IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 13 July 2015 19:45 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B9511B2DE2 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 12:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gBqDFiByh-yD for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 12:45:50 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0721.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::721]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BBE41B2DDA for <tls@ietf.org>; Mon, 13 Jul 2015 12:45:49 -0700 (PDT)
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1394.namprd03.prod.outlook.com (10.163.81.140) with Microsoft SMTP Server (TLS) id 15.1.213.14; Mon, 13 Jul 2015 19:45:30 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0213.000; Mon, 13 Jul 2015 19:45:30 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
Thread-Index: AQHQuMqGail83kPeBUGeFeksHA1hqJ3QLTyAgAAI+QCAAAQ1gIAADWmAgAA2FYCAAVxcgIAAAVqAgAAEyoCAAVE1AIABlogAgAAEJoCAAAXGgIAACRQAgAADNACAAAGWgIAAA+QAgAAQkpCAAUrngIAADsEAgAAC7oCAABbWgIAANnyAgAAH4ACAAAoZgIAAB+GAgAAMDwCAAAXygIAAI+yAgAADFACAAd8BsIAACoIAgADHX/CAABhggIAAFePg
Date: Mon, 13 Jul 2015 19:45:30 +0000
Message-ID: <BLUPR03MB1396BC8D279F74007EE288CE8C9C0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <201507111709.27725.davemgarrett@gmail.com> <CABcZeBNCBrNeMKm5hCLQ741zFRpcXQ321onofH2EWJbiQrSs6w@mail.gmail.com> <201507111929.02696.davemgarrett@gmail.com> <BLUPR03MB13965B49B433823B6A04B3088C9C0@BLUPR03MB1396.namprd03.prod.outlook.com> <20150713044104.GK28047@mournblade.imrryr.org> <BLUPR03MB1396DF5184A7E3DFAF3F11028C9C0@BLUPR03MB1396.namprd03.prod.outlook.com> <20150713180153.GO28047@mournblade.imrryr.org>
In-Reply-To: <20150713180153.GO28047@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ee31::3]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1394; 5:ZIokjTxk1uKP82QyAiZOzXbkRKi3ZgkN0SfjVmV6ifUnkg2mFZXUts4nXUxZEQC6r86dl3D8phow1/AoTHRzIZD/acwBLATgwqnMdMIKVQDwRYKWOcQUnThO6UNNBM85ZyEhZcTexiwfAraynkevPg==; 24:8aYrDn/zn704ztrI0vAADzjQbMWUYAN76Mv6hJJYAM6IyH014m88iRLLAYu0Drhw5TgRLGQT1LX363Rnf02uAcePjZ1ZGfz5Uh9dqaDVp7A=; 20:NymGduWtgmNQtGXT4gOo26vz2sApJN01sWYaefrapIFRI55LwcqMqPDhj90eYkC72FUlYsqToyDfbzF/kM1qcg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1394;
blupr03mb1394: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BLUPR03MB139436620182E08531FD753A8C9C0@BLUPR03MB1394.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1394; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1394;
x-forefront-prvs: 0636271852
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(24454002)(377454003)(13464003)(5001960100002)(122556002)(110136002)(107886002)(40100003)(2900100001)(5003600100002)(77156002)(74316001)(189998001)(450100001)(2501003)(62966003)(86612001)(5002640100001)(92566002)(15975445007)(2950100001)(77096005)(102836002)(33656002)(561944003)(2656002)(54356999)(86362001)(46102003)(50986999)(19580395003)(2351001)(106116001)(19580405001)(87936001)(76176999)(93886004)(76576001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1394; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2015 19:45:30.2533 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1394
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_XGNZbrZbrKyZthXZ4HrL6MpF14>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 19:45:52 -0000

> An opportunistic TLS or DANE TLSA client cannot advertise the capability of supporting algorithms it was aware existed (by ignoring all signatures in the chain).
> We surely don't want to muddy the waters by adding "wildcard" algorithm code-points, and new APIs for clients to request that the TLS stack send those.

Would it make sense for an opportunistic client to advertise all algorithms commonly supported in the server certs? After all, there are relatively few signature/hash pairs in use, and they are changing very slowly over time.

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Viktor Dukhovni
Sent: Monday, July 13, 2015 11:02 AM
To: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

On Mon, Jul 13, 2015 at 05:11:29PM +0000, Andrei Popov wrote:

> I think a good design is to have the client explicitly advertise any 
> algorithms the client is willing/able to support, and for the server 
> to honor the client's capabilities.

To the extent possible.  However, the server SHOULD NOT refuse to continue the handshake merely because it believes that some certificates in its chain might have signatures the client can't check.  The point being that the client may not need or attempt to check those signatures.

> IMHO the existing specs already meet the above goal,

No, the language about the certificate chain is needlessly restrictive.
The decision as to whether the chain works for the client or not, SHOULD be left to the client.  The server's job is to *try* to avoid problems by sending a known-compatible chain when available.

> No, I don't care for SHA1; let's deprecate it ASAP. I do care for a 
> straightforward and deterministic handshake where the client MUST 
> advertise supported algorithms and the server MUST honor the client's capabilities.

The MUST honour bit cleanly applies to choices of algorithms in signature the server makes during and after the handshake.  However, honouring the algorithms for the chain signatures is more subtle.
Yes, send a compatible chain when possible, HOWEVER, DO NOT prejudge the client's inability to handle an alternative chain if that's all you have.  As explained before, opportunistic TLS, DANE, pinning, ...  may mean that the client does not in fact examine the signatures in the chain and the handshake would succeed, if only the server were not needlessly pedantic.

Let's not be needlessly pedantic.

> Having shipped a product that implements the strict interpretation of 
> the current specs (WRT signature_algorithms) for a number of years 
> now, I remember exactly 3 related problem reports. Without pointing 
> fingers (as much as possible), here they are:

Past performance is not a guarantee of future returns.

Today, TLS 1.2 clients generally support all the defined hash algorithms, so problems are rare.  In the future, there will be new hash algorithms that not all clients will support, and there will servers with chains that are signed with bleeding-edge algorithms, there's no need to reject connections from clients that don't need to verify said signatures.


> My preference would be to keep the client explicitly advertising its 
> capabilities, and the server strictly honoring the client-advertised 
> capabilities. And since the concept of "default algorithms" confuses 
> people, let's just get rid of it in 1.3. Conveniently, most of this WG 
> no longer wants SHA1 or MD5. Why not just make signature_algorithms 
> (even
> more) clearly and unambiguously MTI in 1.3?

An opportunistic TLS or DANE TLSA client cannot advertise the capability of supporting algorithms it was aware existed (by ignoring all signatures in the chain).

We surely don't want to muddy the waters by adding "wildcard"
algorithm code-points, and new APIs for clients to request that the TLS stack send those.

The proposal on the table is simply sensible.  The server lacks sufficient information to make an informed decision as to whether its chain is unacceptable, and therefore should send whatever chain it has if it lacks a known compatible chain.  This is simply sound engineering.  The alternative is needless incompatibility. 

That this also fixes the problem for some folks who don't want to make sending the extension mandatory (and happen to get back a chain they can accept) is a harmless accident.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email