IETF Logo Mail Archive

[TLS] Better weak hash language (was Re: AD Review of draft-ietf-tls-tls13)

Dave Garrett <davemgarrett@gmail.com> Tue, 23 May 2017 00:19 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7B8E129477 for <tls@ietfa.amsl.com>; Mon, 22 May 2017 17:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z9xdorOcACdh for <tls@ietfa.amsl.com>; Mon, 22 May 2017 17:19:50 -0700 (PDT)
Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 039C5128D3E for <tls@ietf.org>; Mon, 22 May 2017 17:19:50 -0700 (PDT)
Received: by mail-qt0-x234.google.com with SMTP id v27so115193344qtg.2 for <tls@ietf.org>; Mon, 22 May 2017 17:19:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=1GLB6Vw5pPszfqun523TqXLqVVQ906g5xzrYu+JJuKM=; b=ea2wQjTOEhskreIZOA6hQ8LAW3yWFqZ8pW1a8e8o5wPCyat0+TOTZPF3OZubvmNpIt B7pFzvbiRBAu6YV5if4KuuH9275B2SpkSiZlyr2XFOywocvKrQTrm2ajht9mIDuh6JaO aBuvjEk73/BuFYtgrtSL7qI6yBV5wHwfhQuUKVF9X3xjuyqCzn6cY4Yn+uOqfLgziC+0 pjnOzhJCJUhTh/UpyfzdYTJ+j4wk85vLQoWZWv97unOy2SJk9GKVg5xJdPAonV4L9aUa fg1HFwj/v1b+sYJ3gEO87/ysISuS58Vl38Aj91JKzWmCz0P65Pvja4cyiPaGEFt4lk6B Iq+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=1GLB6Vw5pPszfqun523TqXLqVVQ906g5xzrYu+JJuKM=; b=UTzp1MM0KA5etZwtseoyh9qOcv+P1XjMMd2TaXCiaz676kgchy2NTGbd3OYXOoXXl/ LqpBRHrP3ASSV8AlDK49WA7BVeZmfcyfi6/82Cm/7jC7MVcp/DRF1PnfWdlM0b9Vy0bp 5+6IFKjDEV/xF+0BnW0s2BfjQQfppS55d+pXmnE82Z4fzWKiFbKmLM30iEAbNEdvnoWY cFHDulP88gWSkK3WUmLe46q9GWJ/E+x/L1DmXclzORp8mUNAbQzQGVTqYtyRkgjDBsKI rkUgdfyKwPVzikoOr6eH9+9hqjXjuoLfXUToOAb7M1UysBNPrcBd/IU802Wr/26lB2M7 D0Ow==
X-Gm-Message-State: AODbwcAreNw7l4fjvHXL1PTZ2dc5JeROp1FlDqiG2edfCE4B+tkjtLQR POmsTr1HRglnDMkP
X-Received: by 10.237.63.71 with SMTP id q7mr23079592qtf.49.1495498789061; Mon, 22 May 2017 17:19:49 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-36-197.phlapa.fios.verizon.net. [71.185.36.197]) by smtp.gmail.com with ESMTPSA id q5sm12846346qtb.52.2017.05.22.17.19.47 (version=TLS1 cipher=AES128-SHA bits=128/128); Mon, 22 May 2017 17:19:48 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Mon, 22 May 2017 20:19:46 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <f262447d-5bd1-68c8-dac6-ad2224733235@akamai.com> <CABcZeBMMfp4DUcNCFUYCCP6B+UQn85bq2LSoumJdywy=0GOq4Q@mail.gmail.com> <E3BB180E-EC66-4F92-868B-E04F9E63CDF6@dukhovni.org>
In-Reply-To: <E3BB180E-EC66-4F92-868B-E04F9E63CDF6@dukhovni.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201705222019.46521.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/g-sYupDa83_fRnxfJ65p3UuJflE>
Subject: [TLS] Better weak hash language (was Re: AD Review of draft-ietf-tls-tls13)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 00:19:52 -0000

On Monday, May 22, 2017 05:31:55 pm Viktor Dukhovni wrote:
> So if putting the consensus to ban MD5/SHA-1 in its *proper context*
> is consistent with the WG consensus, let's do that.

Yes, please.

Citing discussion elsewhere in this thread (that probably should've all
been forked off with a different subject long before now...):

On Monday, May 22, 2017 05:00:20 pm Nico Williams wrote:
> On Tue, May 23, 2017 at 05:49:47AM +0900, Eric Rescorla wrote:
> > On Tue, May 23, 2017 at 5:43 AM, Nico Williams <nico@cryptonector.com>
> > wrote:
> > > Proposal:
> > >
> > >    Clients SHOULD/MUST NOT accept server certificates, or certificate
> > >    validation paths, where the server certificate or intermediate
> > >    certificates (but not trust anchors) are signed with "weak" signature
> > >    algorithms, unless the client is not expecting TLS to strongly
> > >    authenticate the server (e.g., for opportunistic use) or where the
> > >    client has previously learned and cached the server's certificate.
> > 
> > I don't think "strongly authenticate" is useful here. I think the
> > requirement is that the RP must not accept these algorithms in any
> > context which would require validating signatures made using them.
> 
> Well, I want it to be crystal clear that the "not MD5 and such"
> requirement need not apply to opportunistic TLS usage.  If you don't
> like my text, maybe you can propose your own.

My issue with this area is that we've got this fairly weird two tiered
problem where we're still pretending SHA-1 is vaguely acceptable in some
scenarios where certificates are being validated, and thus we need two
sets of language: one for weak hash MUST NOTs and another for weak hash
SHOULD NOT. The current text was written before SHA-1 was broken back in
February, so, while the topic of changing language we had consensus on is
up, I'd really like to make SHA-1 completely banned for standard certificate
authenticated TLS 1.3+ connections alongside MD5. To do this in a
non-messy way, we'd have to delete the SHA-1 special-casing and state
that TLS 1.3+ implementations can only use deprecated hashes
(MD5/SHA1/SHA224/etc) if explicitly doing opportunistic encryption or some
scenario where trust can be established without validating them. Again,
the trust anchor gets an exception here due to it being trusted directly
without need for validation, and they can get away with just a "NOT
RECOMMENDED". If we can agree to this, then the resulting text will end up
being far less problematic. If we can't get a consensus for this, I seriously
propose citing RFC 6919 s3.


Dave

v2.23.0 | Report a Bug | By Email