Re: [TLS] Consistency for Signature Algorithms?
Benjamin Kaduk <bkaduk@akamai.com> Fri, 21 July 2017 19:37 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A4861315FE for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 12:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J97N4I3go1am for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 12:37:45 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87EEF131B5B for <tls@ietf.org>; Fri, 21 Jul 2017 12:37:45 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v6LJb9LH000907; Fri, 21 Jul 2017 20:37:44 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=jan2016.eng; bh=qVHd1IaicJy4slVMkus77XWwvYKBKdoVjyWidmshtp4=; b=kellTT+63yx8ZQJqFuoejR0r8Qzeu7feYigYgj9v4VImCmpaSkZBwIBl6xrAMzhryHBB uxtmL9ZGG+hW9Ew5JBN4bVVBThS3LR7SK8RF5v40681HR5VfG3qLGmoNkHI2WA0YviFS yLWVByW7jOfMyQhD45T9WkSojey4q1G0yrkEnI2usM1FHJyeYjbPbcPxcLRFYRHTp691 lfhwPWcWljnNNT4gkJOm2Utw9CiaioiATfAQkfcv0eJLMuBGRdfTOpr57Amjl3HkF2Y0 N0nBcCsQF8RKGR053FgK/F08WccuByD5kupnOn6UBw/Dg9p8SQ5CoTF5WQK7PBILtXEk /A==
Received: from prod-mail-ppoint3 ([96.6.114.86]) by m0050093.ppops.net-00190b01. with ESMTP id 2bs7vssyfq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 21 Jul 2017 20:37:43 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v6LJa6Xp017509; Fri, 21 Jul 2017 15:37:42 -0400
Received: from prod-mail-relay15.akamai.com ([172.27.17.40]) by prod-mail-ppoint3.akamai.com with ESMTP id 2bqecvthu6-1; Fri, 21 Jul 2017 15:37:42 -0400
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay15.akamai.com (Postfix) with ESMTP id 82DCB20066; Fri, 21 Jul 2017 13:37:42 -0600 (MDT)
To: Hubert Kario <hkario@redhat.com>
Cc: tls@ietf.org
References: <3586282.tDsyLpRkWM@pintsize.usersys.redhat.com> <2a648a63-8299-1a9c-776e-f5d043371055@akamai.com> <3673860.07CCjCncdc@pintsize.usersys.redhat.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <6f6bf32f-5c73-9213-969a-2fdf1a4c48a2@akamai.com>
Date: Fri, 21 Jul 2017 14:37:42 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <3673860.07CCjCncdc@pintsize.usersys.redhat.com>
Content-Type: multipart/alternative; boundary="------------E40CB803024DDF1B4E8D1225"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-21_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707210306
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-21_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707210307
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i7yUkCA4Pm6vbBhjij1leaQVXVY>
Subject: Re: [TLS] Consistency for Signature Algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 19:37:47 -0000
On 07/21/2017 09:34 AM, Hubert Kario wrote: > On Friday, 21 July 2017 15:38:32 CEST Benjamin Kaduk wrote: >> On 07/21/2017 08:23 AM, Hubert Kario wrote: >>> Signature Algorithms for ECDSA now define both the curve and the hash >>> >>> algorithm: >>> ecdsa_secp256r1_sha256(0x0403), >>> ecdsa_secp384r1_sha384(0x0503), >>> ecdsa_secp521r1_sha512(0x0603), >>> >>> This is in contrast to the TLS 1.2 protocol, where any hash can be used >>> with any curve. >> I assume you saw >> https://www.ietf.org/mail-archive/web/tls/current/msg23714.html which >> raised a different question in this same general area. >> >> I do not see how the response here cannot be the same as it was there: >> namely, that the current formulation is assumed to have WG consensus, >> having been through two WGLCs; there would need to be rather strong >> reasons to make changes at this stage. > MTI (section 9.1) says only that ecdsa_secp256r1_sha256 is mandatory (MUST) > and no word about any of the other two. > > given that we already have CAs that use P-384 for signatures. I'd say this is > a big conflict between theory and practice. > I'm afraid I don't understand this remark. There is the caveat to which Ilari alludes, that the server can send whatever chain it has, if the server can't send a chain that complies with the client's signature_algorithms. Since certificate validation is assumed to be largely a function of the PKI library and not really in scope for the TLS spec itself, this is not particularly problematic. The other main usage of the signature_algorithms limits what can be used in CertificateVerify, which is directly relevant to TLS and depends on the key attested to in the certificate. Are you claiming that there are servers that only possess certificates with p384 keys (i.e., no RSA or p256 or other fallback cert)? -Ben
- [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Ilari Liusvaara
- Re: [TLS] Consistency for Signature Algorithms? Watson Ladd
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Dr Stephen Henson
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Benjamin Kaduk
- Re: [TLS] Consistency for Signature Algorithms? Viktor Dukhovni
- Re: [TLS] Consistency for Signature Algorithms? Hubert Kario
- Re: [TLS] Consistency for Signature Algorithms? Eric Rescorla
- Re: [TLS] Consistency for Signature Algorithms? Blumenthal, Uri - 0553 - MITLL