Re: [TLS] raising ceiling vs. floor (was: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt)

Phil Pennock <phil.pennock@spodhuis.org> Tue, 10 July 2018 18:13 UTC

Return-Path: <phil.pennock@spodhuis.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53F47131050 for <tls@ietfa.amsl.com>; Tue, 10 Jul 2018 11:13:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spodhuis.org header.b=nLA2VG/n; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=spodhuis.org header.b=0Ms6GTWe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zNhUQaqf1_fy for <tls@ietfa.amsl.com>; Tue, 10 Jul 2018 11:13:44 -0700 (PDT)
Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D395113102A for <tls@ietf.org>; Tue, 10 Jul 2018 11:13:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201804; h=In-Reply-To:Content-Type:MIME-Version:Message-ID :Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=1uGnGZJZJEN828KacuP9ueiFqdT4A0MhUDeioS10ltA=; b=nLA2VG/nnM9szClE8PJNE3JV7O bmswa0l1A6dLxdvhgbwBQ4bxuFDOUSLqwCW/GZ4ycbSAmm4DGZfguNuFdXdUFvERYLcPBftHHynn1 CsZKfdfPOpwPUBP+KRK8Qhc4zmUlB5W7wZmXb2o9jM5Jh6mPkiK+gFlg5EGQG7gdFO+mUxH/W5QKQ Vzf3Rg3ZstBFymQIbxrnTBxVvVTgY/11KYM1OTUIg/fv5Ijhe7rU9p4ZQhBGLhxwPes45vLNLCpPD IkHzgJ7IWBbZcdaLGCuVDnrrAbk0gRLsj0RmWofwb6GM48wRkEzxYPTMNlOk93tezkPHPlp7Xq5RO BvaLHq4Q==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201804e2; h=In-Reply-To:Content-Type:MIME-Version: Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:References:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=1uGnGZJZJEN828KacuP9ueiFqdT4A0MhUDeioS10ltA=; b=0Ms6GTWe/xIgeD4OY9tJXLgTBL 85dBVUOJGhj3HKl+q1wTSIBJPAZKCvhXrs5Q2HMUyqoalOuCyhyH0hAPK5AA==;
Received: from authenticated user by smtp.spodhuis.org with esmtpa id 1fcx8t-000Aqy-R9; Tue, 10 Jul 2018 18:13:40 +0000
Date: Tue, 10 Jul 2018 14:13:37 -0400
From: Phil Pennock <phil.pennock@spodhuis.org>
To: Viktor Dukhovni <viktor@dukhovni.org>
Cc: tls@ietf.org
Message-ID: <20180710181336.GA47412@osmium.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180710044324.GG85096@straasha.imrryr.org> <20180710041755.GD85096@straasha.imrryr.org>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/0x4D1E900E14C1CC04.asc
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_0_IVxBQm7M6H3GGBv5QSRSBjrs>
X-Mailman-Approved-At: Tue, 10 Jul 2018 11:38:00 -0700
Subject: Re: [TLS] raising ceiling vs. floor (was: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 18:13:53 -0000

On 2018-07-10 at 00:17 -0400, Viktor Dukhovni wrote:
> More generally, as noted in RFC7435, you get more security by raising
> the ceiling than by raising the floor.

+1, including to the points about SMTP fallback to cleartext, etc.

> For example, I recently learned that current GnuTLS
> versions by default no longer validate certificates with SHA-1
> issuer signatures, and that current versions of Exim linked with
> these GnuTLS releases fail to validate some DANE-TA(2) chains issued
> by private-CAs that still use SHA-1.  And yet:

That's fine by me.  Linking against GnuTLS has long had implications for
mail delivery.  It blocked SSLv3 at a time when SSLv3 was still fairly
widespread in corporate circles (Exchange).  Folks who care about TLS
interop for real mail-systems use OpenSSL.

For myself, I think that since SHA-1 has practical collision attacks
today, the next break will be second preimage attacks, at which point
the use in certificates is dead.  Whether that comes tomorrow or three
years from now, I don't know.

It's appropriate to not re-enable SHA-1 at a point where the entire
non-SMTP ecosystem has moved away from it and nobody should be asking
_other people outside their own administrative domain_ to trust SHA-1 in
certs.  If folks want to use it internally, that's fine.  If you want to
use DANE-TA to expose your internal CA to the outside world, that's fine
too, but you need to meet the common minimum bar for protecting chain
integrity.

> Thus there is no practical exposure to SHA-1 via the public CA
> ecosystem, and as the issue is comprehensively addressed on the
> issuer side.

Today, no.  But when SHA-1 is already so broken that 2nd preimage is the
only remaining step to fall before it becomes unsuitable for certs, it's
certainly not good to encourage its continuing usage.

> Non-public CAs, on the other hand, are typically already compromised
> by the time they can be convinced to issue certificates to untrusted
> strangers, even if the hash algorithm is impeccably strong.

And this step then falls because if considering the next break rather
than "publicly known today" then the "issuing to untrusted strangers"
stops being a prerequisite for attack.

> For the record, SHA-1 use is not common.

Not common enough for me to do more than update the Exim Specification
to include a warning, which I'll do shortly.

On 2018-07-10 at 00:43 -0400, Viktor Dukhovni wrote:
> All the below have DANE-TA(2) TLSA RRs, with SHA-1 leaf sigs.
> 
>     semidefinite.de
>     iki.fi
[ *.iki.fi ]

So looks like two organizations total.  I'm not encouraging a time-bomb
break in TLS security for two orgs.


Thanks for bringing this to my attention.  I'll update docs shortly.

-Phil