IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Hubert Kario <hkario@redhat.com> Tue, 14 July 2015 09:31 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC3A1A911D for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 02:31:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvW9GOHssShz for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 02:31:39 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5D8F1A9114 for <tls@ietf.org>; Tue, 14 Jul 2015 02:31:39 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 63D8C3187C2; Tue, 14 Jul 2015 09:31:39 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-73.ams2.redhat.com [10.36.112.73]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t6E9VYc0000849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 14 Jul 2015 05:31:38 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Tue, 14 Jul 2015 11:31:26 +0200
Message-ID: <1649068.52kEfPtajD@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.0.6-200.fc21.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <201507111709.27725.davemgarrett@gmail.com>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <20150711204810.GU28047@mournblade.imrryr.org> <201507111709.27725.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1606914.3tkUhEPGc1"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_-agtJqfoLjKoZhE_PhvSS4jgb4>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 09:31:41 -0000

On Saturday 11 July 2015 17:09:27 Dave Garrett wrote:
> On Saturday, July 11, 2015 04:48:10 pm Viktor Dukhovni wrote:
> > Largely close enough.  Feel free to borrow any text from the below
> > that you find to be an improvement.
> > 
> >     ========================================
> >     
> >     Whenever possible, all certificates provided by the server
> >     SHOULD be signed by a hash/signature algorithm pair indicated
> >     by the client's supported algorithms extension (or the defaults
> >     assumed in its absence).  If the server cannot produce a
> >     certificate chain that is signed via only the indicated supported
> >     pairs, then it SHOULD continue the handshake by sending the
> >     client a certificate chain of its choice that may include
> >     hash/signature algoriths that are not known to be supported by
> >     the client.
> >     
> >     The public key in the leaf certificate must of course be
> >     compatible with the chosen cipher-suite, and the subsequent
> >     ServerKeyExchange message must be signed via a mutually supported
> >     hash/signature algorithm pair.
> >     
> >     If the client cannot construct a satisfactory chain using the
> >     provided certificates and decides to abort the handshake, then
> >     it MUST send an "unsupported_certificate" alert message and
> >     close the connection.
> >     
> >     ========================================
> 
> The middle bit is already in existing text above the section in question.
> 
> New version with a little rewording and a typo fix.
> 
> \/
> 
> ========================================
> All certificates provided by the server SHOULD be signed by a
> hash/signature algorithm pair indicated by the client's
> "signature_algorithms" extension (or the defaults assumed in
> its absence), where possible. If the server cannot produce a
> certificate chain that is signed only via the indicated supported
> pairs, then it SHOULD continue the handshake by sending the
> client a certificate chain of its choice that may include algorithms
> that are not known to be supported by the client. If the client
> cannot construct an acceptable chain using the provided certificates
> and decides to abort the handshake, then it MUST send an
> "unsupported_certificate" alert message and close the connection.
> ========================================

What about the cert chain offered by client to server as a response to 
Certificate Request message?

They are also under the limitation of using just the signature algorithms 
advertised as supported by server.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email