qXTRH4YSbYLEOhopqJqgEW7UHuGrJPndGsQua4p15tnrsD8cxizqVtmVRruwnZRLv SZiFL7H6omrbeKLjQ1HC94y/nbo0GUuj97uT2BMJjVICJ1DylNXRjOt0fTXBYfhDxeYX mMna4p6jlU3w/zBdYDKPkeRGDjPBeLJNQabph9ZeULCRr/dmScjwx3pnrMzbd85/Cny1 fRSQ==
X-Gm-Message-State: AFeK/H0BgD5UtJNpAB8LUHqa3Z/cCdFc/RoaYyPOuNbyqWaX7vSetRAwIyIcy2I4hIwrJg==
X-Received: by 10.28.47.7 with SMTP id v7mr16005099wmv.138.1489526787519; Tue, 14 Mar 2017 14:26:27 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id u11sm30731463wrb.45.2017.03.14.14.26.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Mar 2017 14:26:26 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <26D48307-948B-4CBE-AD4A-7C53D70BF8F0@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_E98C0D0A-A031-452B-9D40-333830EEC8F8"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 14 Mar 2017 23:26:23 +0200
In-Reply-To: <148952402426.24274.4020884632180640309.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-rfc4492bis@ietf.org, Sean Turner <sean@sn3rd.com>, tls-chairs@ietf.org, tls@ietf.org
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <148952402426.24274.4020884632180640309.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Rc0rWdZH4u7kreaJF5GQ0yK3NTw>
Subject: Re: [TLS] Kathleen Moriarty's Yes on draft-ietf-tls-rfc4492bis-15: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 21:26:31 -0000

Hi, Kathleen.  See inline.

> On 14 Mar 2017, at 22:40, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-tls-rfc4492bis-15: Yes
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-rfc4492bis/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for your work on this draft.  I just have one question:
> 
> In section 5.10, I see the following text:
>   The default hash function is SHA-1 [FIPS.180-2], and sha_size (see
>   Section 5.4 and Section 5.8) is 20.  However, an alternative hash
>   function, such as one of the new SHA hash functions specified in
> FIPS
>   180-2 [FIPS.180-2], SHOULD be used instead.

If we add the three lines before the ones you quoted, they say this:
   All ECDSA computations MUST be performed according to ANSI X9.62 or
   its successors.  Data to be signed/verified is hashed, and the result
   run directly through the ECDSA algorithm with no additional hashing.

The default of using SHA-1 is from X9.62: https://www.security-audit.com/files/x9-62-09-20-98.pdf <https://www.security-audit.com/files/x9-62-09-20-98.pdf>
That is the document that was referenced by RFC 4492 and it’s from 1998. It doesn’t mention any hash function other than SHA-1.

RFC 4492 said that other hash functions may be used. We’ve upgraded it to a SHOULD.

> 
> Why are you setting the default to SHA-1 and then recommending that
> something else should be used?  Why not just start with a different SHA
> hash function as the default or at least for TLS 1.2?  I do see the prior
> text about TLS 1.0 and 1.1 using MD5 and SHA-1, but most have recommended
> to go right to TLS 1.2 with the SSLv3 deprecation.  As such, I'm not
> clear on why the SHA-1 default.
> 
>