IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Eric Rescorla <ekr@rtfm.com> Sat, 11 July 2015 13:56 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D0CB1A8928 for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 06:56:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.077
X-Spam-Level:
X-Spam-Status: No, score=-0.077 tagged_above=-999 required=5 tests=[FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cpb4iYA5T-sx for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 06:56:27 -0700 (PDT)
Received: from mail-la0-f45.google.com (mail-la0-f45.google.com [209.85.215.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53C061A8924 for <tls@ietf.org>; Sat, 11 Jul 2015 06:56:27 -0700 (PDT)
Received: by lagx9 with SMTP id x9so279151072lag.1 for <tls@ietf.org>; Sat, 11 Jul 2015 06:56:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=valRZpS5ybGh+QVdPw/rmCsEfkKwhU9xD5zq+lOhvXg=; b=Vhn8YD5ypZ74ml1xyQ1Ghh5eNn/w2aDl2zaB8CMdBksrgn7H+PTQgDh7hyaVcZ4c6M I6om1c2UiYWsSDM0sxbEhaVx1BogIm7uszs/baWhQ7QQ6nX5GAcMRdwEN6anLrZdK8MD FzxF+JyRX+QPO44D/VaCvkZWwPeqTsNTNyUg6Eb/dxSvWoRu7bIHbXdDBXgbEc+XtceN NyG9GEJ9jp79tNH2xSUy8dV11VezQr7bT5cL1QHxkYCYI+/ykL5+HScXN1remU/Xs0qD ghAZcOMzQnsJwNqGJFEhskaTUWbPsb9nXTWL6fqjZymW/2jADqQN585Q0xyYtX+QdYG4 s3EQ==
X-Gm-Message-State: ALoCoQkscoJJyymyTqUZUyZwLX3Q1fOweW3U5xrjTgBRT19FHhMKPmKi2jENWAx5dVb5BKfQWg4X
X-Received: by 10.152.37.228 with SMTP id b4mr24114598lak.117.1436622985433; Sat, 11 Jul 2015 06:56:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.99.103 with HTTP; Sat, 11 Jul 2015 06:55:45 -0700 (PDT)
In-Reply-To: <20150711134516.GA6970@LK-Perkele-VII>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <201507101137.44703.davemgarrett@gmail.com> <20150710154912.GU28047@mournblade.imrryr.org> <201507101154.53812.davemgarrett@gmail.com> <20150710160848.GW28047@mournblade.imrryr.org> <BLUPR03MB139645B664D7C3998B2DAA3C8C9F0@BLUPR03MB1396.namprd03.prod.outlook.com> <CABcZeBNs9+h9UWfu=eDC3JBQ1ULCcuBSOK8B9JdDsiX-Ne5g2g@mail.gmail.com> <20150711134516.GA6970@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 11 Jul 2015 09:55:45 -0400
Message-ID: <CABcZeBO2k230mP+qpP+Mfr3ee9tsvWe6BOcAgCtYxj3=PzOZPg@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="089e014939fcb92c48051a99dae4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_ePdCdmkckE8vP8V-D5OlCuyvx8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 13:56:30 -0000

This makes a certain amount of sense (though I wonder how often it's really
an issue that a server declines to send a certificate that would otherwise
have worked to a compliant client [0]).

Perhaps the right text here is that if you have a conformant certificate,
you
MUST send it, but if not, you MAY send a nonconformant one?

-Ekr

[0] As you say, with a buggy client all bets are off.


On Sat, Jul 11, 2015 at 9:45 AM, Ilari Liusvaara <
ilari.liusvaara@elisanet.fi> wrote:

> On Sat, Jul 11, 2015 at 08:52:27AM -0400, Eric Rescorla wrote:
> > I'm not necessarily opposed to relaxing this requirement on the server,
> > but given that:
> >
> > 1. SHA-1 is on its way out.
> > 2. Future versions of TLS seem very likely to explicitly indicate which
> > hash algorithms the clients support.
> >
> > I'm kind of confused about the principle being espoused here. In general,
> > when the client has told the server what's acceptable and the server
> > doesn't have it, we abort the handshake. What makes this case different
> > from (say) the client only supporting P256 and the server only supporting
> > Curve25519 but deciding to send Curve25519 anyway?
>
> The ECDH example involves something that will certainly blow up. Same with
> the server signature itself being made with unsupported algorithm.
>
> But with sending non-compliant certificates, the further up the chain the
> non-complance is, the more likely client processing will terminate before
> the client hits the "bad" signature and chokes. In some cases the last
> thing client processes might even be the public key of the end-entity
> certificate (never reaching the issuer signature of any certificate
> in chain).
>
>
> So if server wants to make last-ditch hail mary attempt, it would be
> picking certificate chain that contains accepted algorithms as far
> as possible (if it doesn't have EE certificate that can sign using
> the indicated algorithms, it can abort right away because it is
> not going to work[1]). It may or may not work, but at least it has
> the greatest probability of working.
>
>
> [1] Unless the client is buggy.
>
>
> -Ilari
>

v2.23.0 | Report a Bug | By Email