Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt
Eric Rescorla <ekr@rtfm.com> Sat, 10 October 2015 17:44 UTC
In-Reply-To: <201510101337.29335.davemgarrett@gmail.com>
References: <201510101337.29335.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 10 Oct 2015 19:44:04 +0200
Message-ID: <CABcZeBNNZq2UUZ5tkSJuid+yDv_EFBsBjmkEVHa1gwiiZSiOjw@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZLClYFWZMlFuxaCUxYuM6O_gxqU>
Cc: "tls@ietf.org" <tls@ietf.org>
On Sat, Oct 10, 2015 at 7:37 PM, Dave Garrett <davemgarrett@gmail.com> wrote:

> In light of completely unsurprising recent events [0], I think it's time
> to reconsider the current consensus on how to deal with SHA-1 in TLS 1.3.
> Currently, it's allowed if needed by servers that have nothing better [1].

To be clear, the only thing that's allowed is SHA-1 in *certificates*. It's
forbidden in CertificateVerify.

-Ekr

> I propose we stop playing around and just prohibit it under TLS 1.3+.
> Implementations that can negotiate nothing better would be permitted to
> fall back to TLS 1.2 with the security restrictions currently in the draft
> [2] (which is still a concession I'd rather not make, but it's currently
> needed). I have submitted a PR [3] to this effect in order to have specific
> text to discuss here, though WG consensus and chair approval is of course
> required to change the current status.
>
> Please note that TLS 1.3 is not coming out tomorrow, nor will its
> deployment be instant. By the time servers even decide to consider an
> upgrade, SHA-1 will be in an even less secure state than it already is.
>
> To answer the obvious question: Prohibiting it in new versions reduces the
> risk of mistakes, draws a clear line where support is killed, and puts an
> actual impetus on PKI to transition faster. TLS 1.2 is potentially
> vulnerable, depending on configuration (nothing new there), but TLS 1.3
> should be known to be secure in all valid configurations. The discussion to
> have with non-experts should not be about specific algorithms to pick and
> choose (RC4, MD5, SHA1, EXPORT ciphers, non-AEAD, non-PFS, weak DH groups,
> etc. etc.); we should be able to point at the current version and say "use
> this, not the old thing", or we can't expect it to be understood and taken
> seriously.
>
> [0] https://sites.google.com/site/itstheshappening/
> [1] https://tools.ietf.org/html/draft-ietf-tls-tls13-09#page-60
> [2] https://tools.ietf.org/html/draft-ietf-tls-tls13-09#appendix-C.3
> [3] https://github.com/tlswg/tls13-spec/pull/287
>
>
> Dave
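Ekr's clarification draws a line that an operator auditing a deployment needs to see: the draft tolerates SHA-1 only as the signature algorithm on certificates in the chain (the outer `signatureAlgorithm` field of each X.509 Certificate), not as the hash in CertificateVerify. The script below is an added example, not code from this thread, the TLS WG or the draft: it walks the outer DER structure of each certificate in a chain and reports which ones were signed with a SHA-1 algorithm. The OIDs are the standard ones for sha1WithRSAEncryption, ecdsa-with-SHA1, sha256WithRSAEncryption and ecdsa-with-SHA256; the sample "certificates" are constructed stand-ins whose tbsCertificate is filler, built only so the check runs offline, and `fake_cert` is a helper of this example rather than anything real.

```python
"""Audit a DER certificate chain for SHA-1 certificate signatures.

Added example. Parses only the outer layout of an X.509 Certificate:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and classifies signatureAlgorithm by its OID.
"""

# Standard signature algorithm OIDs; True marks the SHA-1-based ones.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}


def _der_len(n):
    """DER definite-length encoding (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    first = content[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def cert_signature_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate is not a SEQUENCE"
    _, _tbs, pos = read_tlv(body, 0)          # skip tbsCertificate
    tag, algid, _ = read_tlv(body, pos)       # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid, _ = read_tlv(algid, 0)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid)


def audit_chain(chain):
    """Return [(index, algorithm name, uses_sha1)] for each certificate."""
    report = []
    for i, cert in enumerate(chain):
        oid = cert_signature_oid(cert)
        name, sha1 = SIG_ALG_OIDS.get(oid, (oid, False))
        report.append((i, name, sha1))
    return report


def chain_uses_sha1(chain):
    return any(sha1 for _, _, sha1 in audit_chain(chain))


def fake_cert(sig_oid):
    """Constructed stand-in with the outer layout of an X.509 Certificate.
    tbsCertificate is filler and signatureValue is a dummy BIT STRING; only
    the signatureAlgorithm field is meaningful. NULL parameters as for RSA."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_oid(sig_oid) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 4)
    return der_tlv(0x30, tbs + alg + sig)


# Constructed sample chain: SHA-256 leaf, SHA-1 intermediate.
SAMPLE_CHAIN = [
    fake_cert("1.2.840.113549.1.1.11"),
    fake_cert("1.2.840.113549.1.1.5"),
]

if __name__ == "__main__":
    for idx, name, sha1 in audit_chain(SAMPLE_CHAIN):
        print(f"cert[{idx}]: {name}{'  <-- SHA-1 certificate signature' if sha1 else ''}")
```

On real input, load each PEM body with `base64.b64decode` and pass the DER bytes to `audit_chain`; the check answers only the certificate-signature question the draft text covers and says nothing about the hash a peer will use in CertificateVerify, which is negotiated in the handshake rather than recorded in the chain.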
- [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Eric Rescorla
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Ilari Liusvaara
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Yoav Nir
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Viktor Dukhovni
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Dave Garrett
- Re: [TLS] The SHA-1 Options (was: banning SHA-1 i… Dave Garrett
- Re: [TLS] The SHA-1 Options (was: banning SHA-1 i… Ryan Sleevi
- [TLS] closing this thread: Re: The SHA-1 Options … Sean Turner
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Hubert Kario
- Re: [TLS] banning SHA-1 in TLS 1.3, a new attempt Blumenthal, Uri - 0553 - MITLL