Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Brian Smith <brian@briansmith.org> Tue, 23 December 2014 18:20 UTC

In-Reply-To: <54995BD6.8000504@delignat-lavaud.fr>
References: <5498DBCE.1070909@delignat-lavaud.fr> <CAFewVt7RiMfQTv=mkWAgUJLiy9+VSKGVT21QHauR36f4PZFp7g@mail.gmail.com> <54995BD6.8000504@delignat-lavaud.fr>
Date: Tue, 23 Dec 2014 10:20:24 -0800
Message-ID: <CAFewVt6cRnM9DKeGQbcvCh3jt5pnoo245V5UEuVEi5zSONf2YA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/t_sxWRMWwR_5SmQsl4Id-Gmu1xs
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> wrote:
> On 12/23/2014 7:07 AM, Brian Smith wrote:
>> In theory, that sounds like a problem. Is it really a problem in
>> practice, if we're not concerned about the specific case of RSA-PSS? On
>> the other hand, nobody has ever seemed to want TLS_DHE_ECDSA_* cipher
>> suites, so it doesn't seem like it caused any problem.
>
> Right now, it isn't a problem in practice, but it is not clear either that
> DSA (maybe in danger of being removed?), ECDSA and PKCS#1v1.5 are a good set
> of signature algorithms to commit to for the long run. Even in the short
> term, a MAC-based signature scheme may be useful for PSK and resumption.

OK. It seems like whether we need to solve the problem of whether
cipher suites specify the signature algorithm *now* depends on whether
we're going to standardize a replacement for ECDSA, PKCS#1, and DSA
*now*. If we're not going to replace them now, then I don't think we
need to solve this problem now (for 1.3).

> It is currently impossible to get a non-RSA certificate signed by any public
> CA (I know because I tried hard to get one). Only Google can concretely
> deploy EC certs today. Hence, there is currently NO alternative to RSA
> signatures for authentication.

I am surprised that you had so much trouble getting an ECC cert.
Please ping me off-list and I will help you with that. I agree with
the more general point that deploying ECDSA certificates is harder
than it should be. That is a fixable problem.

> By the way, it may be a good idea to recommend or mandate RFC6979-style
> deterministic ECDSA signatures in TLS to prevent entropy-exhaustion attacks
> against clients and servers. Off-topic though.

I think it is a good idea to at least explore making RFC6979-style
ECDSA mandatory for TLS 1.3 when ECDSA is used. I don't think it is
off-topic though. If we did that, that would resolve the main problem
with ECDSA, and that would reduce (perhaps eliminate) the need for
RSA-PSS or other new/uncommon signature schemes, which would greatly
reduce the motivation for making the change you propose.

Cheers,
Brian
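The RFC 6979-style deterministic ECDSA that Antoine raises and Brian wants explored for TLS 1.3 replaces the random per-signature nonce k with one derived by HMAC from the private key and the message hash, so an entropy-starved or faulty RNG at signing time can no longer produce the repeated nonce that leaks the signing key. The following is an added example, written for this page and not code from the thread or from any TLS implementation: a stdlib-only Python signer and verifier for NIST P-256 whose nonce generation follows RFC 6979 section 3.2. The curve constants and the known-answer value come from the public standards (FIPS 186-4 and RFC 6979 appendix A.2.5); the function names and the messages are this example's own.

```python
# Added example: RFC 6979 deterministic ECDSA over NIST P-256, stdlib only.
# The nonce k is derived by HMAC from the private key and the message hash, so
# signing draws no randomness and an exhausted or faulty RNG cannot cause the
# nonce reuse that leaks the key. Illustrative only: not constant-time.
import hashlib
import hmac

# NIST P-256 domain parameters (public constants; b is not needed here).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
QLEN = N.bit_length()       # 256 bits
RLEN = (QLEN + 7) // 8      # 32 bytes

# Known-answer vector from RFC 6979 appendix A.2.5 (P-256, SHA-256, "sample").
RFC6979_PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def bits2int(data):
    """RFC 6979 2.3.2: leftmost QLEN bits of data as an integer."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - QLEN) if blen > QLEN else value


def int2octets(value):           # RFC 6979 2.3.3
    return value.to_bytes(RLEN, "big")


def bits2octets(data):           # RFC 6979 2.3.4
    return int2octets(bits2int(data) % N)


def rfc6979_nonces(priv, msg, hashfn=hashlib.sha256):
    """RFC 6979 3.2: yield nonce candidates derived from HMAC(priv, H(msg)).
    The first one is used unless it gives r == 0 or s == 0 (step h.3)."""
    h1 = hashfn(msg).digest()
    seed = int2octets(priv) + bits2octets(h1)
    V, K = b"\x01" * len(h1), b"\x00" * len(h1)
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) < RLEN:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < N:
            yield k
        K = hmac.new(K, V + b"\x00", hashfn).digest()   # re-key and retry
        V = hmac.new(K, V, hashfn).digest()


def sign(priv, msg, hashfn=hashlib.sha256):
    """ECDSA (r, s) with a deterministic nonce; no randomness consumed."""
    e = bits2int(hashfn(msg).digest())
    for k in rfc6979_nonces(priv, msg, hashfn):
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:
            return r, s


def verify(pub, msg, sig, hashfn=hashlib.sha256):
    """Standard ECDSA verification; unaffected by how k was chosen."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = bits2int(hashfn(msg).digest())
    w = pow(s, -1, N)
    point = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r
```

Two points worth noticing in the code. Verification is the ordinary ECDSA algorithm and cannot tell a deterministic nonce from a random one, which is why a peer needs no protocol change to accept such signatures and why a "mandate" in TLS 1.3 would be enforceable only on the signer's side. And the same key and message always yield the same k, so signing twice gives the identical (r, s); that removes the RNG failure mode at the cost of determinism, so a signer that must also resist fault injection needs separate measures rather than relying on nonce randomness.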