Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 30 November 2014 10:10 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CEEB1A0018 for <tls@ietfa.amsl.com>; Sun, 30 Nov 2014 02:10:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mOUdV6A8qL_Y for <tls@ietfa.amsl.com>; Sun, 30 Nov 2014 02:10:00 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BE281A0013 for <tls@ietf.org>; Sun, 30 Nov 2014 02:09:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1417342202; x=1448878202; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=60698mBT7u5bg7t8OJUJDIvBPAnkwj0Lb7PNkmPa1JA=; b=ZRYkanic4qMLkszSktbXBtjLERBQ0VIuWotlq6NbS84ZqbH0fn+vp2lj R86WZOn1qJnP3qItKqidAt7HXowS+a6FPU07dy5Uv9/bqN5qZNJgbkrbv MGjWGENpb1MDEJcYbZbtHoknyymDUh0l1oXWexDhZ3WMKOPPNn1QXMdUJ w=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="293897385"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 30 Nov 2014 23:09:58 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.139]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0174.001; Sun, 30 Nov 2014 23:09:56 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] WG adoption: draft-nir-tls-rfc4492bis
Thread-Index: AdAMhcqRURR5jkHMSL26EXhLM3yQJw==
Date: Sun, 30 Nov 2014 10:09:56 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9F7A14@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fSsVdVwJhRIEFffyxHRV-nPwuMU
Subject: Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Nov 2014 10:10:05 -0000
Stephen Checkoway <s@pahtak.org> writes: >TLS 1.2 specifies > > If the client provided a "signature_algorithms" extension, then all > certificates provided by the server MUST be signed by a > hash/signature algorithm pair that appears in that extension. Which is one of the nonsensical requirements in TLS 1.2 that you pretty much have to ignore in order to get an implementation that works (it's been discussed on the list before). Consider how this is supposed to work in practice: A client connects to Amazon and asks for ECDSA_P521_WITH_SHA384. Amazon puts the client on hold and goes to Verisign and requests that they reissue their entire cert hierarchy up to the root using ECDSA-P521 with SHA384, and then buys a new certificate using the requested algorithm. They then wait for Windows Update to propagate the new CA certs out to the client, and after a few weeks on hold the client connects. At the time this was discussed, the approach by everyone who contributed was that the client got whatever the server had available. In the rare cases where the server had more than one cert then "signature_algorithms" could be used to implement a MAY, but it still won't change the fact that beyond the server cert you get what the CA gives you and nothing else, no matter what the TLS 1.2 RFC may wish for. Peter.
- [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Nikos Mavrogiannopoulos
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Yoav Nir
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Yoav Nir
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Rex
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Yoav Nir
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Rex
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Thomson
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Thomson
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Peter Gutmann
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Thomson
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Ryan Sleevi
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Ilari Liusvaara
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Stephen Checkoway
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Sean Turner
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Peter Gutmann
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Jeffrey Walton
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Peter Gutmann
- Re: [TLS] WG adoption: draft-nir-tls-rfc4492bis Martin Rex