Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Brian Smith <> Tue, 23 December 2014 18:20 UTC

Date: Tue, 23 Dec 2014 10:20:24 -0800
Message-ID: <>
From: Brian Smith <>
To: Antoine Delignat-Lavaud <>

Antoine Delignat-Lavaud <> wrote:
> On 12/23/2014 7:07 AM, Brian Smith wrote:
>> In theory, that sounds like a problem. Is it really a problem in
>> practice, if we're not concerned about the specific case of RSA-PSS? On
>> the other hand, nobody has ever seemed to want TLS_DHE_ECDSA_* cipher
>> suites, so it doesn't seem like it caused any problem.
> Right now, it isn't a problem in practice, but it is not clear either that
> DSA (maybe in danger of being removed?), ECDSA and PKCS#1v1.5 are a good set
> of signature algorithms to commit to for the long run. Even in the short
> term, a MAC-based signature scheme may be useful for PSK and resumption.

OK. It seems like whether we need to solve the problem of whether
cipher suites specify the signature algorithm *now* depends on whether
we're going to standardize a replacement for ECDSA, PKCS#1, and DSA
*now*. If we're not going to replace them now, then I don't think we
need to solve this problem now (for 1.3).

> It is currently impossible to get a non-RSA certificate signed by any public
> CA (I know because I tried hard to get one). Only Google can concretely
> deploy EC certs today. Hence, there is currently NO alternative to RSA
> signatures for authentication.

I am surprised that you had so much trouble getting an ECC cert.
Please ping me off-list and I will help you with that. I agree with
the more general point that deploying ECDSA certificates is harder
than it should be. That is a fixable problem.

> By the way, it may be a good idea to recommend or mandate RFC6979-style
> deterministic ECDSA signatures in TLS to prevent entropy-exhaustion attacks
> against clients and servers. Off-topic though.

I think it is a good idea to at least explore making RFC6979-style
ECDSA mandatory for TLS 1.3 when ECDSA is used. I don't think it is
off-topic though. If we did that, that would resolve the main problem
with ECDSA, and that would reduce (perhaps eliminate) the need for
RSA-PSS or other new/uncommon signature schemes, which would greatly
reduce the motivation for making the change you propose.