[TLS] Delegated Credentials Question about PSS

Nick Sullivan <nick@cloudflare.com> Tue, 15 October 2019 22:35 UTC

From: Nick Sullivan <nick@cloudflare.com>
Date: Tue, 15 Oct 2019 15:34:43 -0700
Message-ID: <CAFDDyk-ohwH4pfeen8iFRHCqb8Pb95-DagORA_NtgaG9AWyoMQ@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZPYNa4b2B-cwPBj9pfTEQUqd_pQ>
Subject: [TLS] Delegated Credentials Question about PSS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>


I'd like some feedback on a potential issue raised by Martin Thomson at the
last IETF. The question is about the interaction between the SPKI and the
signature scheme for RSA delegated credentials. The main concern is around
the interaction between the rsaEncryption OID and the signature scheme,
specifically PKCS#1v1.5, which we disallow in TLS 1.3 but not explicitly in
DCs (yet). This issue is tracked on Github as issues/28.

Given the feedback on Github, I see two main choices to resolve this issue:

1) Allow RSA Credentials with the rsaEncryption OID in the SPKI to be used
with the rsa_pss_rsae_* signature schemes, but disallow rsa_pkcs1_*
signature schemes.
2) Forbid RSA Credentials with the rsaEncryption OID (and associated
signature schemes) and require an RSA PSS OID for rsa_pss_pss_* signature

Does anyone have a strong preference for one of these options?

My take:
The rsa_pss_rsae_* suites are a hack created to allow TLS 1.3 to be
backward-compatible with existing rsaEncryption OID certs while enabling
RSA-PSS. We don't have this legacy in delegated credentials, so I'm
inclined to prefer 2).

The only reason I see to go for 1) is the risk of implementation
difficulties. The RSA PSS OIDs are hard to get right in code. However,
considering that RSA DCs are unlikely to be widely used in favor of
elliptic-curve DCs, the implementation risk seems low and restricted to
implementations that choose to support RSA DCs as an optional feature.
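As an added illustration of the SPKI/signature-scheme interaction discussed above (this is example code written for this page, not code from the thread, the delegated-credentials draft, or any implementation): a verifier-side check that takes a credential's DER SubjectPublicKeyInfo and a TLS 1.3 SignatureScheme codepoint and decides whether the pairing is acceptable under option 1 (rsaEncryption keys may use rsa_pss_rsae_*, never rsa_pkcs1_*) or option 2 (rsaEncryption keys are rejected, rsa_pss_pss_* requires the RSASSA-PSS OID). The DER helpers, the policy function `dc_rsa_scheme_allowed`, and the sample SPKI blobs are all constructed here; the key BIT STRINGs are placeholders, only the AlgorithmIdentifier matters. The codepoints and OIDs are the real values from RFC 8446, RFC 4055 and RFC 5756. The block also goes one step beyond the post and checks the RSASSA-PSS-params hash against the scheme's hash, which is the part of "the RSA PSS OIDs are hard to get right" that bites in practice.

```python
# Added example, not from the thread or the draft: a delegated-credential verifier's
# check of the credential's SPKI algorithm OID against the SignatureScheme it is asked
# to use, under option 1 and option 2 of the post. Helpers and samples are constructed.
# TLS 1.3 SignatureScheme codepoints (RFC 8446, section 4.2.3) -> hash name
RSA_PKCS1 = {0x0401: "sha256", 0x0501: "sha384", 0x0601: "sha512"}
RSA_PSS_RSAE = {0x0804: "sha256", 0x0805: "sha384", 0x0806: "sha512"}
RSA_PSS_PSS = {0x0809: "sha256", 0x080A: "sha384", 0x080B: "sha512"}
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"      # AlgorithmIdentifier OIDs
ID_RSASSA_PSS = "1.2.840.113549.1.1.10"
SHA_OIDS = {"sha256": "2.16.840.1.101.3.4.2.1", "sha384": "2.16.840.1.101.3.4.2.2",
            "sha512": "2.16.840.1.101.3.4.2.3"}

def der_tlv(tag, body):
    assert len(body) < 0x80               # short-form length is enough for the samples
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted form (first arc 0, 1 or 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        bits = [arc & 0x7F]               # base-128, high bit set on all but the last octet
        while arc > 0x7F:
            arc >>= 7
            bits.insert(0, 0x80 | (arc & 0x7F))
        out.extend(bits)
    return der_tlv(0x06, bytes(out))

def decode_oid(content):
    """Dotted form from the content octets of a DER OBJECT IDENTIFIER."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_tlv(buf, off=0):
    """Return (tag, content, offset after the element) for one DER element."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                          # long-form length, as real RSA keys need
        width = n & 0x7F
        n, off = int.from_bytes(buf[off:off + width], "big"), off + width
    return tag, buf[off:off + n], off + n

def parse_tlvs(buf):
    """Split the content of a DER SEQUENCE into (tag, content) elements."""
    items, off = [], 0
    while off < len(buf):
        tag, content, off = parse_tlv(buf, off)
        items.append((tag, content))
    return items

def spki_algorithm(spki_der):
    """(algorithm OID, parameters as (tag, content) or None) from a DER SubjectPublicKeyInfo."""
    tag, body, _ = parse_tlv(spki_der)
    alg_tag, alg_body = parse_tlvs(body)[0]
    assert tag == 0x30 and alg_tag == 0x30, "SPKI and AlgorithmIdentifier must be SEQUENCEs"
    fields = parse_tlvs(alg_body)
    return decode_oid(fields[0][1]), (fields[1] if len(fields) > 1 else None)

def pss_params_hash(params):
    """Hash in RSASSA-PSS-params: None if absent (unrestricted key), 'sha1' if [0] is omitted."""
    if params is None:
        return None
    if params[0] != 0x30:
        return "invalid"                  # NULL or anything else is not RSASSA-PSS-params
    for tag, content in parse_tlvs(params[1]):
        if tag == 0xA0:                   # [0] EXPLICIT hashAlgorithm AlgorithmIdentifier
            hash_oid = decode_oid(parse_tlvs(parse_tlvs(content)[0][1])[0][1])
            return next((n for n, o in SHA_OIDS.items() if o == hash_oid), "unknown")
    return "sha1"                         # RFC 4055 default when the field is absent

def dc_rsa_scheme_allowed(spki_der, scheme, option):
    """Does the SPKI permit `scheme` under option 1 or 2? Non-RSA keys reject RSA schemes only."""
    oid, params = spki_algorithm(spki_der)
    if scheme in RSA_PKCS1:
        return False                      # both options exclude PKCS#1 v1.5
    if oid == RSA_ENCRYPTION:
        return option == 1 and scheme in RSA_PSS_RSAE   # option 2 rejects these keys outright
    if oid == ID_RSASSA_PSS:
        if scheme not in RSA_PSS_PSS:
            return False
        key_hash = pss_params_hash(params)   # RFC 8446: present params must match the scheme
        return key_hash is None or key_hash == RSA_PSS_PSS[scheme]
    return scheme not in RSA_PSS_RSAE and scheme not in RSA_PSS_PSS

def sample_spki(alg_oid, params=b""):
    """Constructed SPKI: real AlgorithmIdentifier, placeholder 8-byte key BIT STRING."""
    alg_id = der_tlv(0x30, encode_oid(alg_oid) + params)
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" * 9))

PSS_SHA256_PARAMS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x30, encode_oid(SHA_OIDS["sha256"]))))
SPKI_RSAE = sample_spki(RSA_ENCRYPTION, b"\x05\x00")             # rsaEncryption, NULL params
SPKI_PSS_SHA256 = sample_spki(ID_RSASSA_PSS, PSS_SHA256_PARAMS)  # PSS key bound to SHA-256
SPKI_PSS_ANY = sample_spki(ID_RSASSA_PSS)                        # PSS key, parameters absent
```

With these samples, `dc_rsa_scheme_allowed(SPKI_RSAE, 0x0804, 1)` is true and the same call with option 2 is false, while `dc_rsa_scheme_allowed(SPKI_PSS_SHA256, 0x080A, 2)` is false because the key's parameters pin SHA-256 and rsa_pss_pss_sha384 would need SHA-384. The parameter comparison is where option 2 puts the implementation burden: a verifier that only matches the OID and ignores RSASSA-PSS-params will accept signatures the key was never meant to produce, which is the cost the post weighs against the cleaner protocol story.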