Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

David Benjamin <davidben@chromium.org> Mon, 06 May 2019 19:02 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 302691200EF for <tls@ietfa.amsl.com>; Mon, 6 May 2019 12:02:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.508
X-Spam-Level:
X-Spam-Status: No, score=-9.508 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHqxQOhb61gb for <tls@ietfa.amsl.com>; Mon, 6 May 2019 12:02:37 -0700 (PDT)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D55AF1201D3 for <tls@ietf.org>; Mon, 6 May 2019 12:02:36 -0700 (PDT)
Received: by mail-qt1-x841.google.com with SMTP id a17so1948522qth.3 for <tls@ietf.org>; Mon, 06 May 2019 12:02:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=dF7ATGstTE0nmOi7ZDEoep0QltzEvI5uEBAOsic7Wj4=; b=YAnw5wrDHsDQB2reHuo23AXsKNm1pR7jI9N8bp2o6HLVCBG/Gmn1sco+4uxdyLVbuG XL6VGhpTHxUi0doayWPDsC9xpKveycR/TJbuk0QIQKgzFo77YlKKg/EiPDt7F+DnuSTD /fPM0XfiWc7YosBSCdkoD65RNGUcj/Jw38rbs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=dF7ATGstTE0nmOi7ZDEoep0QltzEvI5uEBAOsic7Wj4=; b=tn0ldtWl0lIANqILiwr3ALzCKiEQaCJohSrR/7AGkS3xqyxzktCAZ9odvYL3ku+a3W Qpmem7mdYhRHC+mklIaWj8zcIBMxu/eVpVOyUU+qEAO0Ml/l3DB4L0+We9JhL4/Aq9Ux tGuIU1qMjSYqxYgO+XkOcUpDyqe3lliKUc19r0lsUO/TX65w3Y30NL6VQvLLAjYpEfkG iq1IrIQVJkhF50OTrC4tR/gcoOUVlHms/ShnUAm54jbv4rzriGTrL4B0aKLIL/DtR1wO h1AlWuZKXeSUCE7kZd5JVma8VGYOF/YheVtnb87ao1oog8IhnAc0m7mlk9OdZgoKE/eF DNfw==
X-Gm-Message-State: APjAAAVkz1AJVjs9vu/JzYFcVKxyncY8QDcaNYChLQKiSla2kjI+M71Z fvVX4D4UORqEJVQZQlon0uLS3OH4PMH8lE1tID5daZQ=
X-Google-Smtp-Source: APXvYqy1dscDmCeSOS5Afh8PSB/X+L6Bu3zNa2mp6W3bT9NtjrQBqog2cmb8dT0+w092iQt+Lbgs8ncEmcQ9CWc7mwc=
X-Received: by 2002:ac8:2df9:: with SMTP id q54mr22687678qta.10.1557169355631; Mon, 06 May 2019 12:02:35 -0700 (PDT)
MIME-Version: 1.0
References: <28511b10-8f6a-4394-95a9-5188130f7b58@www.fastmail.com> <20190503172022.GH4464@akamai.com> <1556904629782.23087@cs.auckland.ac.nz> <16747558.couhpb2nsq@pintsize.usersys.redhat.com> <785E42E7-83FB-411F-8726-989CC8B734BC@ll.mit.edu> <CAHbuEH65=xJJr4dK=UJBMgaWFZ8h8jwtLt+Nb-jGHYB_RsjcHQ@mail.gmail.com> <20190506184141.GL67454@straasha.imrryr.org>
In-Reply-To: <20190506184141.GL67454@straasha.imrryr.org>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 6 May 2019 14:02:18 -0500
Message-ID: <CAF8qwaCVcPQk6nhUUDO_Do+fQaS5Cg1gPFCFGpv8HcnTCoyzsw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004c9a2905883cbe1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/me9qtrlap9phj6UcdskGTJtelCY>
Subject: Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2019 19:02:49 -0000

On Mon, May 6, 2019 at 1:43 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Mon, May 06, 2019 at 01:50:42PM -0400, Kathleen Moriarty wrote:
>
> > Is this better suited for another (short) draft?
>
> SHA-1 certificates are history now.  If we're raising the floor,
> it should IMHO be safe to deprecate the MD5 and SHA-1 signature
> algorithms from TLS 1.2.
>
> Does anyone have evidence of medium to long-term requirements for
> continued SHA-1 sigalg support?
>

I've been following this one for some time now. Sadly, we still see quite a
lot of SHA-1 sigalg usage with RSA, even more than we see TLS 1.0 and 1.1.
(We already removed SHA-1 with ECDSA a couple years ago.) Some of it is
because older Schannel will preferentially sign SHA-1 when offered, which
is not a problem for removal but confounds metrics. Some of it is a bug in
older OpenSSLs where, on connections with SNI, it loses track of the peer
signature algorithm preferences and then assumes SHA-1 by default. Some of
it is load balancers which implemented TLS 1.2 but failed to actually
implement sigalg negotiation, and thus only sign SHA-1.

This is a consequence of text in RFC 5246 which says, when the extension is
missing, the server should take SHA-1 as default. With the benefit of
hindsight, I think that was a mistake. It meant bugs like OpenSSL's get
papered over with SHA-1, and any implementors that chose to only sign one
algorithm would pick SHA-1.
https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1

(This is not to say there shouldn't be text in this document or another
that discourages those, or requires servers be able to sign some SHA-2
hash. But I don't expect those to be removable on the web until after TLS
1.0 and 1.1.)

David