Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard
Donald Eastlake <d3e3e3@gmail.com> Thu, 15 October 2020 20:03 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8322D3A134C; Thu, 15 Oct 2020 13:03:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxOg9T3RRDT1; Thu, 15 Oct 2020 13:03:46 -0700 (PDT)
Received: from mail-il1-x144.google.com (mail-il1-x144.google.com [IPv6:2607:f8b0:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAD923A1354; Thu, 15 Oct 2020 13:03:46 -0700 (PDT)
Received: by mail-il1-x144.google.com with SMTP id p16so6113801ilq.5; Thu, 15 Oct 2020 13:03:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XBtnX5kgA/JxioC8elOpFlh3WX3Im8uTjj8BzKa3zsc=; b=rdPw9S/zDoxt5aA27mwsQGB0HIUMSXc+OMIvnkSDZ8n7eDlSXVD3eWVdtfbi4sTs3z 9tMtAEygP26v4oOa6+3SNbB6LlM38+oQfLYR6muhq11522vi+Dsl9QNBjx9JE44+JkAu 67tcuiK95o0YW/5m0j7PNt5LzCIKjtznVnRvrIju66wdxKZtrJ1ZLfLKXCVIGLDpTUFg sotmVj26BmfI/8iDxcP71F52Tq7zyVrRnNf8HkEpqOsYFaus4ICGT4UhS7x61QNgmErG AuooB9Nps72KQ0vvSCTtB4CgD7ddjAVB1OF74SNr61p2sorMauCKwKZsKJBjV0sW3phU fWsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XBtnX5kgA/JxioC8elOpFlh3WX3Im8uTjj8BzKa3zsc=; b=IhWi+b7O8XS1yYGF2JDSeDlBWPnCNfoB5s+FH8LzAb5SdCRbYgwhyEkx5eUNKJHayf 3XlzpuVI4h/tPrENBPV8ArXcnRGNIh2GV+lmSK7zl15eiUnInD2ndz1frl3TYY+aYLbK idx8DxyFMofKgSvQAAjZ/EMrPFuqUgrIbARJEEUuOF5cJOkmaiey6yPZD4AAsHCCkxxa v4E9n4bRWRCxyDE+XJmT5dLm80O5cf18g/WSY2mJJY2mQteIRvgHVeOTDAoo6QW8c53M t9J/25+j1dtRpBtkVZc3ij50+UBRlv3Dfap6jz8lBID3d88/8p3z4VO8ddz7VhrTgaUb Gn/Q==
X-Gm-Message-State: AOAM531HBLLgIxLvxk72wL5tK0PeCfcUUCmllMkcl4ifozoMEodxM5Rq 3y8DRgclRsQJVz3O/capllW1DtyjWKOHxHMD62o=
X-Google-Smtp-Source: ABdhPJzBr4ceOXhin5kvAWGomCVUGrA8X+pvyR8OppS8dXBXGizJy4JVUwZzaxItGoYc92Ng6k4l2E5JqmryeTH+NUQ=
X-Received: by 2002:a92:bb0d:: with SMTP id w13mr226521ili.168.1602792225858; Thu, 15 Oct 2020 13:03:45 -0700 (PDT)
MIME-Version: 1.0
References: <160270080535.5894.280254092203286109@ietfa.amsl.com> <20201015095605.670E5404C@ld9781.wdf.sap.corp>
In-Reply-To: <20201015095605.670E5404C@ld9781.wdf.sap.corp>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Thu, 15 Oct 2020 16:03:34 -0400
Message-ID: <CAF4+nEH6-SSN9b_EiY4ZkK3PptwF-h=2CbaRvDDbPv_Lu2zCng@mail.gmail.com>
To: mrex@sap.com
Cc: last-call@ietf.org, Roman Danyliw <rdd@cert.org>, draft-ietf-tls-md5-sha1-deprecate@ietf.org, tls-chairs@ietf.org, IETF-Announce <ietf-announce@ietf.org>, tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tInW-Yk01Zlhi5cHcLm7Cm8gR_c>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 20:03:56 -0000
Hi, On Thu, Oct 15, 2020 at 5:56 AM Martin Rex <mrex@sap.com> wrote: > > The IESG <iesg-secretary@ietf.org> wrote: > > > > The IESG has received a request from the Transport Layer Security WG (tls) to > > consider the following document: - 'Deprecating MD5 and SHA-1 signature > > hashes in TLS 1.2' > > > > <draft-ietf-tls-md5-sha1-deprecate-04.txt> as Proposed Standard > > > > The IESG plans to make a decision in the next few weeks, and solicits final > > comments on this action. Please send substantive comments to the > > last-call@ietf.org mailing lists by 2020-10-28. Exceptionally, comments may > > be sent to iesg@ietf.org instead. In either case, please retain the beginning > > of the Subject line to allow automated sorting. > >... > > Section 6 of the current draft says: > > 6. Updates to RFC5246 > > [RFC5246], The Transport Layer Security (TLS) Protocol Version 1.2, > suggests that implementations can assume support for MD5 and SHA-1 by > their peer. This update changes the suggestion to assume support for > SHA-256 instead, due to MD5 and SHA-1 being deprecated. > > In Section 7.4.1.4.1: the text should be revised from: > > OLD: > > "Note: this is a change from TLS 1.1 where there are no explicit > rules, but as a practical matter one can assume that the peer > supports MD5 and SHA- 1." It probably should be clarified but I think this text is just trying to say that with TLS 1.1 you could assume support of MD5 and SHA-1. > NEW: > > "Note: This is a change from TLS 1.1 where there are no explicit > rules, but as a practical matter one can assume that the peer > supports SHA-256." How about "Note: this is a change from TLS 1.1 where there are no explicit rules, but as a practical matter one could have assumed that the peer supports MD5 and SHA- 1." or, to be even more explicit "Note: this is a change from TLS 1.1 where there are no explicit rules, but as a practical matter with TLS 1.1 one could have assumed that the peer supports MD5 and SHA- 1." Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com > and therefore the behaviour in section 2 about the "Signature Algorithms" > extension ought to say: > > 2. Signature Algorithms > > Clients MUST NOT include MD5 and SHA-1 in the signature_algorithms > extension. If a client does not send a signature_algorithms > extension, then the server MUST use (sha256,rsa) for > digitally_signed on the ServerKeyExchange handshake message for > TLS cipher suites using RSA authentication, and the server MUST use > (sha256,ecdsa) for TLS cipher suites using ECDSA authentication. > > The server behaviour ought to be consistent for both, receipt of an > extension-less SSLv3+ ClientHello handshake message, and for a > backwards-compatible SSL VERSION 2 CLIENT-HELLO (which can not convey > any TLS extensions) as described in Appendix-E.2 of rfc5246, > and as permitted in bullet 2 in section 3 of RFC6176. > > > > As desribed in RFC6151, collision attacks on MD5 were appearing in > publications already in 2004, 2005, 2006 & 2007, the TLSv1.2 spec > rfc5246 should have never *NEWLY* added support for (md5,rsa) in > TLSv1.2 digitally_signed. > > Similarily, since the sunset date for SHA1-signatures had been > announced by NIST *before* TLSv1.2 (rfc5246) was published, > TLSv1.2 (rfc5246) should have never *NEWLY* added support for > (sha1,rsa) in TLSv1.2 digitally_signed, but have used (sha256,rsa) > from the beginning. sha256 has been required for the TLSv1.2 PRF > and for HMAC-SHA256 of several cipher suites anyway, so there > was no excuse for not using sha256 in TLSv1.2 digitally_signed > in the first place. > > > -Martin > > -- > last-call mailing list > last-call@ietf.org > https://www.ietf.org/mailman/listinfo/last-call
- [TLS] Last Call: <draft-ietf-tls-md5-sha1-depreca… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-md5-sha1-dep… mrex
- Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-… Donald Eastlake
- Re: [TLS] Last Call: <draft-ietf-tls-md5-sha1-dep… tom petch
- Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-… Benjamin Kaduk