Re: [TLS] Delegated Credentials Question about PSS

Russ Housley <housley@vigilsec.com> Tue, 15 October 2019 22:58 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2921D120104 for <tls@ietfa.amsl.com>; Tue, 15 Oct 2019 15:58:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrgqN_IUy_Uu for <tls@ietfa.amsl.com>; Tue, 15 Oct 2019 15:58:31 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9AD912003E for <tls@ietf.org>; Tue, 15 Oct 2019 15:58:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F173A300AB7 for <tls@ietf.org>; Tue, 15 Oct 2019 18:58:29 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id TF-R9op9dA8l for <tls@ietf.org>; Tue, 15 Oct 2019 18:58:28 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id 171003004AF; Tue, 15 Oct 2019 18:58:28 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <D11B62D0-2970-478F-A987-CECB45D58976@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0C498091-7628-4E45-A9E8-A10680E4429B"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 15 Oct 2019 18:58:28 -0400
In-Reply-To: <CAFDDyk-ohwH4pfeen8iFRHCqb8Pb95-DagORA_NtgaG9AWyoMQ@mail.gmail.com>
Cc: IETF TLS <tls@ietf.org>
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
References: <CAFDDyk-ohwH4pfeen8iFRHCqb8Pb95-DagORA_NtgaG9AWyoMQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jniu1ap5QJcQSSkdsKNxjCOmQok>
Subject: Re: [TLS] Delegated Credentials Question about PSS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 22:58:34 -0000

When we were working on RFC 4055, we thought it would be important to allow a certified RSA public key to be bound to a specific algorithm (e.g., RSA-PSS or RSA-OAEP).  However, in transition, we thought it would be important for the certified RSA public key to be used with any of the algorithms (constrained by key usage extension).

Section 1.2 says:

   The rsaEncryption object identifier continues to identify the subject
   public key when the RSA private key owner does not wish to limit the
   use of the public key exclusively to either RSASSA-PSS or RSAES-OAEP.

   ...

   When the RSA private key owner wishes to limit the use of the public
   key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object
   identifier MUST be used in the algorithm field within the subject
   public key information ...

   When the RSA private key owner wishes to limit the use of the public
   key exclusively to RSAES-OAEP, then the id-RSAES-OAEP object
   identifier MUST be used in the algorithm field within the subject
   public key information ...

I would like to continue with the approach.

Russ


> On Oct 15, 2019, at 6:34 PM, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>; wrote:
> 
> TLSWG,
> 
> I'd like some feedback on a potential issue raised by Martin Thomson at the last IETF. The question is about the interaction between the SPKI and the signature scheme for RSA delegated credentials. The main concern is around the interaction between the rsaEncryption OID and the signature scheme, specifically PKCS#1v1.5, which we disallow in TLS 1.3 but not explicitly in DCs (yet). This issue is tracked on Github as issues/28 <https://github.com/tlswg/tls-subcerts/issues/28>;.
> 
> Given the feedback on Github, I see two main choices to resolve this issue:
> 
> 1) Allow RSA Credentials with the rsaEncryption OID in the SPKI to be used with the rsa_pss_rsae_* signature schemes, but disallow rsa_pkcs1_* signature schemes.
> 2) Forbid RSA Credentials with the rsaEncryption OID (and associated signature schemes) and require an RSA PSS OIDs for rsa_pss_pss_* signature schemes.
> 
> Does anyone have a strong preference for one of these options?
> 
> My take:
> The rsa_pss_rsae_* suites are a hack created to allow TLS 1.3 to be backward-compatible with existing rsaEncryption OID certs while enabling RSA-PSS. We don't have this legacy in delegated credentials, so I'm inclined to prefer 2).
> 
> The only reason I see to go for 1) is the risk of implementation difficulties. The RSA PSS OIDs are hard to get right in code. However, considering that RSA DCs are unlikely to be widely used in favor of elliptic-curve DCs, the implementation risk seems low and restricted to implementations who choose to support RSA DCs as an optional feature.
> 
> Nick
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls