Re: [TLS] Moving SHA-1 signature schemes to not recommended in draft-ietf-tls-md5-sha1-deprecate

Sean Turner <sean@sn3rd.com> Fri, 18 September 2020 14:28 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 519B63A0A01 for <tls@ietfa.amsl.com>; Fri, 18 Sep 2020 07:28:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FEBa2U41qHME for <tls@ietfa.amsl.com>; Fri, 18 Sep 2020 07:28:26 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AFEC3A09F2 for <tls@ietf.org>; Fri, 18 Sep 2020 07:28:26 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id 16so6234989qkf.4 for <tls@ietf.org>; Fri, 18 Sep 2020 07:28:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Ag7M4yNcA/rpYMzU6Hcytw68gUM2oBfrWnzLWJ5XBok=; b=dhCd7bZ8jFTtf7w9bjDnPbLtcMDPpdTot7jmSTM0M2GbGyNf4qOUwNx9nSTQ0RoCaP ePVtuEEiX9hx4kyYpm039ZVqlMwtuUI43t9vibYAsIb3ZMuDJThIaKp5mNKs781hCQ36 HpXkigROyCjbWveeytg6awKofB3SyCztQyJ1k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Ag7M4yNcA/rpYMzU6Hcytw68gUM2oBfrWnzLWJ5XBok=; b=opkgNmhP+lZKewQLvey+PUfwct4uCo48LjZ6zo4sPJ2y+yVAdg1YlC9NEG9i/CiQW0 PXgFf8CpcCa4QD9vCDvlOalR6szwNKwR9dnZ8sZg2WrYiuKSJzfSU6RdZOBS2C7+KRpy 6lOM/03SmtSwd781gnOO6oJqghRf8AeSZyeTln9Rpn67Y8FSXIUO6Y3+Y+PsD/Gwk8us 38LpV71fVxWgk+sI8cDckERhNx3zg4r3oQ1k4MENZHDv6Z2PtiBX9nQjGQT90TWMK4iS RFLL/P1s5QHwUdXH04vFUVtFy61aNZGBYYzIkXhK0pxIfsr6SfwMS7mbamh9WMWIXDK6 1HBw==
X-Gm-Message-State: AOAM532CIZyizISdpbNXNeqOaXRZUmzoalQPPSL3FHALUfcj/GY0s9p1 ijGH6PpZi45Y8uWYvpur/Sx+EQ==
X-Google-Smtp-Source: ABdhPJyO2Dk19h9HRAvjOswvvqZzfOy2q5itiVxxu4S9n0I3gGYHKX3mCip5Evsp2tyxBFCoEieB3Q==
X-Received: by 2002:a37:44c7:: with SMTP id r190mr32254789qka.253.1600439305462; Fri, 18 Sep 2020 07:28:25 -0700 (PDT)
Received: from [192.168.1.152] (pool-108-31-39-252.washdc.fios.verizon.net. [108.31.39.252]) by smtp.gmail.com with ESMTPSA id t11sm2222705qtp.32.2020.09.18.07.28.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Sep 2020 07:28:24 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <49C2B577-FD06-44E7-A6E1-6F74E2AB85A9@akamai.com>
Date: Fri, 18 Sep 2020 10:28:23 -0400
Cc: Joe Salowey <joe@salowey.net>, TLS List <tls@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-tls-md5-sha1-deprecate@ietf.org" <draft-ietf-tls-md5-sha1-deprecate@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DC52F167-32B5-499E-B86D-FD520CE1288D@sn3rd.com>
References: <CAOgPGoAj-Pf4jWKuZuNS=Dh0V3WV9e5cHbQcFVBnmxd=93AebQ@mail.gmail.com> <49C2B577-FD06-44E7-A6E1-6F74E2AB85A9@akamai.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gXyUpnLLyB0rUqp3mCZP1aPkvcw>
Subject: Re: [TLS] Moving SHA-1 signature schemes to not recommended in draft-ietf-tls-md5-sha1-deprecate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 14:28:30 -0000

Rich,

Just to close the loop on this, there are three values: Y, N, and blank. I tend to think we should mark is as “N”:

   If an item is not marked as "Recommended" (i.e., "N"), it does not
   necessarily mean that it is flawed; rather, it indicates that the
   item either has not been through the IETF consensus process, has
   limited applicability, or is intended only for specific use cases.

That specific use case is two servers talking an old version to each other in whatever setting they are being used in.

Also, should we be adding “_legacy” to the names of the code points as was done for rsa_pkcs1_sha256_legacy by:
https://www.ietf.org/archive/id/draft-davidben-tls13-pkcs1-00.txt?

spt


> On Jun 25, 2020, at 08:35, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> 
> 	• I submitted a PR [1] for draft-ietf-tls-md5-sha1-deprecate to move the recommended IANA registry entries for  rsa_pkcs1_sha1 and ecdsa_sha1 in the Signature Scheme registry from Y to N.   This change can be incorporated with any updates from the AD review.  
>  
> Yes yes yes.
>  
> Or no no no?
>  
> I think it is remove the “Y” and leave blank, right?
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls