Re: [TLS] Remove signature algorithms from cipher suites in 1.3
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Tue, 23 December 2014 11:26 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4253C1ACDB5 for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 03:26:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.402
X-Spam-Level:
X-Spam-Status: No, score=-2.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9RvUY8KK5gM for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 03:26:53 -0800 (PST)
Received: from argon.maxg.info (argon.maxg.info [94.23.252.34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9331ACDA9 for <tls@ietf.org>; Tue, 23 Dec 2014 03:26:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=bUGsN1dFPokCDdaMriQl9qfO9GCjz99e9EFAajYsXOI=; b=ia/7Wk5qgq7CJoh+vII+PE+VLGjsM+M3qbCRR7eIFv/7GhfnINZi51NzujkEgQ4Vkjq3DpflNNkGDgODdXfKdZpVaunxNK5kSIYlNq1uM+LSZlNOT+yTHu0ZZ7rvEmnB;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (envelope-from <antoine@delignat-lavaud.fr>) id 1Y3Nc2-00084T-54 ; Tue, 23 Dec 2014 12:26:50 +0100
Message-ID: <54995163.7070004@delignat-lavaud.fr>
Date: Tue, 23 Dec 2014 12:26:27 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
References: <5498DBCE.1070909@delignat-lavaud.fr> <20141223102635.3bda9ed2@pc>
In-Reply-To: <20141223102635.3bda9ed2@pc>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/k_9PI6ccVqmKaLufhTZpUzahCt0
Subject: Re: [TLS] Remove signature algorithms from cipher suites in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 11:26:56 -0000
Hi, Le 12/23/2014 10:26 AM, Hanno Böck a écrit : > Do I understand your proposal right that it'd result in: > > a) If we use the normal RSA certificates we have today TLS 1.3 would > continue using RSA-PKCS#1v1.5 > b) If the user gets a designated RSA-PSS key/certificate it'd use PSS? > > I think this would result in a near-zero-adoption for PSS probably for > a very long time because you'd depend on the CA to do anything. No, in my proposal, the algorithm used in CertificateVerify messages is negotiated based on advertised support in the "signature algorithms" extension (and supported_signature_algorithms field in CertificateRequest). Clients are encouraged to prioritize rsa-pss/sha256 over rsa/sha256 or rsa/sha1, and supporting servers may pick PSS even if their certificate chain only contains rsa/sha256 and rsa/sha1. > (Please note that the algorithm identifier for PSS already exists for > X509, it's RFC 4055. It allows Keys with an algorithm identifier > restricting to PSS, but that's no requirement - you can use the old > keys for PSS as well, as technically they're no different.) If anything, my own concern is the opposite. Allowing the same RSA key to be used to sign with both PSS and PKCS#1v1.5 is considered cryptographic malpractice, as the composition of secure and weak signatures may very well be broken. However, servers have the ability to avoid this risk by sending a different certificate depending on whether the client advertises support for PSS or not, even if the two certificates are signed with PKCS#1 (the proof of the protocol will probably assume servers enforce this behavior). Furthermore, one of the issues of PSS in RFC 4055 is its reliance on signature parameters, which have tricky agility characteristics. For everyone's sake, it may help adoption if new OIDs for PSS signatures were used that correspond to fixed parameters. In any case, this discussion is out of the scope of the TLS WG. Best, Antoine
- [TLS] Remove signature algorithms from cipher sui… Antoine Delignat-Lavaud
- Re: [TLS] Remove signature algorithms from cipher… Brian Smith
- Re: [TLS] Remove signature algorithms from cipher… Antoine Delignat-Lavaud
- Re: [TLS] Remove signature algorithms from cipher… Hanno Böck
- Re: [TLS] Remove signature algorithms from cipher… Antoine Delignat-Lavaud
- Re: [TLS] Remove signature algorithms from cipher… Brian Smith
- Re: [TLS] Remove signature algorithms from cipher… Hanno Böck
- Re: [TLS] Remove signature algorithms from cipher… Russ Housley