[TLS] Renumbering the new SignatureSchemes

David Benjamin <davidben@chromium.org> Tue, 20 September 2016 15:27 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E0212B7DE for <tls@ietfa.amsl.com>; Tue, 20 Sep 2016 08:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.015
X-Spam-Level:
X-Spam-Status: No, score=-5.015 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lUPUFB8OFZM for <tls@ietfa.amsl.com>; Tue, 20 Sep 2016 08:27:18 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3813E12B938 for <tls@ietf.org>; Tue, 20 Sep 2016 08:08:04 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id r145so22780053ior.0 for <tls@ietf.org>; Tue, 20 Sep 2016 08:08:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=U9O7g54xjAqo/+/dNce3uvOI6tIofjr74K8A4VdvEks=; b=hEx1RTrs5fX6UW36jigCL7Vhu7hm8DRmaS+yI8JjjMtxmTD28J7qG9Q5YywaCblqCY cV2azWbU6ZoudTfxuqelIPhgry4/ulj6CPIxBQgVNbQSvreJpp2CBVitJvmYAAE9UCEH bSSLu+e4WPmDqwYbJ+wBus2RFWD3R3rmAdIPA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=U9O7g54xjAqo/+/dNce3uvOI6tIofjr74K8A4VdvEks=; b=DACM5KLT49ashD4uqqh9ufY8n1dn0RmSrw0hqiWhJ5V8cvywKmvnm7sKWlzli3Lkg+ gzxQZHh8sCKTsX9A8wvDbLHTtTtbBXrIoTRp0ShMTAT4TnOBgb6Us0ejGxQC5HUuBo43 Wl3POXJzbya+QxjLNDuAXZ5hYxxMdP7L66huzMhn29rNqV/mBmLQ6ugBS2s21Az7dLj/ OMW39ySd1lTIVgmw+nFnCk+USOC9r0Og5waehDW8+OMitE+hsD60D3AI83lnFr+pQrZw qp/swikQkhhk4wf59Xpd13EDDURuTUQi1ypdxYvcV97wY2oYVm+FUTlSpbvSSdz75aZ9 6TjA==
X-Gm-Message-State: AE9vXwNIpKmr7QFjLrpeYpJrWc27CL7HghzilOoRHEINcLYByD8iZGqXXvpBarlOPnQ26yynj7U9F2O6qMxjMMQU
X-Received: by 10.107.152.74 with SMTP id a71mr43118927ioe.120.1474384082913; Tue, 20 Sep 2016 08:08:02 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Tue, 20 Sep 2016 15:07:51 +0000
Message-ID: <CAF8qwaAo-MKJvxdpDkb-fyMfLmOpbhif=2Axik3wnr1DPzd5Eg@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=001a1140e88286caad053cf1cbd0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XEiyjLzZvSC5Mrwb5bdBCtr0FnQ>
Subject: [TLS] Renumbering the new SignatureSchemes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 15:27:20 -0000

Hi folks,

I've just uploaded this PR to slightly tweak SignatureScheme numbering:
https://github.com/tlswg/tls13-spec/pull/641

In principle, we should only have needed to burn values starting with known
HashAlgorithms, but TLS 1.2 said:

   signature
      This field indicates the signature algorithm that may be used.
      The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
      [PKCS1] and DSA [DSS], and ECDSA [ECDSA], respectively.  The
      "anonymous" value is meaningless in this context but used in
      Section 7.4.3.  It MUST NOT appear in this extension.

We'd started RSA-PSS along the train to get shipped in Chrome to get early
warning on any interoperability issues. We ran into an implementation which
enforced this MUST NOT. It's a MUST NOT in 1.2, so it seems prudent to
allocate around it and avoid ending in known SignatureAlgorithms. Thus,
rather than only burning {0x00-0x06, *}, we also burn {*, 0x00-0x03}. This
has the added benefit that TLS 1.2 dissector tools don't get confused.

(I'm not sure how to express it in the enum syntax or IANA registry, so I
left it a TODO in the PR.)

David