IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 13 July 2015 17:11 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD00A1B2C40 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 10:11:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRSJNDaVKdN7 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 10:11:50 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0700.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::700]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AC011B2C3C for <tls@ietf.org>; Mon, 13 Jul 2015 10:11:50 -0700 (PDT)
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) with Microsoft SMTP Server (TLS) id 15.1.213.14; Mon, 13 Jul 2015 17:11:29 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0213.000; Mon, 13 Jul 2015 17:11:29 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
Thread-Index: AQHQuMqGail83kPeBUGeFeksHA1hqJ3QLTyAgAAI+QCAAAQ1gIAADWmAgAA2FYCAAVxcgIAAAVqAgAAEyoCAAVE1AIABlogAgAAEJoCAAAXGgIAACRQAgAADNACAAAGWgIAAA+QAgAAQkpCAAUrngIAADsEAgAAC7oCAABbWgIAANnyAgAAH4ACAAAoZgIAAB+GAgAAMDwCAAAXygIAAI+yAgAADFACAAd8BsIAACoIAgADHX/A=
Date: Mon, 13 Jul 2015 17:11:29 +0000
Message-ID: <BLUPR03MB1396DF5184A7E3DFAF3F11028C9C0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CALuAYvbteowTeyWe9VneRHgyvzTRS3LfKdorWt=jmEy2k+wNqw@mail.gmail.com> <201507111709.27725.davemgarrett@gmail.com> <CABcZeBNCBrNeMKm5hCLQ741zFRpcXQ321onofH2EWJbiQrSs6w@mail.gmail.com> <201507111929.02696.davemgarrett@gmail.com> <BLUPR03MB13965B49B433823B6A04B3088C9C0@BLUPR03MB1396.namprd03.prod.outlook.com> <20150713044104.GK28047@mournblade.imrryr.org>
In-Reply-To: <20150713044104.GK28047@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ee31::3]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1396; 5:ByMS39/FWo+wZYM34JeJtgagjOpIdFPNGcVzVbbZxGc5CmTZQ1fOz4FvO86h3Awv1VJxhU7MibqEyWHEIzGletzOjeu1C77nxsy8MH/nT9USi72uhq0ihg6N6qRBJQxoiA8l2pNI05eSLuzmhJoSfg==; 24:ThlBEfJ2qXRkIw/KSlKaQN8VsGM/cmf9jspVYrLrNx7jl0N4nnmZUsnwkFzwh66ZP2ExUdxDiYKnzXOMaRefa6Syr3dp7AkF8eO86eLwQAg=; 20:mYpJNtjIsPacK3kX2c06ql0o9NtAFVZXJ5og5WLW4EYZjE8s4VsTGUfkT/SBLqBOILeXr+tisDddKtqjhe4ktg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1396;
blupr03mb1396: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BLUPR03MB1396E697C569023AA707AE5A8C9C0@BLUPR03MB1396.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1396; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1396;
x-forefront-prvs: 0636271852
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(24454002)(51704005)(13464003)(377454003)(54356999)(86612001)(33656002)(76576001)(15975445007)(86362001)(99286002)(102836002)(92566002)(189998001)(2900100001)(5003600100002)(74316001)(2950100001)(5002640100001)(40100003)(122556002)(19580395003)(450100001)(107886002)(19580405001)(5001960100002)(62966003)(77156002)(77096005)(110136002)(50986999)(2501003)(76176999)(46102003)(87936001)(93886004)(2656002)(2351001)(561944003)(106116001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1396; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2015 17:11:29.0575 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1396
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/q3-oJhFp_4Q60iGIpt6r-S9l93E>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 17:11:52 -0000

I think a good design is to have the client explicitly advertise any algorithms the client is willing/able to support, and for the server to honor the client's capabilities.

IMHO the existing specs already meet the above goal, with an unfortunate quirk that SHA1/MD5-only clients don't have to be explicit about their supported signature/hash combinations. This quirk has caused some confusion, but this should be easy to fix in 1.3 by requiring that all algorithms are advertised.

> Which part are you objecting to?  The subsequent proposal to suppress
> SHA-1 advertisements (if the client supports only TLS 1.3 or later) when even when the client is willing to accept a SHA-1 chain when all else fails?  
No, I don't care for SHA1; let's deprecate it ASAP. I do care for a straightforward and deterministic handshake where the client MUST advertise supported algorithms and the server MUST honor the client's capabilities.

Having shipped a product that implements the strict interpretation of the current specs (WRT signature_algorithms) for a number of years now, I remember exactly 3 related problem reports. Without pointing fingers (as much as possible), here they are:
1. A version of a popular Web browser failed to interoperate because it did not include all of its supported algorithms in the signature_algorithms extension. Unfortunately, the browser had already been fixed by the time I reported the issue to them, so I could not use this incident as an opportunity to promote IE. :)
2. An open-source TLS stack that had just added TLS1.2 support, but did not implement extensions. I pointed them at the signature_algorithms section of the RFC and they quickly implemented this extension.
3. A vocal participant of this mailing list who seems to be opposed to the idea of making certain TLS extensions MTI, as a matter of principle.

My preference would be to keep the client explicitly advertising its capabilities, and the server strictly honoring the client-advertised capabilities. And since the concept of "default algorithms" confuses people, let's just get rid of it in 1.3. Conveniently, most of this WG no longer wants SHA1 or MD5. Why not just make signature_algorithms (even more) clearly and unambiguously MTI in 1.3?

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Viktor Dukhovni
Sent: Sunday, July 12, 2015 9:41 PM
To: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

On Mon, Jul 13, 2015 at 04:11:04AM +0000, Andrei Popov wrote:

> I'm not happy with this either. The spec already says:
> 
>   "If the client supports only the default hash and signature algorithms
>    (listed in this section), it MAY omit the signature_algorithms
>    extension.  If the client does not support the default algorithms, or
>    supports other hash and signature algorithms (and it is willing to
>    use them for verifying messages sent by the server, i.e., server
>    certificates and server key exchange), it MUST send the
>    signature_algorithms extension, listing the algorithms it is willing
>    to accept."
> 
> This seems to be pretty clear: if the client properly advertises the 
> algorithms it supports, then the handshake has a deterministic outcome.

That's all fine, we're talking about what the server should do when it is certificate chain does not (in its entirety) match those algorithms.  And in the context of TLS 1.3 which is not yet set in stone.  

Which part are you objecting to?  The subsequent proposal to suppress
SHA-1 advertisements (if the client supports only TLS 1.3 or later) when even when the client is willing to accept a SHA-1 chain when all else fails?  That too seems sensible, and it was already noted that clients will need to send the SHA-1 codepoint when willing to accept TLS 1.2, since that spec does not contain the proposed new language for server-side behaviour.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email