[TLS] Draft 18 review : Signature in certificates

Olivier Levillain <olivier.levillain@ssi.gouv.fr> Tue, 22 November 2016 19:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WuGw4IsavqqS1oUgQfMKEB4er4U>

Hi list,

I am sorry for the very late answer concerning draft 18, but we
(ANSSI) have several remarks after proof-reading the current
specification.

We are sorry for the multiple long messages.

If the WG is interested in some of our concerns/proposals, we would be
glad to propose some PRs.


= Signature in certificates =

The two paragraphs in 4.4.1.2 P.56 starting with "All certificates"
are very far from clear.  They require (MUST) some behaviour, which is
later reformulated with an unless part.  I am not sure of the intent
here, but we believe the current text should be rewritten to clearly
express the intent of the WG.

My comprehension is that the server MUST use only signature schemes
described in signature_algorithms, except for the following cases:
 - for checking the signature in self-signed or trust anchors (since
   this check is useless, the trust coming from an out-of-band
   mechanism in this case)
 - when the only available chains use signature schemes that are not
   known to be supported by the client
 - the case of SHA-1 is special

The same confusion can be found in 4.4.2 P.59 ("If sent by a
server...")


Olivier Levillain
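As an added illustration of the reading set out in the message above (it is not the draft's normative algorithm and not code from the original message or from ANSSI), the following Python models a server's chain selection and a client's check under the three exceptions listed: the self-signed / trust-anchor signature is skipped, a chain is still sent when none is known to be supported by the client, and SHA-1 is handled as a separate case. The certificate model, the sample chains, the scheme names and the choice to try SHA-1 chains last in the fallback are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Constructed, minimal view of a certificate: only the scheme used to
    sign it and whether it is self-signed / a trust anchor matter here."""
    subject: str
    sig_scheme: str          # e.g. "rsa_pss_rsae_sha256" (assumed naming)
    self_signed: bool = False


@dataclass
class Chain:
    name: str
    certs: List[Cert]        # leaf first, trust anchor last


def uses_sha1(scheme: str) -> bool:
    # Assumption: SHA-1 schemes are recognisable by their suffix.
    return scheme.endswith("_sha1")


def checked_signatures(chain: Chain) -> List[str]:
    """Signatures the client actually verifies: every certificate's
    signature except the self-signed / trust-anchor one, whose trust comes
    from an out-of-band mechanism."""
    return [c.sig_scheme for c in chain.certs if not c.self_signed]


def chain_matches(chain: Chain, client_sig_algs: List[str]) -> bool:
    """True when every checked signature uses a scheme the client listed
    in signature_algorithms."""
    return all(s in client_sig_algs for s in checked_signatures(chain))


def select_chain(chains: List[Chain],
                 client_sig_algs: List[str]) -> Tuple[Optional[Chain], str]:
    """Server side. Prefer a chain fully covered by signature_algorithms;
    otherwise fall back to a chain that is not known to be supported
    (assumption: chains with SHA-1 signatures are tried last)."""
    for ch in chains:
        if chain_matches(ch, client_sig_algs):
            return ch, "all checked signatures in signature_algorithms"
    fallback = sorted(
        chains,
        key=lambda c: any(uses_sha1(s) for s in checked_signatures(c)),
    )
    if fallback:
        return fallback[0], "fallback: no chain is known to be supported by the client"
    return None, "no chain available"


def client_check(chain: Chain, client_sig_algs: List[str]) -> List[str]:
    """Client side. Report each checked signature whose scheme was not
    offered, and flag SHA-1 separately as the special case."""
    problems = []
    for cert in chain.certs:
        if cert.self_signed:
            continue  # trust anchor: its own signature is not checked
        if cert.sig_scheme not in client_sig_algs:
            problems.append(f"{cert.subject}: {cert.sig_scheme} not in signature_algorithms")
        elif uses_sha1(cert.sig_scheme):
            problems.append(f"{cert.subject}: {cert.sig_scheme} uses SHA-1 (special case)")
    return problems


# Constructed sample chains (not real certificates).
RSA_CHAIN = Chain("rsa", [
    Cert("leaf.example", "rsa_pss_rsae_sha256"),
    Cert("Intermediate CA", "rsa_pkcs1_sha256"),
    Cert("Root CA", "rsa_pkcs1_sha1", self_signed=True),   # anchor's SHA-1 self-signature is ignored
])
ECDSA_CHAIN = Chain("ecdsa", [
    Cert("leaf.example", "ecdsa_secp256r1_sha256"),
    Cert("EC Root CA", "ecdsa_secp384r1_sha384", self_signed=True),
])
LEGACY_CHAIN = Chain("legacy", [
    Cert("leaf.example", "rsa_pkcs1_sha1"),
    Cert("Old Root CA", "rsa_pkcs1_sha1", self_signed=True),
])
CHAINS = [LEGACY_CHAIN, RSA_CHAIN, ECDSA_CHAIN]

if __name__ == "__main__":
    for offered in (["rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"],
                    ["ecdsa_secp256r1_sha256"],
                    ["rsa_pss_pss_sha256"]):
        chain, reason = select_chain(CHAINS, offered)
        print(offered, "->", chain.name if chain else None, "|", reason)
        if chain:
            print("  client check:", client_check(chain, offered) or "ok")
```

The point the message makes shows up in the first sample: the RSA chain is accepted even though its root is self-signed with SHA-1, because that signature is never verified; the third sample shows the fallback where no chain is known to be supported and the server still has to send something.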