Re: [TLS] Updated TLS 1.2 I-D
"Gregory Chudov" <gchudov@gmail.com> Fri, 14 July 2006 06:19 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1H1Z-00051B-CR; Fri, 14 Jul 2006 02:19:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1H1Y-000516-MG for tls@ietf.org; Fri, 14 Jul 2006 02:19:40 -0400
Received: from py-out-1112.google.com ([64.233.166.177]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G1H1X-00033C-Eo for tls@ietf.org; Fri, 14 Jul 2006 02:19:40 -0400
Received: by py-out-1112.google.com with SMTP id t32so543191pyc for <tls@ietf.org>; Thu, 13 Jul 2006 23:19:39 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FLJxU6E0A9tQp4D0Fsj1odRjJMaRuT09+anlF7obhDJXO+UC+vfNJ6RxLddJqDCh87v0wKdoPHNQgiYCCxIOQC3C49fZrJGP98WNq9x2e//to6jkm1waKDBUgUQYNiMTQSXGyGBJfYrAjfK7vlKBHuhyDuk4AiFrW9MpB1thNVk=
Received: by 10.35.37.18 with SMTP id p18mr1588798pyj; Thu, 13 Jul 2006 23:19:39 -0700 (PDT)
Received: by 10.35.37.3 with HTTP; Thu, 13 Jul 2006 23:19:38 -0700 (PDT)
Message-ID: <4717c1330607132319g57470479l4892d842302b7ea0@mail.gmail.com>
Date: Fri, 14 Jul 2006 10:19:38 +0400
From: Gregory Chudov <gchudov@gmail.com>
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] Updated TLS 1.2 I-D
In-Reply-To: <20060625170241.E4704222425@laser.networkresonance.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20060625170241.E4704222425@laser.networkresonance.com>
X-Spam-Score: 1.9 (+)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Concerning Certificate Verify message: > If the SignatureAlgorithm > is DSA, then the sha_hash value must be used. If it is RSA, > the same function (denoted Hash) must be used as was used to > create the signature for the client's certificate. This doesn't look reasonable. Aside from general "bad feeling" about this, i have at least three examples in which this causes trouble: 1) First situation is a constrained client, which uses client_certificate_url extension, and doesn't have to know it's own certificate, only it's own private key. The heuristic that you propose forces this client to also know the hash algorithm used by CA. 2) The second situation is a simple client implementation which supports only one hash function. This paragraph forces it to support also the hash functions, which were used by CA to sign his certificates. 3) The third situation is this: a client posesses a certificate, issued by a CA with a good hash function, which is not yet supported by TLS HashType enum (e.g. SHA384). Certificate Request message, which now contains a list of supported hash types, cannot contain such a value, so the client is forced not to use such a certificate. My proposition is: 1) Change the structure of the CertificateVerify message to reflect the change to CertificateRequest: struct { HashType hash_type; Signature signature; } CertificateVerify; Change the text to following: The Signature type is defined in 7.4.3. Client chooses a hash function (denoted Hash) from the list, contained in the CertificateRequest.certificate_hash to create the signature for the client's certificate, and specifies it's type in the CertificateVerify.hash_type field. CertificateVerify.signature.hash Hash(handshake_messages); 2) I think, the role of the CertificateRequest.certificate_hash list must be clearly stated in the draft. I see 3 possible choices: a) it is provided to the client as a guidance b) the server MUST verify that the CertificateVerify message uses one of the hash_types that it proposed c) the server MUST verify that the CertificateVerify message AND the client certificate chain uses only the proposed set of hashes I would strongly prefer the "b" case, because the "a" case can lead to the sitiuation where the server cannot verify client's signature, and the "c" case forces us to specify HashTypes for all the hash functions supported by PKIX (see the 3d situation above). The only alternative i see to this set of changes is to omit the certificate_hash list from CertificateRequest completely, and state that the Hash function is chosen by the cipher suite. Regards, Greg Chudov _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Kyle Hamilton
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller
- Re: [TLS] Updated TLS 1.2 I-D Peter Sylvester
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Mohamad Badra
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller
- Re: [TLS] Updated TLS 1.2 I-D Peter Sylvester
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Anyang Ren
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Anyang Ren
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Rob Dugal
- Re: [TLS] Updated TLS 1.2 I-D Gregory Chudov
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller