IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate

Christopher Wood <caw@heapingbits.net> Mon, 04 May 2020 17:08 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E014E3A0DB2 for <tls@ietfa.amsl.com>; Mon, 4 May 2020 10:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=WTPmnRXo; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=v8fEyrGs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6rXRUKJ50bU for <tls@ietfa.amsl.com>; Mon, 4 May 2020 10:08:36 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DF1D3A0D7C for <tls@ietf.org>; Mon, 4 May 2020 10:08:32 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 991F75C0138 for <tls@ietf.org>; Mon, 4 May 2020 13:08:31 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Mon, 04 May 2020 13:08:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=tqTHf5JIXmpVUxvVjGR80eKnreoQTpI xSMB3qBZbNVc=; b=WTPmnRXoF4CNwQbwoJUexYaqAPmByKV8C+i7B24QFqKHuA0 KYQeXnKhy2QQMICdTbBExkUNXdMcc/wbK5Kkwr8sfZWI2OqMBsBLBijJwiZjV0OM qzJL6hZYdAU820IycqJSyigP8TV0x3ZUYf3zOR7wy5rgxzZp+itrrhG7MSv8brok N8IV6UviT9+b3E10wG0qiarp5O0PzBk+Dtc8bI/LIGM0NO7K3UyGLJgsAWbI34Uz rM7boYsS4KZmc1sfHlXXTxhYOEcL/HmWDRgKfBd2gpUCHlF/x2RNV6lOy4OIP6eB oVpV+ADjywhO91gh5LzY5d3YzPHwkEMiObaJHUA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=tqTHf5 JIXmpVUxvVjGR80eKnreoQTpIxSMB3qBZbNVc=; b=v8fEyrGsw9kHpuQxCGMOXL RhSJnIeOkDwKJQLzcx+WhpQXvya9lPiFmwYs2c2CqOyrULGJj3q+bRUQEisHPKlt CfpRZF9jseJ+kcPqlyRxfQBKJa38d5wfzLUGzK+u79jbsnnWFNgHnqEwr0qmUjCJ J6JMXv/5aCcmwrMHPWX0KnFhiT7ISJErLX4xXOqbfI58du8oFVBuoL2c8DcwNkwt DIeU8YQRwRN3N70Mdp5VBAGudMUYOCkRuQp0g+PRQJYOLK2PUOIIUdX/qN0bQh30 hUF3QcMcUI5ztjSCroJ6xIsIG+NyPsYnvANvSQnz5J3ZQgxKmlMRd4CxD7JXz16g ==
X-ME-Sender: <xms:D0ywXgbvnmLalKjHPXwjXru4uWEPeAVqUKSMNfZBRaZRt9HdEyR88A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrjeeggddutdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucggtffrrghtthgvrhhnpedtffeuleevfe elheelffffgfelffejhfekteduhfeuleehteejhedvfffghfeuleenucffohhmrghinhep ghhithhhuhgsrdgtohhmpdhivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:D0ywXg7AfZxJ5vsss6pnGSIG6MchTPPVi-V2LyVy_ry7iA3WDR0Grw> <xmx:D0ywXqAr_vdFiqCzhAsXnNhDW8V57FnpWCaUcMq9Je-iKTu3cAWizw> <xmx:D0ywXu9gg7MDuL6ouH2DXbKg51wrFxOjPDhAzyzBdyRZO-DQ91OHvQ> <xmx:D0ywXr20oWEcN81sNIH2rqfTHlpAzZKtQALsxrWDo2NHZXS7NerSHg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 051003C00A1; Mon, 4 May 2020 13:08:31 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <a1a9acae-2e74-498f-9844-fd7f3e3aa14e@www.fastmail.com>
In-Reply-To: <20200423174513.GA11390@sokka.flat11.house>
References: <508EEDF7-73D2-4BE6-AFBA-710E5A5AB41F@sn3rd.com> <315F2BCF-11E0-4FBD-8420-865F29A66AD1@akamai.com> <CAF8qwaDoLGm+SjPE8T3UaQ0HY_M+EuU=GuWGaxGaPwvqCDKxgQ@mail.gmail.com> <fe0d54d8-a923-4a77-be9a-3b263d7efeb7@redhat.com> <20191123134005.GA1224585@LK-Perkele-VII> <CAF8qwaBbhpYz+LoUJ-6wrbj=bB-MMkT4vjLmx7UScK42eB=1qg@mail.gmail.com> <20200423174513.GA11390@sokka.flat11.house>
Date: Mon, 04 May 2020 10:08:10 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wAiKjAEy73gjEKBIX9xcGJEE2NY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-md5-sha1-deprecate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 17:08:38 -0000

Thanks, Alessandro! We'll aim to merge this PR on Friday. We ask that folks review it before then. 

   https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/5

Thanks,
Chris, on behalf of the chairs

On Thu, Apr 23, 2020, at 10:45 AM, Alessandro Ghedini wrote:
> On Sun, Nov 24, 2019 at 11:27:26AM -0500, David Benjamin wrote:
> > On Sat, Nov 23, 2019 at 8:40 AM Ilari Liusvaara <ilariliusvaara@welho.com>
> > wrote:
> > 
> > > On Fri, Nov 22, 2019 at 08:18:47PM +0100, Hubert Kario wrote:
> > > > On Friday, 22 November 2019 03:25:24 CET, David Benjamin wrote:
> > > > > On Fri, Nov 22, 2019 at 8:35 AM Salz, Rich <rsalz@akamai.com> wrote:
> > > > >
> > > > > > > ...
> > > > > > SHA-1 signature hashes in TLS 1.2" draft available
> > > > > > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/.
> > > > > > Please review the document and send your comments to the list by
> > > 2359 UTC
> > > > > > on 13 December 2019.
> > > > > >
> > > > > > I just re-read this.  Looks good. Perhaps a sentence of rationale in
> > > ...
> > > > >
> > > > > To that end, the combination of client advice in sections 2 and 4 is a
> > > bit
> > > > > odd. Section 2 uses SHOULD NOT include MD5 and SHA-1, but section 4
> > > says
> > > > > the client MUST NOT accept the MD5 SHA-1, even if it included it. Why
> > > would
> > > > > the client include it in that case? It seems the two should either
> > > both be
> > > > > MUST NOT or both be SHOULD NOT.
> > > >
> > > > because it also influences certificate selection, and getting a
> > > certificate
> > > > signed with SHA-1 isn't an automatically disqualifying property?
> > > > (it may be an intermediate CA that's not used, it may be an explicitly
> > > > trusted
> > > > certificate, etc.)
> > >
> > > If you don't want SHA-1 exchange signatures, you darn sure do not want
> > > actual SHA-1 certificates that are not trust anchors anyway. And because
> > > TLS 1.2 does not have separate lists for exchange signatures and
> > > certificate signatures, the client needs to withdraw advertisment for
> > > both in order to not send a misleading offer.
> > >
> > 
> > Right, I had a longer discussion of the certificate-but-not-TLS case but
> > omitted it. :-) Basically what Ilari said. In particular, I believe older
> > versions of Schannel will, despite being able to sign SHA-256,
> > preferentially sign SHA-1 if the client offers it. This is inconvenient
> > when it comes to predicting breakage but is perfectly consistent with the
> > client's offer. When I last looked at this a few years ago, this accounted
> > for a nontrivial portion of SHA-1-negotiating servers on the web, so
> > rejecting SHA-1 while still advertising it is probably not the best
> > strategy.
> > 
> > Fortunately, we've already distrusted SHA-1 X.509 signatures on the web, so
> > hopefully that will simplify things. There is a risk that some servers'
> > trust anchors' (otherwise irrelevant) signatures are SHA-1 and they are
> > trying to match it against the signature algorithms list, but I expect the
> > SHA-1-preferring servers to be the deciding concern. Issues with
> > trust-anchor-checking servers can likely be worked around by configuring
> > the server to not send the trust anchor, which is desirable anyway.
> > 
> > (All of this may not apply to non-web deployments, of course.)
> > 
> > 
> > > And I expect that in practice, not sending SHA-1 in
> > > signature_algorithms would cause very little breakage on top of what
> > > is already broken due to using SHA-1 exchange signatures.
> > 
> > 
> > 
> > So I think both should be MUST NOT.
> 
> So, based on this discussion, I made the following PR to change this to MUST NOT
> https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/5
> 
> Thanks for the review!
> 
> Cheers
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email