Re: [TLS] raising ceiling vs. floor (was: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt)
Phil Pennock <phil.pennock@spodhuis.org> Tue, 10 July 2018 18:13 UTC
Date: Tue, 10 Jul 2018 14:13:37 -0400
From: Phil Pennock <phil.pennock@spodhuis.org>
To: Viktor Dukhovni <viktor@dukhovni.org>
Cc: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_0_IVxBQm7M6H3GGBv5QSRSBjrs>
On 2018-07-10 at 00:17 -0400, Viktor Dukhovni wrote:
> More generally, as noted in RFC7435, you get more security by raising
> the ceiling than by raising the floor.

+1, including to the points about SMTP fallback to cleartext, etc.

> For example, I recently learned that current GnuTLS
> versions by default no longer validate certificates with SHA-1
> issuer signatures, and that current versions of Exim linked with
> these GnuTLS releases fail to validate some DANE-TA(2) chains issued
> by private-CAs that still use SHA-1. And yet:

That's fine by me. Linking against GnuTLS has long had implications for
mail delivery. It blocked SSLv3 at a time when SSLv3 was still fairly
widespread in corporate circles (Exchange). Folks who care about TLS
interop for real mail-systems use OpenSSL.

For myself, I think that since SHA-1 has practical collision attacks
today, the next break will be second preimage attacks, at which point
the use in certificates is dead. Whether that comes tomorrow or three
years from now, I don't know. It's appropriate to not re-enable SHA-1
at a point where the entire non-SMTP ecosystem has moved away from it
and nobody should be asking _other people outside their own
administrative domain_ to trust SHA-1 in certs. If folks want to use it
internally, that's fine. If you want to use DANE-TA to expose your
internal CA to the outside world, that's fine too, but you need to meet
the common minimum bar for protecting chain integrity.

> Thus there is no practical exposure to SHA-1 via the public CA
> ecosystem, and as the issue is comprehensively addressed on the
> issuer side.

Today, no. But when SHA-1 is already so broken that 2nd preimage is the
only remaining step to fall before it becomes unsuitable for certs,
it's certainly not good to encourage its continuing usage.

> Non-public CAs, on the other hand, are typically already compromised
> by the time they can be convinced to issue certificates to untrusted
> strangers, even if the hash algorithm is impeccably strong.

And this step then falls because if considering the next break rather
than "publicly known today" then the "issuing to untrusted strangers"
stops being a prerequisite for attack.

> For the record, SHA-1 use is not common.

Not common enough for me to do more than update the Exim Specification
to include a warning, which I'll do shortly.

On 2018-07-10 at 00:43 -0400, Viktor Dukhovni wrote:
> All the below have DANE-TA(2) TLSA RRs, with SHA-1 leaf sigs.
>
> semidefinite.de
> iki.fi [ *.iki.fi ]

So looks like two organizations total. I'm not encouraging a time-bomb
break in TLS security for two orgs.

Thanks for bringing this to my attention. I'll update docs shortly.

-Phil
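An added example, not code from the thread nor from Exim or GnuTLS: a small Python check that walks the certificates in a PEM chain (such as the chain an SMTP server presents for a DANE-TA(2) TLSA record) and reports any whose outer signatureAlgorithm is a SHA-1 variant, which is what current GnuTLS refuses to validate. The minimal DER reader, the SHA1_SIG_OIDS table and the sample chain are all constructed here; the sample "certificates" are syntactic skeletons with a real signature-algorithm field, not real certificates.

```python
import base64, re

# Signature-algorithm OIDs that use SHA-1 (dotted form); chains using them fail under current GnuTLS.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, content, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OID content bytes into dotted form."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    _, cert, _ = der_tlv(der)            # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, after_tbs = der_tlv(cert)      # skip tbsCertificate
    _, sig_alg, _ = der_tlv(cert, after_tbs)
    tag, oid, _ = der_tlv(sig_alg)       # AlgorithmIdentifier.algorithm
    return decode_oid(oid) if tag == 0x06 else None

def sha1_signed(pem_chain):
    """(index, algorithm name) for every chain member whose signature uses SHA-1."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_chain, re.S)
    oids = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]
    return [(i, SHA1_SIG_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIG_OIDS]

def tlv(tag, content):  # tiny DER encoder for the constructed sample (content shorter than 128 bytes)
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid):
    """Constructed Certificate skeleton carrying the given signature OID bytes; not a real cert."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                    # stand-in tbsCertificate (serial only)
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))   # AlgorithmIdentifier { oid, NULL }
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))     # + placeholder signature BIT STRING
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SHA1_RSA, SHA256_RSA = bytes.fromhex("2A864886F70D010105"), bytes.fromhex("2A864886F70D01010B")
CONSTRUCTED_CHAIN = sample_cert(SHA1_RSA) + sample_cert(SHA256_RSA)  # SHA-1 leaf sig, then the CA cert
```

Run against the PEM chain a server actually presents (e.g. saved from an `openssl s_client -starttls smtp -showcerts` session) to find the member that will trip GnuTLS-linked Exim.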