Re: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?

John Mattsson <john.mattsson@ericsson.com> Wed, 02 October 2019 05:46 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Dan Brown <danibrown@blackberry.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <TLS@ietf.org>
Date: Wed, 02 Oct 2019 05:46:47 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n4D9fpchqW-ts7_1-cUIA8qAULw>

> I agree with you about the policy here. To be honest, I just didn't notice this; and it would probably need some github spelunking to figure out the history of these references.

The reference comes from RFC 5246 (TLS 1.2). In 2008 the specification was not withdrawn.

> If someone wanted to propose an erratum that would fix this, I would be very appreciative.

Pointing out the problem is easy, but I don't know what to put in "It should say:". Pointing to SEC1 is not good if that is incompatible with NIST/ANSI. ISO and IEEE are behind paywalls. At this point it is probably best to wait for NIST SP 186-5 (NIST said earlier they hoped to release a draft version by May 2019, so I assume it will be released very soon).

RFC 8422 is also referencing ANSI X9.62-2005 and would need a similar erratum.

John

From: Eric Rescorla <ekr@rtfm.com>
Date: Tuesday, 1 October 2019 at 17:02
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Dan Brown <danibrown@blackberry.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?



On Tue, Oct 1, 2019 at 5:27 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
Dan Brown <danibrown@blackberry.com> wrote:

> ANSI X9.62-2005 was withdrawn in 2015

Ok, that TLS 1.3 is relying on a withdrawn publication that used to be behind a paywall is even worse.

Ugh.


> Also, I expect FIPS 186-5 is nearly ready, and will specify much of ECDSA

That NIST FIPS 186-5 will include all the details needed to implement ECDSA is great.

>IETF has specs for sigs and their formats already, no?

At the time when RFC 8446 was published, there was probably no quick and easy solution to the problem. But the fact that IETF has historically been fine with relying on specifications behind paywalls is part of the problem. If IETF had implemented a strong open-access policy a long time ago, there would probably be an open-access version of ECDSA (NIST or IETF) a long time ago.

I agree with you about the policy here. To be honest, I just didn't notice this; and it would probably need some github spelunking to figure out the history of these references.

If someone wanted to propose an erratum that would fix this, I would be very appreciative.

-Ekr


Cheers,
John

-----Original Message-----
From: Dan Brown <danibrown@blackberry.com>
Date: Tuesday, 1 October 2019 at 12:47
To: John Mattsson <john.mattsson@ericsson.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?

    Re ECDSA specs and paywalls:
    ANSI X9.62-2005 was withdrawn in 2015, expiring automatically after 10 years, despite my weak effort.
    A revival, ANSI X9.142, with almost the same content is under way, though even its fate is unsure.
    Also, I expect FIPS 186-5 is nearly ready, and will specify much of ECDSA and EdDSA (not ASN.1?), which many may like (even better than ANSI).
    Meanwhile, SEC1, versions 1.0 and 2.0, are available, fortunately or not, despite my weak effort.
    IETF has specs for sigs and their formats already, no?
    Then there's ISO, IEEE, ...


      Original Message
    From: John Mattsson
    Sent: Tuesday, October 1, 2019 5:25 AM
    To: Peter Gutmann; Hubert Kario; TLS@ietf.org
    Subject: Re: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?

    Hubert Kario <hkario@redhat.com> wrote:

    > Now, I don't have access to X9.62-2005, but there's a possibility of confusion.

    I think references to specifications behind paywalls and other types of limited access are a major problem. Not only for the standardization process, but also for researchers and implementors. In general, I think people should be able to implement and analyze IETF standards without having to pay for access.

    Open-access is even more important for security specifications. ANSI X9.62 is hopefully quite well-studied, but for other references, the lack of analysis often leads to mistakes and unknown weaknesses.

    I would like the IETF to take a much stronger stance against normative references to paywalls.

    Cheers,
    John

    _______________________________________________
    TLS mailing list
    TLS@ietf.org
    https://www.ietf.org/mailman/listinfo/tls
