Re: [TLS] PR to clarify RSASSA-PSS requirements
Eric Rescorla <ekr@rtfm.com> Wed, 22 November 2017 04:38 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B23E129C30 for <tls@ietfa.amsl.com>; Tue, 21 Nov 2017 20:38:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PzIuxcXaIJQ for <tls@ietfa.amsl.com>; Tue, 21 Nov 2017 20:38:27 -0800 (PST)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 546D5129C2F for <tls@ietf.org>; Tue, 21 Nov 2017 20:38:27 -0800 (PST)
Received: by mail-yw0-x22f.google.com with SMTP id c195so3816766ywh.10 for <tls@ietf.org>; Tue, 21 Nov 2017 20:38:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MpdiR4z8iHRUEdf9gAWwLL634eUh9El518iO13VidII=; b=YjiCaSpgHyErCkiftLjMPToaLkYwaqki1NHkmBAMrW+Mo/oxVzigi/m9hP060QWjmt j9eLQa6KFvz+Y/K94EgyeAb6msMVfIL4NiYSani21UlZo3hSUlSqs6O0+BC+eM9Bi8kT HL5meYvW0BhWmCiMfyN40tmZ4NkUIp1rpMQyG/QX90OFTJXy5N+rniQh1WN2BwkpYCjG grAsjwzi1roN1bT8JSlF4YmxR9pitXU57H9gmJK5XWFO7AM6bhJOoCM7z3yC5KHFNFCg 7GgvppYoxhmbgR89wd4ov6NHzzVWRW6+y6Phfen7MRRWLvlKUG9UD+pek2wXQ/9WMwSH 9YxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MpdiR4z8iHRUEdf9gAWwLL634eUh9El518iO13VidII=; b=kLjGC6yhfeQfoAaskMI/rKqKxfgUMgidVHCUCjEDhtSsyGxfE0aEH8/BaGFPgoiJGT ghZxBTZo0AXaUp/SkGPa0eKT+hlZETG6+CAtg2ueOPoude+A01tvStKgzaN5fT3kRM6j p+s3UE2vSkwhrNwhzCV0DfjiOOekY5bhs8hrQ0O+Hi/x7n4jc4ODZB+BGd9NJcn4cljn GoPqjjGPb+WOr2u0tA3nHwNmi/DctlSyiOqi5HD9iFP1due1KOJO0+Ki8skzq4UzeaOI MXIBzpdtCSRsT5mwVRvZHcZXywy/BRx+TpRCp+gTGHLH88ORjyKG6uLcv/xXF/83ITEC 1TgQ==
X-Gm-Message-State: AJaThX7ymB5Q7JgCCF4tuPOFNh8N/a5cyGVd1FjKmNDVw3sSzMT4OytU be/C/98ecnKStAklCTGimXXcM7o6o52qdIBThRbqimhPNfc=
X-Google-Smtp-Source: AGs4zMa9bGIq+d0zgnXZsN5iIuaQlZXRa76ZbACV9SaBnEYCumNaQpDxTGNfAgo6eXnJGyyD83kd/orFaZcVUM4NTjk=
X-Received: by 10.129.154.22 with SMTP id r22mr12486182ywg.296.1511325506358; Tue, 21 Nov 2017 20:38:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.123.132 with HTTP; Tue, 21 Nov 2017 20:37:45 -0800 (PST)
In-Reply-To: <20171122035404.GC18321@al>
References: <20171122035404.GC18321@al>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Nov 2017 20:37:45 -0800
Message-ID: <CABcZeBP+1xrd8KdWwHh6U2_rMXUDeZAZKF_ZvFrs8DJ7hnQrGw@mail.gmail.com>
To: Peter Wu <peter@lekensteyn.nl>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0bb4e8f26512055e8ae32f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V36Ke4aquHGLbIYyc65Rub2SH5s>
Subject: Re: [TLS] PR to clarify RSASSA-PSS requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2017 04:38:29 -0000
I don't think that this is the right answer. Let's separate out the question of (a) what people need to support and (b) what the code points mean. (b) needs to be unambigous, as that's the point of the extension and this PR actually makes it explicitly unambigous. With that said, there seem to be two points of contention: - Whether the code point refers to signatures other than those in CertificateVerify - Whether the code point refers to SPKIs with OIDs other than rsaEncryption For the first point, I recognize that there are those who believe that the code point should refer only to CertificateVerify but that's not what it meant in TLS 1.2 and I don't think there's consensus to make that change. We could certainly introduce a new extension later which refers to just chain certificates. For the second point, I wouldn't be averse to having two code points, one for PSS that means "must be rsaEncryption" and one for "PSS with funny parameters" (with the hope we only ever needed the first). But that's not this PR. -Ekr On Tue, Nov 21, 2017 at 7:54 PM, Peter Wu <peter@lekensteyn.nl> wrote: > Hi, > > At the moment there is still ambiguity in the requirements for PSS with > relation to certificates. Proposal to clarify this: > https://github.com/tlswg/tls13-spec/pull/1098 > > > This PR intends to clarify the requirements for PSS support. > > The requirements are intentionally minimal to reduce implementation > efforts, but recognizes that some other implementations may be more > complete. Notes: > > - "Supporting PSS signatures on certificates is a mandatory requirement > and I think we should be very clear about the parameters we permit." > https://www.ietf.org/mail-archive/web/tls/current/msg23007.html > - Martin Rex wishes to remove TLS requirements on signature algorithms > for certificates, hence the "MAY" for other PSS parameters in this PR. > https://www.ietf.org/mail-archive/web/tls/current/msg23021.html > - Regardless, rsa_pss_sha256 is currently MTI for CertificateVerify and > certificates, hence the strong MUST wording in this PR. > - It does not say anything about non-end-entity certificates, that's up > to the PKI verifier. Consider case "CA Key: rsa-pss; EE signature: > rsa-pss; EE key: rsa" from > https://www.ietf.org/mail-archive/web/tls/current/msg24453.html > - PSS params in certificates are explicitly not restricted, satisfying > https://www.ietf.org/mail-archive/web/tls/current/msg24457.html > > >From what I have heard, boringssl does not (or will not?) implement any > PSS support in the certificates (yet?). Don't know if anything should be > changed here to reflect that decision, but I thought it is worth > mentioning. It is possible that I'll follow boringssl's example in tris. > > If a TLS extension is introduced later, hopefully that improves interop > with odd keys and signatures that are optional in this PR (PSS pubkey or > custom salt lengths). > -- > Kind regards, > Peter Wu > https://lekensteyn.nl > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] PR to clarify RSASSA-PSS requirements Peter Wu
- Re: [TLS] PR to clarify RSASSA-PSS requirements Eric Rescorla
- Re: [TLS] PR to clarify RSASSA-PSS requirements Nikos Mavrogiannopoulos
- Re: [TLS] PR to clarify RSASSA-PSS requirements Peter Wu
- Re: [TLS] PR to clarify RSASSA-PSS requirements Peter Wu
- Re: [TLS] PR to clarify RSASSA-PSS requirements Nikos Mavrogiannopoulos
- Re: [TLS] PR to clarify RSASSA-PSS requirements Hubert Kario
- Re: [TLS] PR to clarify RSASSA-PSS requirements Ilari Liusvaara
- Re: [TLS] PR to clarify RSASSA-PSS requirements Peter Wu