IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Dave Garrett <davemgarrett@gmail.com> Sat, 11 July 2015 18:32 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 101B81A9139 for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 11:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXN1GTng8Pdf for <tls@ietfa.amsl.com>; Sat, 11 Jul 2015 11:32:32 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9396D1A9138 for <tls@ietf.org>; Sat, 11 Jul 2015 11:32:32 -0700 (PDT)
Received: by qkcl188 with SMTP id l188so44305279qkc.1 for <tls@ietf.org>; Sat, 11 Jul 2015 11:32:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=pWt2utagkrM2cB9RlB00/VzUzNEgAooFp5EeJHIdmYQ=; b=NxPb760KC+Iyk7e47xmqDYKb08xLFhIStN2WOby8Yfr06p01DAeEqyQbU/HXd4uEtf oUS4iehhRqkY8dhQkt1Fwu371BzcQzSbEZavddhkIrCc3FQs8aV2GiQy1x2Qan62+fNN uNoO4ocaljHyVF6i+I/JkVHbRrbcQCTcq0ltd6Fia5zeWktExZcPdZRqvsGvlGu6rECg vdVkz/t1EPjRi4NV2rC2TDVVb7AG5YZF6FWebnwrFYYJ7pZ3r98z5J/RcfTj90LtN5y1 MyF+96USMpPdvrDRGytxp622U4wLXA3SD2+vlbyJ8xcxnfl/VTxXbvNIEWn5KxJjncpn lj2A==
X-Received: by 10.140.20.204 with SMTP id 70mr427909qgj.26.1436639551870; Sat, 11 Jul 2015 11:32:31 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by smtp.gmail.com with ESMTPSA id i197sm7952670qhc.36.2015.07.11.11.32.30 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sat, 11 Jul 2015 11:32:31 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Sat, 11 Jul 2015 14:32:29 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <CABcZeBO2k230mP+qpP+Mfr3ee9tsvWe6BOcAgCtYxj3=PzOZPg@mail.gmail.com> <20150711151729.GO28047@mournblade.imrryr.org>
In-Reply-To: <20150711151729.GO28047@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201507111432.29731.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/k290GLgF9Ad0f-_JCczHr0K4X8g>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 18:32:34 -0000

On Saturday, July 11, 2015 11:17:29 am Viktor Dukhovni wrote:
> On Sat, Jul 11, 2015 at 09:55:45AM -0400, Eric Rescorla wrote:
> > Perhaps the right text here is that if you have a conformant certificate,
> > you MUST send it, but if not, you MAY send a nonconformant one?
> 
> Correct.  It is important to try to match a supported algorithm,
> but failing that, send what you have.  It may well work just fine
> for the client, since the signatures in question are not made in
> real-time by the server, but rather at some previous time by some
> CA, which the client may not care about (pinned leaf cert, DANE
> leaf cert, opportunistic TLS, ...).
> 
> And the point about debugging also makes sense.  The client
> administrator can much more easily determine which additional
> algorithm is required to interoperate with the server.

Ok, draft language for new behavior here:

==============================
If a server receives a ClientHello, but the server cannot produce a valid
end-entity certificate using the hash/signature pairs known to be supported by
the client (via this extension or the defaults assumed in its absence),
then the server MUST send an "unsupported_certificate" alert message and
close the connection. In the event that a server can produce a valid end-entity
certificate known to be supported by the client, however the known supported
hash/signature pairs are insufficient to produce a known valid certificate
chain, the server is RECOMMENDED to send a complete valid certificate chain
which attempts to use supported hash/signature pairs where possible yet
includes certificates with unknown client support. If the client cannot build
a trusted chain using these certificates and any other trusted information it
has access to, then it MUST send an "unsupported_certificate" alert message
and close the connection. The server MAY instead choose to simply send an
"unsupported_certificate" alert message and close the connection.
==============================

Sound viable?

(this might be a bit too wordy, though; the wording throughout the document about fatal alerts could probably be simplified a bit)

I pushed the above to the morealerts WIP branch.


Dave

v2.23.0 | Report a Bug | By Email