Re: [TLS] Iotdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

Daniel Migault <mglt.ietf@gmail.com> Wed, 05 May 2021 03:17 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F2D3A215C; Tue, 4 May 2021 20:17:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c_eG3Q6XaILx; Tue, 4 May 2021 20:17:35 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C08DC3A215A; Tue, 4 May 2021 20:17:34 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id 1so244461qtb.0; Tue, 04 May 2021 20:17:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0OJrttesSxrrA1bW9r66PpWmxdLEstT/CrvJ1sjcIJE=; b=KPw6z1Mm9hmoxjGatoyANF3xFUqhYA8wYHs5C9modFw6eoIKuVbngFNCl2O4wEgsXG mLK1/fq+3ETps3DmDmPLHHoP/7AzT/tvwtXjAS0anE7WMLVgnh5dNy3Zz1z1JuE3Mx9y k8nB2i/TKM8iXuv3xzFehw/x8ZuD2dqnllwMJ1EO/cq3BS+PYcTgmzQR706b68JRtzlu Uku4aOY1TjKoRTW2asY6g1wu654SFDyXoE8eCfa0sWrBhNnya5AFUlsSOyRwhVMSzssq T92mmEtU5FeS2y/nDic95zuoUvZJ3pxclCJ92Emt988PX1JlLxl9BIREmqYJZPYb0otZ hrwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0OJrttesSxrrA1bW9r66PpWmxdLEstT/CrvJ1sjcIJE=; b=MdWed6cu2sLAkQzJF/KOAHpb+QJ9ncRToiSBdCfIJvpIgP+Bj5tDjhL4Y6/PQb5nUt VZ4cAnvfGcrIib/YogCCw4DH8p1idQR3CirlSMTnIVmykggs1aGAuYGkZqoNF/vAMW/Y Om1vfH4PKVoNYAcRx82rLLnxm1GMIalsn23H42Gjn2EsivVXhYTnmDTmGADHOUBOVDMa I8N4nU7mvROWfYCaCMlkDsatMq3e1F1J3dGozgRY+Dvtgq4j9gSW/445s774Y51qj/Al JXPrwice8Gv2v2hOku3NtiB+cBozql1qRbyIPyeSkXYNQf/e043mdd1rkw16ydPUJjwF d5UQ==
X-Gm-Message-State: AOAM5305yhmu7INxvEjXMjW6zbuSJ8qJQWzPRpfKuLxMTR6f38tnwLg9 0kt2BvlIKOAlQ5OxAVzCYm7LHNNaNnU1S4nJQ9Y=
X-Google-Smtp-Source: ABdhPJy3XbJHuadyOb5SMzktgsHUpfVb5miwjqbTXMy+qOzHu65NxDgAaTiH20BD1+M+bDHFuJf2elOV+YWKjoRrvw8=
X-Received: by 2002:ac8:7757:: with SMTP id g23mr14047360qtu.46.1620184652533; Tue, 04 May 2021 20:17:32 -0700 (PDT)
MIME-Version: 1.0
References: <160380837029.27888.4435196327617929302@ietfa.amsl.com> <9EA8797E-2487-4465-9608-6CCB6E565BEE@sn3rd.com> <CADZyTk=_WSrc+UfKmZ6b=HzmfEvitu1p6Q9N7GvkHUn3619dnw@mail.gmail.com> <CAOp4FwRyd7tAcbQJR3Td_N=SgdUionwvbXfva2_tnvXcvHWkvA@mail.gmail.com> <CADZyTknQhh=yNf2isOutZa1XKoHtk6dOvE6hgXni8JowsJm=eQ@mail.gmail.com> <C93021E9-3F50-4448-8659-EE6688C3A9E0@sn3rd.com> <C9D655C0-BD5E-4E52-BFF4-BD88D281B34B@sn3rd.com>
In-Reply-To: <C9D655C0-BD5E-4E52-BFF4-BD88D281B34B@sn3rd.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 4 May 2021 23:17:21 -0400
Message-ID: <CADZyTknWs-kNp4EO39souKQwHsT=EAWOQ_E5Z4J77KFgudhhhg@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: Loganaden Velvindron <loganaden@gmail.com>, TLS List <tls@ietf.org>, iot-directorate@ietf.org, draft-ietf-tls-md5-sha1-deprecate.all@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="000000000000af53f505c18ca2bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Uf_1u_nfcW09Av4hAYluAL7HrNc>
Subject: Re: [TLS] Iotdir last call review of draft-ietf-tls-md5-sha1-deprecate-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2021 03:17:42 -0000

Hi,

Thanks for the update and the followup. To me the only remaining point I am
not sure has been fully addressed is the clarification of 5246, but
otherwise we agree on the content to be written. Please find my comments
inline.

Yours,
Daniel

On Tue, May 4, 2021 at 1:23 PM Sean Turner <sean@sn3rd.com> wrote:

> Daniel,
>
> Thanks for your (and the WG’s) patience on this. Responses in line.
>
> spt
>
> > On Apr 9, 2021, at 14:54, Sean Turner <sean@sn3rd.com> wrote:
> >> On Jan 22, 2021, at 08:23, Daniel Migault <mglt.ietf@gmail.com> wrote:
> >> On Fri, Jan 22, 2021 at 12:13 AM Loganaden Velvindron <
> loganaden@gmail.com> wrote:
> >> On Fri, Jan 22, 2021 at 7:30 AM Daniel Migault <mglt.ietf@gmail.com>
> wrote:
> >> > On Tue, Oct 27, 2020 at 11:34 PM Sean Turner <sean@sn3rd.com> wrote:
> >> >>
> >> >>
> >> >> Please note the comment about Section 3 suggests changing server
> behavior from SHOULD NOT to a MUST NOT.
> >> >>
> >> >> > On Oct 27, 2020, at 10:19, Daniel Migault via Datatracker <
> noreply@ietf.org> wrote:
> >> >> >
> >> >> > Reviewer: Daniel Migault
> >> >> > Review result: Ready with Nits
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> >
> >> >> > I reviewed this document as part of the IoT Directorate's ongoing
> effort to
> >> >> > review all IETF documents being processed by the IESG.  These
> comments were
> >> >> > written primarily for the benefit of the Security Area Directors.
> Document
> >> >> > authors, document editors, and WG chairs should treat these
> comments just like
> >> >> > any other IETF Last Call comments.
> >> >> >
> >> >> > Review Results: Ready with Nits
> >> >> >
> >> >> > Please find my comments below.
> >> >> >
> >> >> > Yours,
> >> >> > Daniel
> >> >> >
> >> >> >
> >> >> >         Deprecating MD5 and SHA-1 signature hashes in TLS 1.2
> >> >> >                  draft-ietf-tls-md5-sha1-deprecate-04
> >> >> > [...]
> >> >> >
> >> >> > 1.  Introduction
> >> >> >
> >> >> >   The usage of MD5 and SHA-1 for signature hashing in TLS 1.2 is
> >> >> >   specified in [RFC5246].  MD5 and SHA-1 have been proven to be
> >> >> >   insecure, subject to collision attacks [Wang].  In 2011,
> [RFC6151]
> >> >> >   detailed the security considerations, including collision
> attacks for
> >> >> >   MD5.  NIST formally deprecated use of SHA-1 in 2011
> >> >> >   [NISTSP800-131A-R2] and disallowed its use for digital
> signatures at
> >> >> >   the end of 2013, based on both the Wang, et. al, attack and the
> >> >> >   potential for brute-force attack.  In 2016, researchers from
> INRIA
> >> >> >   identified a new class of transcript collision attacks on TLS
> (and
> >> >> >   other protocols) that rely on efficient collision-finding
> algorithms
> >> >> >   on the underlying hash constructions [Transcript-Collision].
> >> >> >   Further, in 2017, researchers from Google and CWI Amsterdam
> >> >> >   [SHA-1-Collision] proved SHA-1 collision attacks were practical.
> >> >> >   This document updates [RFC5246] and [RFC7525] in such a way that
> MD5
> >> >> >   and SHA-1 MUST NOT be used for digital signatures.  However, this
> >> >> >   document does not deprecate SHA-1 in HMAC for record protection.
> >> >> >
> >> >> > <mglt>
> >> >> > RFC6194 may be mentioned as a reference for
> >> >> > not deprecating HMAC-SHA-1 as well as an
> >> >> > additional reference to [NISTSP800-131A-R2].
> >> >>
> >> >> Are asking for something like this:
> >> >>
> >> >> OLD:
> >> >>
> >> >>   In 2011, [RFC6151] detailed the security considerations,
> >> >>   including collision attacks for MD5.
> >> >>
> >> >> NEW:
> >> >>
> >> >>   In 2011, [RFC6151] [RFC6194] detailed the security considerations,
> >> >>   including collision attacks for MD5 and SHA-1, respectively.
> >> >>
> >> >> > Reading the text the situation of HMAC with
> >> >> > MD5 is unclear. Since we specify that SHA-1
> >> >> > is not deprecated for HMAC we may specify
> >> >> > the status for HMAC with MD5. Given RFC6151 I
> >> >> > hope the reason is that MD5 and HMAC-MD5 has
> >> >> > already been deprecated but I have not found
> >> >> > this. Maybe that would worth mentioning it
> >> >> > is deprecated already.
> >> >> >
> >> >> > </mglt>
> >> >>
> >> >> Are you asking for something like this:
> >> >>
> >> >> OLD:
> >> >>
> >> >>   However, this document does not deprecate SHA-1 in HMAC
> >> >>   for record protection.
> >> >>
> >> >>   However, this  document does not deprecate MD-5 or SHA-1 HMAC
> >> >>   for record protection.
> >> >
> >> > <mglt>
> >> > maybe we could add these are still considered as secured at the time
> of writing.  It is also tempting to add that given we deprecate sha1 and
> md5 in the signature, it is tempting to suggest to use unless necessary
> hmac-sha256.  I have commented the PR12
> >> > </mglt>
>
> <spt>
>
> I think we address or will address this one in this to-be updated PR:
> https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/12/files
>
> In fact, I plan to submit updates to the PR for all of the changes so we
> can look at them in one place.
>
> <spt>
>
> >> >> <
> >> >> > [...]
> >> >> >
> >> >> > 2.  Signature Algorithms
> >> >> >
> >> >> >   Clients MUST NOT include MD5 and SHA-1 in the
> signature_algorithms
> >> >> >   extension.  If a client does not send a signature_algorithms
> >> >> >   extension, then the server MUST abort the handshake and send a
> >> >> >   handshake_failure alert, except when digital signatures are not
> used
> >> >> >   (for example, when using PSK ciphers).
> >> >> >
> >> >> > <mglt>
> >> >> > It seems to me that the server behavior might
> >> >> > be defined as well. In our case this could be
> >> >> > something around the lines the server MUST
> >> >> > ignore MD5 and SHA1 values in the signature
> >> >> > algorithm extension.
> >> >> >
> >> >> > </mglt>
> >> >>
> >> >> I guess that would be the way to absolutely stamp them out, but
> don’t we get the same result because the client is not sending the values
> in the signaure_algorithms extension?
> >> >>
> >> > <mglt>
> >> > The reason I would maybe have preferred to have indications for the
> client and the server is that it is always easier for a server to say that
> it is following the specs than to indicate that the client is not.
> >> > This is correct the result is similar, but client usually complement
> servers and we usually specify both. I believe that would be better to be
> updated.
> >> > </mglt>
>
> <spt>
>
> So … personally, I tend to agree with you. However, we (the royal we) get
> what we want by deprecating it on the client side so to maintain the rough
> consensus we currently have I am proposing that we leave the server
> indications out.
>
> <spt>
>
<mglt>
works for me.
</mglt>

>
> >> >> > 3.  Certificate Request
> >> >> >
> >> >> >   Servers SHOULD NOT include MD5 and SHA-1 in CertificateRequest
> >> >> >   messages.
> >> >> >
> >> >> > <mglt>
> >> >> > It seems to me that the same level of
> >> >> > authentication should be provided for both
> >> >> > peers and that server MUST NOT  include MD5
> >> >> > or SHA-1.
> >> >> >
> >> >> > A SHOULD NOT status might be welcome for a
> >> >> > smooth transition. At that time, collision
> >> >> > for MD5 and SHA1 are known for years. It is likely
> >> >> > that software that still need MD5 or SHA1 are
> >> >> > likely to never upgrade, so I doubt a smooth
> >> >> > path worth being taken.
> >> >> > </mglt>
> >> >>
> >> >> This has been a SHOULD NOT since it was a first published as an
> individual draft and through the WGLC. I would not feel comfortable
> changing it now without further discussion.
> >> >>
> >> >> I tend to think it is okay to leave as SHOULD NOT because the server
> MUST use values from the now ever present signature_algorithms extension
> and MD5 and SHA1 are not going to be there. If the server is going to go
> nuts and include MD5 and SHA-1 in the CertifiateRequest even though it’s
> not been asked, well, you got bigger problems.
> >> >>
> >> > <mglt>
> >> > Let's say that there are some softwares using SHA-1 / MD5 that will
> be upgraded. I would have probably incline to put MUST NOT... but SHOULD
> NOT carries the message, and I do not believe that is worth further
> discussion.
> >> > </mglt>
>
> <spt>
>
> Again, I tend to agree with you on the MUST NOT, but also agree SHOULD NOT
> gets it done. In light of that, we should no change here.
>
> <spt>
>
> <mglt>
This is fine to me as well.
</mglt>

> >> >> > 4.  Server Key Exchange
> >> >> >
> >> >> >   Servers MUST NOT include MD5 and SHA-1 in ServerKeyExchange
> messages.
> >> >> >   If a client receives a MD5 or SHA-1 signature in a
> ServerKeyExchange
> >> >> >   message it MUST abort the connection with the illegal_parameter
> >> >> >   alert.
> >> >> >
> >> >> > <mglt>
> >> >> > As per section 2, the client has clearly
> >> >> > indicated it does not support signature with
> >> >> > MD5/SHA1, so Server Key Exchange should not
> >> >> > end up with signature with SHA1/MD5.
> >> >> >
> >> >> > """
> >> >> > If the client has offered the "signature_algorithms" extension, the
> >> >> >   signature algorithm and hash algorithm MUST be a pair listed in
> that
> >> >> >   extension.
> >> >> > """
> >> >> >
> >> >> > It also seems to me that the constraint of
> >> >> > including a MD5 and SHA-1 signature is
> >> >> > related to the Certificate. I suspect that
> >> >> > some clarification are needed here.
> >> >>
> >> >> It’s about the digitally-signed struct for the dhe_dss and dhe_rsa
> cases in ServerKeyExchange.
> >> >
> >> > <mglt>
> >> > sure. My point here was that Certificate MUST be signed by the
> signature, hash provided by the extension. This mandates the CAs deprecates
> SHA1 as well, and I am unclear if that is a correct assumption. I think
> this could be addressed in a section or note related to Certificate.
> >> > </mglt>
> >> >>
> >>
> >> Daniel, do you mean this ?
> >>
> >> https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/
> >>
> >> <mglt>
> >> I think this is a usefull reference to show no problems are expected
> from certificate validation. Thanks.
> >> </mglt>
> >>
> >> >>
> >> >> > Since the case where the extension becomes
> >> >> > mandatory, the quoted text above of RFC 5246
> >> >> > might be updated as well, though this does
> >> >> > not appear that necessary.
> >> >>
> >> >> So we might do it, but the question is whether implementers are
> going to be confused if we don’t update it.  I tend to think that the
> changes in s2 are clear that the extension will be present (except when
> sigs are not used) if the handshake is to complete.
> >> >>
> >> >> > </mglt>
> >> >>
> >> >> Not sure anything needs to be changed in this section based on the
> above.
> >> >>
> >> > <mglt>
> >> > I see your point and agree.
> >> > </mglt>
>
> <spt>
>
> We landed on adding a reference to the CAB Forum SHA1 sunset statement. I
> think we can do that in the introduction:
>
> Note that the CABF has also deprecated use of SHA-1 [CABF].
>
> Informative reference:
> [CABF] https://cabforum.org/2014/10/16/ballot-118-sha-1-sunset/
>
> I also looked for a similar statement for md5, but md5 was deprecated in
> the initial version of their baseline requirements, i.e., there is no
> statement because it was never allowed. In other words, there’s no
> statement to reference for MD5, but that should be okay.
>
> <spt>
>
> <mglt>
works for me.
</mglt>

> >> >> > 5.  Certificate Verify
> >> >> >
> >> >> >   Clients MUST NOT include MD5 and SHA-1 in CertificateVerify
> messages.
> >> >> >   If a server receives a CertificateVerify message with MD5 or
> SHA-1 it
> >> >> >   MUST abort the connection with handshake_failure or
> >> >> >   insufficient_security alert.
> >> >> >
> >> >> >
> >> >> > <mglt>
> >> >> >
> >> >> > 6. Certificate
> >> >> >
> >> >> > Unless I am missing something, it seems to me
> >> >> > that signature may also be found in the
> >> >> > Certificate messages for the chain as well in
> >> >> > the restriction of the signature algorithm.
> >> >> > The end certificate is associated to the peer
> >> >> > while other certificate are related to a CA.
> >> >> >
> >> >> > It seems that client and server behavior may
> >> >> > be specified. The quoted text below may be
> >> >> > helpful to clarify.
> >> >> >
> >> >> > """
> >> >> > If the client provided a "signature_algorithms" extension, then all
> >> >> >   certificates provided by the server MUST be signed by a
> >> >> >   hash/signature algorithm pair that appears in that extension.
> >> >> > """
> >> >> >
> >> >> > </mglt>
> >> >>
> >> >> Are you suggesting that a new section be added to address the
> Certificate message?
> >> >
> >> >
> >> > <mglt>
> >> > yes. I have the impression that since SHA1/MD5 MUST NOT be mentioned
> in the "signature_algorithms", this assumes that CAs do not sign using
> these algorithms. I tend to believe that worth being mentioned. As
> mentioned before, I think that could be mentioned in the draft.
> >> > </mglt>
>
> <spt>
>
> I think I get your point that we could tell the CAs: hey don’t issue these
> types of certs. But, TLS usually stays out of the PKI game ass best as
> possible and as we’ve noted the CAB Forum has basically said that for us.
>
> <spt>
>
> <mglt>
I agree the ref to the CAB do carry the message.
</mglt>

> >> >> > 6.  Updates to RFC5246
> >> >> >
> >> >> >   [RFC5246], The Transport Layer Security (TLS) Protocol Version
> 1.2,
> >> >> >   suggests that implementations can assume support for MD5 and
> SHA-1 by
> >> >> >   their peer.  This update changes the suggestion to assume
> support for
> >> >> >   SHA-256 instead, due to MD5 and SHA-1 being deprecated.
> >> >> >
> >> >> >   In Section 7.4.1.4.1: the text should be revised from:
> >> >> >
> >> >> >   OLD:
> >> >> >
> >> >> >   "Note: this is a change from TLS 1.1 where there are no explicit
> >> >> >   rules, but as a practical matter one can assume that the peer
> >> >> >   supports MD5 and SHA- 1."
> >> >> >
> >> >> >   NEW:
> >> >> >
> >> >> >   "Note: This is a change from TLS 1.1 where there are no explicit
> >> >> >   rules, but as a practical matter one can assume that the peer
> >> >> >   supports SHA-256."
> >> >> >
> >> >> >
> >> >> > <mglt>
> >> >> > I am reading the Note as an explanation on
> >> >> > why sha was taken as the default hash
> >> >> > function with the following rules.
> >> >> >
> >> >> > """
> >> >> > If the client does not send the signature_algorithms extension, the
> >> >> >   server MUST do the following:
> >> >> >
> >> >> >   -  If the negotiated key exchange algorithm is one of (RSA,
> DHE_RSA,
> >> >> >      DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
> >> >> >      sent the value {sha1,rsa}.
> >> >> >
> >> >> >   -  If the negotiated key exchange algorithm is one of (DHE_DSS,
> >> >> >      DH_DSS), behave as if the client had sent the value
> {sha1,dsa}.
> >> >> >
> >> >> >   -  If the negotiated key exchange algorithm is one of
> (ECDH_ECDSA,
> >> >> >      ECDHE_ECDSA), behave as if the client had sent value
> {sha1,ecdsa}.
> >> >> > """
> >> >> >
> >> >> > The current document does not update the
> >> >> > default hash function from sha to sha256 to
> >> >> > avoid interoperability issue where one peer
> >> >> > takes sha while the other one takes sha-256.
> >> >>
> >> >> You are right that this section, which is updating TLS1.2 [RFC5246],
> is not changing the default to SHA-256, but the recommendations for
> configuring TLS 1.2, which are provided in RFC 7525/BCP 195, is being
> updated to recommend SHA-256 in the very next section.
> >> >>
> >> > <mglt>
> >> > Updating the update works. It believe that saying a section should be
> remove is not too hard, and it seems to me that mentioning the default
> behaviour is important. I would say that could get implementers confused to
> implement part of the specifications that do not hold any more. I would
> prefer to have this being addressed.
> >> >
> >> > I am reading RFC7525 as recommending a non default parameter while
> this document removed the support of default parameters. So to me the
> updating the status of the default parameters seems more updating the 5246
> then 7525.
> >> > </mglt>
> >> >
> >> >> > As a results, these rules and the "Note" may
> >> >> > eventually all together be replaced by your
> >> >> > text of section 2.
> >> >> >
> >> >> > The following text may also be removed:
> >> >> >
> >> >> > """
> >> >> > If the client supports only the default hash and signature
> algorithms
> >> >> >   (listed in this section), it MAY omit the signature_algorithms
> >> >> >   extension.
> >> >> > """
> >> >>
> >> >> So we might do it, but the question is whether implementers are
> going to be confused if we don’t do it. I think because s1 already says
> that client MUST send a signature_algorithms extension that we don’t have
> to indicate that that particular sentence be dropped/removed from the
> draft. I will admit this document mixes the two ways to do a bis document,
> i.e., old/new and describing blanket changes, but I think the intent is
> pretty clear based on the brevity of the draft.
> >> >>
> >> >
> >> > <mglt>
> >> > I agree we may be able to find all the dots. I think this provides
> more insight to clarify the reading of 5246. I agree the intend is clearly
> stated in the title and section 2 addresses most of it and I believe that
> some flexibility is permitted, but that is unclear to me where to put the
> bar. I still believe that could be easily be addressed.
> >> > </mglt>
> >> >
>
<mglt>
I think I have lost a bit where we are, but I tend to agree that
clarification of 5246 would be clearer here. That is mentioning the text
that needs to be removed / changed.
</mglt>


> >> >>
> >> >> > Regarding the Note, it seems to be that the
> >> >> > removal of support for MD5/SHA1 will result
> >> >> > in interoperability issues. At this point,
> >> >> > the issue is due to the obsolescence of the
> >> >> > implementation as deprecation of SHA1/Md5 has
> >> >> > started a long time ago.
> >> >> >
> >> >> > It is unclear to me how normative is
> >> >> > interpreted "can assume". Was the support of
> >> >> > MD5/SHA1 a SHOULD or a MUST? In both case, if
> >> >> > we were willing to maintain interoperability
> >> >> > between software that only implemented
> >> >> > MD5/SHA1, we should take a slower path and
> >> >> > introducing SHA-256 and having were MD5/SHA1
> >> >> > kept for interoperability purpose before
> >> >> > being deprecated. I do not think we should
> >> >> > take that path as implementations that
> >> >> > currently do not support SHA-256 are unlikely
> >> >> > to be updated and that deprecation of
> >> >> > SHA1/MD5 has started a long time ago.
> >> >> >
> >> >> > I would however mention the issue of
> >> >> > interoperability in the  section but not in
> >> >> > the text to update. In the text to update I
> >> >> > would maybe suggest that the support of
> >> >> > SHA-256 comes with a normative MUST
> >> >> > statement.
> >> >> >
> >> >> >
> >> >> > </mglt>
> >> >>
> >> >> I think we can accomplish migrating to SHA-256 by updating RFC
> 7525/BCP 195.
> >> >
> >> >
> >> > <mglt>
> >> > yes, but the current update only RECOMMENDs RFC7525.
> >> > </mglt>
>
> <spt>
>
> I think we are in agreement that by updating RFC 7525, which this I-D
> does, then we are recommending clients move to SHA-256. Also, RFC 7525 is a
> BCP so it’s a wee-bit more.
>
> <spt>
>
> >> >> > Velvindron, et al.       Expires April 12, 2021
>  [Page 3]
> >> >> >
> >> >> > Internet-Draft      draft-ietf-tls-md5-sha1-deprecate
>  October 2020
> >> >> >
> >> >> >
> >> >> > 7.  Updates to RFC7525
> >> >> >
> >> >> >   [RFC7525], Recommendations for Secure Use of Transport Layer
> Security
> >> >> >   (TLS) and Datagram Transport Layer Security (DTLS) recommends
> use of
> >> >> >   SHA-256 as a minimum requirement.  This update moves the minimum
> >> >> >   recommendation to use stronger language deprecating use of both
> SHA-1
> >> >> >   and MD5.  The prior text did not explicitly include MD5 or
> SHA-1; and
> >> >> >   this text adds guidance to ensure that these algorithms have been
> >> >> >   deprecated..
> >> >> >
> >> >> >   Section 4.3:
> >> >> >
> >> >> >   OLD:
> >> >> >
> >> >> >   When using RSA, servers SHOULD authenticate using certificates
> with
> >> >> >   at least a 2048-bit modulus for the public key.  In addition,
> the use
> >> >> >   of the SHA-256 hash algorithm is RECOMMENDED (see [CAB-Baseline]
> for
> >> >> >   more details).  Clients SHOULD indicate to servers that they
> request
> >> >> >   SHA-256, by using the "Signature Algorithms" extension defined
> in TLS
> >> >> >   1.2.
> >> >> >
> >> >> >   NEW:
> >> >> >
> >> >> >   Servers SHOULD authenticate using certificates with at least a
> >> >> >   2048-bit modulus for the public key.
> >> >> >
> >> >> >   In addition, the use of the SHA-256 hash algorithm is
> RECOMMENDED;
> >> >> >   and SHA-1 or MD5 MUST NOT be used (see [CAB-Baseline] for more
> >> >> >   details).  Clients MUST indicate to servers that they request
> SHA-
> >> >> >   256, by using the "Signature Algorithms" extension defined in TLS
> >> >> >   1.2.
> >> >> >
> >> >> > <mglt>
> >> >> > I understand the reason we do specify that
> >> >> > hash algorithms that MUST NOT been used. This
> >> >> > is fine in the context of this document, but
> >> >> > it seems to me that if we were writing the
> >> >> > updated specification we may have rather
> >> >> > mentioned a minimum level of security hash
> >> >> > function needs to be met - in our case
> >> >> > SHA-256. I leave the co-authors make the
> >> >> > appropriated choice.
> >> >> >
> >> >> > </mglt>
> >> >>
> >> >> Can you clarify what you would like changed? I am just confused
> because SHA-256 is RECOMMENDED in the proposed new text.
> >> >>
> >> > <mglt>
> >> > I suppose I proposed to move RECOMMENDED to MUST to accomplish the
> transition as I do not see RECOMMENDED sufficient to guarantee
> interoperability. At that point, I am inclined to say the MUST status is
> achieve as there are quite few hash functions deployed and available and
> that the life time of TLS 1.2 is expected to be limited. This could be made
> RECOMMENDED acceptable, but MUST would be preferred if possible. Is there
> anything I am missing or any reason to favour RECOMMENDED over MUST ?
> >> > </mglt>
>
> <spt>
>
> As noted earlier, RECOMMENDED gets us what we want and keeps the rough
> consensus so I would like to propose no change.
>
> I see that -06 made this change, and it needs to get changed back. 1st the
> OLD text block needs to remain as-is; the OLD text is just quoted. 2nd MUST
> use causes problems down the road because we would need to update this to
> SHA-512 (or whatever) later to change the MUST use.
>
> <spt>
>
> >> >> > 8.  IANA Considerations
> >> >> >
> >> >> >   The document updates the "TLS SignatureScheme" registry to
> change the
> >> >> >   recommended status of SHA-1 based signature schemes to N (not
> >> >> >   recommended) as defined by [RFC8447].  The following entries are
> to
> >> >> >   be updated:
> >> >> >
> >> >> >       +--------+----------------+-------------+-------------------+
> >> >> >       | Value  |  Description   | Recommended |     Reference     |
> >> >> >       +--------+----------------+-------------+-------------------+
> >> >> >       | 0x0201 | rsa_pkcs1_sha1 |      N      | [RFC8446][RFCTBD] |
> >> >> >       | 0x0203 |   ecdsa_sha1   |      N      | [RFC8446][RFCTBD] |
> >> >> >       +--------+----------------+-------------+-------------------+
> >> >> >
> >> >> >   Other entries of the resgistry remain the same.
> >> >> >
> >> >> >
> >> >> > <mglt>
> >> >> > It seems to me that TLS 1.2 is using the TLS
> >> >> > hash and TLS signature registry TLS signature
> >> >> > registry and TLS 1.3 is using Signature
> >> >> > Scheme.
> >> >> >
> >> >> > I suspect that TLS hash values for sha1 and
> >> >> > md5 should be deprecated. And RFCTBD should
> >> >> > be added for sha1 and md5. Note that the
> >> >> > SHOULD NOT status for CertificateRequest
> >> >> > may have prevented such deprecation.
> >> >>
> >> >> The TLS HashAlgorithm and TLS SignatureAlgorithm registries do not
> have a Recommended column. Likewise, there’s not a notes column. What I
> think we could do is replace the reference to [RFC5246] with [RFCTBD] (so
> it’s points to this document when it is published).
> >> >>
> >> > <mglt>
> >> > yes. My understanding so far is that the document deprecate SHA-1 and
> MD5 for TLS 1.3 not for TLS 1.2 for the IANA section.
> >> > </mglt>
> >> >
> >> >> > A side effect is these code points for
> >> >> > signature scheme that were assigned for
> >> >> > compatibility with legacy (TLS 1.2)
> >> >> > signatures must not be used anymore -  if
> >> >> > there are no more valid with TLS 1.2.
> >> >> > </mglt>
> >> >>
> >> >> This is what changing the Recommended to “N” is above so I think
> we’re good here?
> >> >>
> >> > <mglt>
> >> > yes, my point was to indicate that currently "N" deprecates the TLS
> 1.2 legacy protocol for TLS 1.3 as opposed to the the protocols for TLS
> 1.2. Unless I misinterpreted the IANA registries I did not have the
> impression that the signature scheme replaced the registries of TLS 1.2. It
> is possible I am missing something with the IANA registries, but otherwise,
> I think the draft should be updated.
> >> > </mglt>
>
> AH, now i get it. To address this, what we need to do is add the IANA
> considerations:
>
> IANA is also requested to update the Reference for the TLS
> SignatureAlgorithm and TLS HashAlgorithm registries to refer to this RFC:
>
> <mglt>
That is it.
</mglt>

> OLD:
>
> Reference
> [RFC5246][RFC8447]
>
> NEW:
>
> Reference
> [RFC5246][RFC8447][RFC-to-be]
>
>

-- 
Daniel Migault
Ericsson