Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 12 October 2015 13:44 UTC
Return-Path: <prvs=77277e3e67=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 555671B3253 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 06:44:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzm5ULCpBTWW for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 06:44:54 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id 8FE521B3251 for <tls@ietf.org>; Mon, 12 Oct 2015 06:44:54 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id t9CDipOF006010; Mon, 12 Oct 2015 09:44:51 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dave Garrett <davemgarrett@gmail.com>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Thread-Topic: [TLS] banning SHA-1 in TLS 1.3, a new attempt
Thread-Index: AQHRA4PcZmhnRFnvbU2c8qliyAuSfJ5lcHcAgAAIk4CAAAOSAIAAAh0AgAAYY4CAAD/XAIAABw0AgAAGPwD//9q4ioAAT2MAgACfZICAACGvAIAADriAgAAcn4CAACFSgIAAFLKAgAANVICAACz6AIAAdmyA
Date: Mon, 12 Oct 2015 13:44:51 +0000
Message-ID: <D24131A5.1DF68%uri@ll.mit.edu>
References: <201510101337.29335.davemgarrett@gmail.com> <201510111913.04247.davemgarrett@gmail.com> <20151012000045.GF15070@mournblade.imrryr.org> <201510112241.44817.davemgarrett@gmail.com>
In-Reply-To: <201510112241.44817.davemgarrett@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.5.150821
x-originating-ip: [172.26.148.51]
Content-Type: text/plain; charset="utf-8"
Content-ID: <3EE7BBA942436B449B9907FDAB7A9CFB@ll.mit.edu>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-10-12_08:2015-10-12,2015-10-12,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1510120159
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZAw76Hm87kG83lud0oFletDGoUw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 13:44:56 -0000
In summary: +1 to Viktor’s argument. -1 to Dave’s. -- Regards, Uri Blumenthal On 10/11/15, 22:41, "TLS on behalf of Dave Garrett" <tls-bounces@ietf.org on behalf of davemgarrett@gmail.com> wrote: >On Sunday, October 11, 2015 08:00:45 pm Viktor Dukhovni wrote: >> There's no reason for pessimism > >Sorry, I have to laugh a bit here. :p > >> we're not trying to deprecated deployed >> functionality, there is no TLS 1.3 deployed base. > >Due to the fact that the vast majority of TLS implementations that will >be used are going to be existing ones, upgraded to support TLS 1.3, yes >we are deprecating deployed functionality for that implementation as well >as their users. > >> > Prohibiting TLS 1.3 implementations from using SHA1 certs does not >>break >> > OE. >> >> It does when the SHA-1 leaf certificate is pinned, and/or the server >> has nothing else to send, and its clients rightly don't care. > >In the second case, a correct course of action for the server would be to >send an incomplete or outright empty certificate_list fallback, in which >case the clients that don't care will be fine with it. Pinning a SHA1 >end-entiy (leaf) cert rather than an intermediate just seems like a bad >idea that you can't expect to work forever. In cases where the server >can't handle lack of SHA1, then my response is to fix that before >upgrading TLS. > >> > My goal is to have fewer systems using SHA1 within a reasonable >>timeframe. >> >> That happens automatically in the minimal version of the PR. > >We're both trying to predict possible futures with different thought >processes. I'm concerned that the simpler course is too slow, _not_ >because we need to rush to get rid of SHA1 certs ASAP, but because going >slower requires keeping SHA-1 around in implementations in the interim. >Even requiring settings and code for an algorithm at all poses an attack >surface by itself (we had attacks on supposedly disabled features over >the past year). Every known vulnerable feature is one which we have to be >wary of getting re-enabled or left on accidentally. I consider this risk >to be high enough to not rely on delegation to another layer; you think >that delegation cannot be changed without excessive interop risk. > >I'll post a follow-up question to the WG (with a changed title, as our >discussion here got long) with the options phrased as a question with 3 >main choices (including the option of doing nothing new). If there's no >support for a full drop in SHA-1 support under the new version, then >there won't be a point in pushing for it further, unless there's yet >another SHA-1 revelation in the near future. > > >Dave > >_______________________________________________ >TLS mailing list >TLS@ietf.org >https://www.ietf.org/mailman/listinfo/tls
- [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Eric Rescorla
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Ilari Liusvaara
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Yoav Nir
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] The SHA-1 Options (was: banning SHA-1 i… Dave Garrett
- Re: [TLS] The SHA-1 Options (was: banning SHA-1 i… Ryan Sleevi
- [TLS] closing this thread: Re: The SHA-1 Options … Sean Turner
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Hubert Kario
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Blumenthal, Uri - 0553 - MITLL