Re: [TLS] Moving SHA-1 signature schemes to not recommended in draft-ietf-tls-md5-sha1-deprecate

David Benjamin <> Fri, 18 September 2020 14:49 UTC

On Fri, Sep 18, 2020 at 10:28 AM Sean Turner <> wrote:

> Also, should we be adding “_legacy” to the names of the code points as was
> done for rsa_pkcs1_sha256_legacy by:

My inclination is no. We didn't go about renaming the huge mess of TLS
cipher suites or anything else that I remember.

The "_legacy" suffix in that draft has a slightly different meaning
(perhaps I should have picked a different name). The existing
rsa_pkcs1_sha256 code points from TLS 1.2 were carried over into TLS 1.3
but with a subsetted meaning. In TLS 1.2, rsa_pkcs1_sha256 advertises both
TLS and X.509 capabilities, but in TLS 1.3 it advertises only X.509
capabilities. rsa_pkcs1_sha256 is undefined for a TLS CertificateVerify
because we took PKCS#1 v1.5 out. So, in order for TLS 1.3 servers to opt
into accepting PKCS#1 v1.5 signatures in CertificateVerify, the draft
needed to define new code points with a CertificateVerify capability.

rsa_pkcs1_sha256_tls1_3_certificate_verify_for_legacy_clients was a
mouthful, so I just added a "legacy" suffix. :-)
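The distinction drawn in this message (the same code point meaning "certificate plus CertificateVerify" in TLS 1.2 but "certificate only" in TLS 1.3, and a separate opt-in point needed for PKCS#1 v1.5 in a TLS 1.3 CertificateVerify) is easy to get wrong in an implementation. The following is an added example, not code from the message, the draft or any TLS library, that models the capability tables and the CertificateVerify scheme selection a peer has to do. The code points for the RFC 5246/8446 schemes are the real ones; the value used for `rsa_pkcs1_sha256_legacy` is a labelled placeholder in the private-use range, and its "CertificateVerify only, when advertised" semantics are an assumption taken from the message rather than from the draft text.

```python
import struct
from typing import Dict, List, Optional, Set

# Signing contexts a signature_algorithms code point can cover.
CERT = "certificate"         # signatures on X.509 certificates in the chain
CV = "certificate_verify"    # the TLS CertificateVerify handshake message

# Real code points from RFC 5246 / RFC 8446.
RSA_PKCS1_SHA1 = 0x0201
ECDSA_SHA1 = 0x0203
RSA_PKCS1_SHA256 = 0x0401
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
# PLACEHOLDER (assumed): the draft's rsa_pkcs1_sha256_legacy code point.
# The message does not give its value, so a private-use value stands in.
RSA_PKCS1_SHA256_LEGACY = 0xFE00

KEY_TYPE: Dict[int, str] = {
    RSA_PKCS1_SHA1: "rsa",
    ECDSA_SHA1: "ecdsa",
    RSA_PKCS1_SHA256: "rsa",
    ECDSA_SECP256R1_SHA256: "ecdsa",
    RSA_PSS_RSAE_SHA256: "rsa",
    RSA_PKCS1_SHA256_LEGACY: "rsa",
}

# Contexts in which an advertiser of each code point can verify it.
# In TLS 1.2 the rsa_pkcs1_* and *_sha1 points cover both; in TLS 1.3 the
# same code points were carried over with a subsetted, certificate-only meaning.
CAPABILITIES: Dict[str, Dict[int, Set[str]]] = {
    "tls1.2": {
        RSA_PKCS1_SHA1: {CERT, CV},
        ECDSA_SHA1: {CERT, CV},
        RSA_PKCS1_SHA256: {CERT, CV},
        ECDSA_SECP256R1_SHA256: {CERT, CV},
        RSA_PSS_RSAE_SHA256: {CERT, CV},
    },
    "tls1.3": {
        RSA_PKCS1_SHA1: {CERT},
        ECDSA_SHA1: {CERT},
        RSA_PKCS1_SHA256: {CERT},          # PKCS#1 v1.5 is not valid in CV
        ECDSA_SECP256R1_SHA256: {CERT, CV},
        RSA_PSS_RSAE_SHA256: {CERT, CV},
        # Assumed semantics of the opt-in point: CV only, and only
        # usable when the verifying side has chosen to advertise it.
        RSA_PKCS1_SHA256_LEGACY: {CV},
    },
}


def parse_signature_algorithms(body: bytes) -> List[int]:
    """Parse a signature_algorithms extension body: a uint16 length
    followed by that many bytes of uint16 SignatureScheme values."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", body[:2])
    if length % 2 or 2 + length != len(body):
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(2, 2 + length, 2)]


def can_use(scheme: int, version: str, context: str) -> bool:
    """Does advertising `scheme` under `version` cover `context`?"""
    return context in CAPABILITIES[version].get(scheme, set())


def choose_cv_scheme(peer_advertised: List[int], version: str,
                     key_type: str, key_can_pss: bool = True) -> Optional[int]:
    """Pick the scheme this side signs its own CertificateVerify with.

    `peer_advertised` is the peer's signature_algorithms list (ClientHello
    when a server signs, CertificateRequest when a client signs).  Peer
    preference order is honoured; code points the peer does not accept in
    CertificateVerify under this version are skipped even when they match
    the key, which is why rsa_pkcs1_sha256 alone does nothing for a TLS 1.3
    signer whose key can only produce PKCS#1 v1.5 signatures.
    """
    for scheme in peer_advertised:
        if not can_use(scheme, version, CV):
            continue
        if KEY_TYPE.get(scheme) != key_type:
            continue
        if scheme == RSA_PSS_RSAE_SHA256 and not key_can_pss:
            continue  # e.g. a hardware token that only does PKCS#1 v1.5
        return scheme
    return None


if __name__ == "__main__":
    # Constructed CertificateRequest signature_algorithms body, three schemes.
    body = b"\x00\x06" + struct.pack("!HHH", RSA_PKCS1_SHA256,
                                     RSA_PSS_RSAE_SHA256, ECDSA_SECP256R1_SHA256)
    schemes = parse_signature_algorithms(body)
    print("TLS 1.2 client, RSA key:", choose_cv_scheme(schemes, "tls1.2", "rsa"))
    print("TLS 1.3 client, RSA key:", choose_cv_scheme(schemes, "tls1.3", "rsa"))
    print("TLS 1.3 client, PKCS#1-only key:",
          choose_cv_scheme(schemes, "tls1.3", "rsa", key_can_pss=False))
    # The server opts in by also advertising the legacy code point.
    print("... with the legacy opt-in:",
          choose_cv_scheme(schemes + [RSA_PKCS1_SHA256_LEGACY],
                           "tls1.3", "rsa", key_can_pss=False))
```

Run as a script it walks through the four cases: under TLS 1.2 the same list yields rsa_pkcs1_sha256, under TLS 1.3 it yields rsa_pss_rsae_sha256, a PKCS#1-v1.5-only key finds nothing, and only the presence of the separate opt-in code point makes PKCS#1 v1.5 usable in CertificateVerify again. Note that `can_use(RSA_PKCS1_SHA256, "tls1.3", CERT)` stays true throughout: the original code point is still the right way to say the certificate chain may carry such signatures.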