Re: [TLS] Should we use proof-of-possession rather than signatures?

Eric Rescorla <ekr@rtfm.com> Tue, 24 November 2015 22:42 UTC

In-Reply-To: <CAH9QtQFC9s5_jv+i3N5g894dt98c7zP31hjtR8MwQPuE6kHn4g@mail.gmail.com>
References: <CAH9QtQEwXBYapbNb5FC0=yOHJ_brmx+P0_6ODoWP-wQOQW=oMg@mail.gmail.com> <CABcZeBOk0mXFAHR_LFvN0CjuH3TuiMpOB5YossX+3oPMMx-aaQ@mail.gmail.com> <689E730F-63D4-4D64-B678-D5A701983146@shiftleft.org> <CADi0yUPtprXrczVPDObj8MQd9tnXMysepbFNA=whrJV=H1E65w@mail.gmail.com> <727C6597-F386-4349-B334-6D8442354F1E@shiftleft.org> <CAH9QtQFC9s5_jv+i3N5g894dt98c7zP31hjtR8MwQPuE6kHn4g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 24 Nov 2015 14:42:08 -0800
Message-ID: <CABcZeBP_UsVDSXqe6i6VG-kx1V2upWe1YJKsagASJpZX60JS=g@mail.gmail.com>
To: Bill Cox <waywardgeek@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/X1qLOOBVFNb5ERGyFKYZ8VP-2tI>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Should we use proof-of-possession rather than signatures?

On Tue, Nov 24, 2015 at 2:31 PM, Bill Cox <waywardgeek@google.com> wrote:
>
> From the paper, it sounds like using delegated keys currently has some
> unanticipated security problems, at least in the near term while we
> continue to accept incorrectly padded RSA based certs.  Would Hugo's
> suggestions for extending certificates address weaknesses due to delegated
> keys, and allow DH keyshares to be used for proof-of-possession, and
> possibly MQV?  If so, it sounds like a valuable upgrade.
>

The underlying concern is misuse of *existing* servers' signing keys to
produce essentially permanent delegations. So, as Hugo observed, requiring
a certificate extension (or DH certificates) removes this case. As I
mentioned in my earlier message, we discussed this extensively at a number
of meetings and came to the WG consensus that it would be good if someone
wrote a separate draft documenting one or both of these mechanisms, but
that it shouldn't be on the critical path for TLS 1.3. Volunteers wanted!

-Ekr

> Thanks,
> Bill
>
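An added illustration of the concern in Ekr's reply (this is not code from the thread, from OPTLS, or from any TLS draft). It assumes that "delegated keys" means an OPTLS-style static DH share signed once by the server's certificate key, models the certificate key with toy Schnorr signatures over RFC 2409 group 2 so that it runs with the Python standard library only, and uses a made-up extension name, `delegation_permitted`, for the policy Hugo's certificate-extension suggestion would enable. The contrast it shows: an attacker holding only the delegated DH private key and its one-time signature cannot pass a per-handshake signature check, but can complete proof-of-possession handshakes against fresh client nonces indefinitely, and a client policy that accepts delegations only from certificates carrying the extension removes that case for existing certificates.

```python
"""Toy model: a certificate key signs a static DH share once, and whoever holds that
share's private key can then authenticate as the server indefinitely without the
certificate key.  Constructed example: toy Schnorr + DH over RFC 2409 group 2."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# RFC 2409 "Second Oakley Group" (1024-bit MODP prime), generator 2, q = (p-1)/2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G, Q = 2, (P - 1) // 2
assert pow(G, Q, P) == 1  # G generates the prime-order subgroup of size Q

def enc(x: int) -> bytes:
    return x.to_bytes(128, "big")

def H(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    """Schnorr signature (r, s): verifier checks g^s == r * y^e (mod p)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = H(enc(r), msg) % Q
    return r, (k + e * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = H(enc(r), msg) % Q
    return pow(G, s, P) == (r * pow(y, e, P)) % P

@dataclass(frozen=True)
class Cert:
    subject: str
    pub: int
    extensions: frozenset = frozenset()

@dataclass(frozen=True)
class Delegation:
    """Static DH share signed once by the certificate key (assumed OPTLS-like)."""
    cert: Cert
    dh_pub: int
    sig: tuple

def make_delegation(cert_priv: int, cert: Cert, dh_priv: int) -> Delegation:
    dh_pub = pow(G, dh_priv, P)
    return Delegation(cert, dh_pub, sign(cert_priv, b"delegate" + enc(dh_pub)))

# Signature mode (TLS 1.3 CertificateVerify-like): a fresh signature by the
# certificate key over the transcript on every handshake.
def sig_mode_server(cert_priv, nonce, client_share):
    return sign(cert_priv, b"sig" + nonce + enc(client_share))

def sig_mode_client(cert, nonce, client_share, sig) -> bool:
    return verify(cert.pub, b"sig" + nonce + enc(client_share), sig)

# Proof-of-possession mode: the server proves knowledge of the delegated DH
# private key by MACing the transcript under the DH-derived key.
def pop_transcript(deleg, nonce, client_share) -> bytes:
    return b"pop" + nonce + enc(client_share) + enc(deleg.dh_pub)

def pop_mode_server(deleg, dh_priv, nonce, client_share) -> bytes:
    key = hashlib.sha256(enc(pow(client_share, dh_priv, P))).digest()
    return hmac.new(key, pop_transcript(deleg, nonce, client_share), "sha256").digest()

def pop_mode_client(deleg, client_priv, nonce, client_share, mac, require_ext=False) -> bool:
    # Hypothetical policy: only certificates explicitly marked for delegation may
    # sign DH shares ("delegation_permitted" is an assumed extension name).
    if require_ext and "delegation_permitted" not in deleg.cert.extensions:
        return False
    if not verify(deleg.cert.pub, b"delegate" + enc(deleg.dh_pub), deleg.sig):
        return False
    key = hashlib.sha256(enc(pow(deleg.dh_pub, client_priv, P))).digest()
    expected = hmac.new(key, pop_transcript(deleg, nonce, client_share), "sha256").digest()
    return hmac.compare_digest(mac, expected)

def demo() -> dict:
    cert_priv, cert_pub = keygen()
    old_cert = Cert("www.example.com", cert_pub)       # existing cert, no extension
    dh_priv, _ = keygen()
    deleg = make_delegation(cert_priv, old_cert, dh_priv)
    # From here on an attacker holds only (deleg, dh_priv), e.g. exported from a
    # decommissioned front end, and never the certificate key.
    x_priv, x_pub = keygen()                           # fresh client share
    nonce = secrets.token_bytes(32)                    # fresh client nonce
    out = {}
    out["sig_honest"] = sig_mode_client(old_cert, nonce, x_pub, sig_mode_server(cert_priv, nonce, x_pub))
    out["sig_attacker"] = sig_mode_client(old_cert, nonce, x_pub, sig_mode_server(dh_priv, nonce, x_pub))
    mac = pop_mode_server(deleg, dh_priv, nonce, x_pub)
    out["pop_attacker"] = pop_mode_client(deleg, x_priv, nonce, x_pub, mac)
    out["pop_attacker_ext_policy"] = pop_mode_client(deleg, x_priv, nonce, x_pub, mac, require_ext=True)
    # A separate key certified with the extension for this purpose still works.
    new_priv, new_pub = keygen()
    new_cert = Cert("www.example.com", new_pub, frozenset({"delegation_permitted"}))
    deleg2 = make_delegation(new_priv, new_cert, dh_priv)
    mac2 = pop_mode_server(deleg2, dh_priv, nonce, x_pub)
    out["pop_permitted_cert"] = pop_mode_client(deleg2, x_priv, nonce, x_pub, mac2, require_ext=True)
    return out
```

Running `demo()` gives `sig_honest` and `pop_permitted_cert` as True and `sig_attacker` and `pop_attacker_ext_policy` as False, while `pop_attacker` is True: the one-time signature is all the attacker ever needed. Note that the extension policy only helps if the keys in existing certificates are not simply re-certified with the extension, which is why the example issues a fresh key for the new certificate.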