Re: [TLS] raising ceiling vs. floor (was: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt)

[Phil Pennock <phil.pennock@spodhuis.org>]

On 2018-07-10 at 00:17 -0400, Viktor Dukhovni wrote:
> More generally, as noted in RFC7435, you get more security by raising
> the ceiling than by raising the floor.

+1, including to the points about SMTP fallback to cleartext, etc.

> For example, I recently learned that current GnuTLS
> versions by default no longer validate certificates with SHA-1
> issuer signatures, and that current versions of Exim linked with
> these GnuTLS releases fail to validate some DANE-TA(2) chains issued
> by private-CAs that still use SHA-1.  And yet:

That's fine by me.  Linking against GnuTLS has long had implications for
mail delivery.  It blocked SSLv3 at a time when SSLv3 was still fairly
widespread in corporate circles (Exchange).  Folks who care about TLS
interop for real mail-systems use OpenSSL.

For myself, I think that since SHA-1 has practical collision attacks
today, the next break will be second preimage attacks, at which point
the use in certificates is dead.  Whether that comes tomorrow or three
years from now, I don't know.

It's appropriate to not re-enable SHA-1 at a point where the entire
non-SMTP ecosystem has moved away from it and nobody should be asking
_other people outside their own administrative domain_ to trust SHA-1 in
certs.  If folks want to use it internally, that's fine.  If you want to
use DANE-TA to expose your internal CA to the outside world, that's fine
too, but you need to meet the common minimum bar for protecting chain
integrity.

> Thus there is no practical exposure to SHA-1 via the public CA
> ecosystem, and as the issue is comprehensively addressed on the
> issuer side.

Today, no.  But when SHA-1 is already so broken that 2nd preimage is the
only remaining step to fall before it becomes unsuitable for certs, it's
certainly not good to encourage its continuing usage.

> Non-public CAs, on the other hand, are typically already compromised
> by the time they can be convinced to issue certificates to untrusted
> strangers, even if the hash algorithm is impeccably strong.

And this step then falls because if considering the next break rather
than "publicly known today" then the "issuing to untrusted strangers"
stops being a prerequisite for attack.

> For the record, SHA-1 use is not common.

Not common enough for me to do more than update the Exim Specification
to include a warning, which I'll do shortly.

On 2018-07-10 at 00:43 -0400, Viktor Dukhovni wrote:
> All the below have DANE-TA(2) TLSA RRs, with SHA-1 leaf sigs.
> 
>     semidefinite.de
>     iki.fi
[ *.iki.fi ]

So looks like two organizations total.  I'm not encouraging a time-bomb
break in TLS security for two orgs.


Thanks for bringing this to my attention.  I'll update docs shortly.

-Phil