IETF Logo Mail Archive

Re: [TLS] AD Review of draft-ietf-tls-tls13

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 22 May 2017 21:02 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84E71128AB0 for <tls@ietfa.amsl.com>; Mon, 22 May 2017 14:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYWti7hjl5jg for <tls@ietfa.amsl.com>; Mon, 22 May 2017 14:02:20 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6B161273B1 for <tls@ietf.org>; Mon, 22 May 2017 14:02:19 -0700 (PDT)
Received: from [172.31.31.193] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 2AC407A32F1 for <tls@ietf.org>; Mon, 22 May 2017 21:02:19 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CABcZeBOvRGar9ZLTo=tu+oUxRWtMucwr5Bk1dPY8C1mAa9asTg@mail.gmail.com>
Date: Mon, 22 May 2017 17:02:20 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <44D307FD-DBF7-4979-B4E0-76104F64D159@dukhovni.org>
References: <CAPZZOTgizE2n06V9wEtARFCXB7FP_eikW-K1k67bZG11kNhSAw@mail.gmail.com> <44AED5C2-B21C-442A-8412-9134D1C10BCD@dukhovni.org> <201705192143.19490.davemgarrett@gmail.com> <20170520054117.GM10188@localhost> <80AB5C55-41BA-471E-A55A-86E98299B652@dukhovni.org> <f262447d-5bd1-68c8-dac6-ad2224733235@akamai.com> <35E448DD-7F74-4563-9707-DFAB66125FAA@dukhovni.org> <89704888-5f4d-0021-74cb-4cea28c773bd@akamai.com> <ac704db142c04e7b8a836df711e9bc7f@usma1ex-dag1mb1.msg.corp.akamai.com> <1A619330-282A-44F0-871B-DF6D15850394@dukhovni.org> <CABcZeBOvRGar9ZLTo=tu+oUxRWtMucwr5Bk1dPY8C1mAa9asTg@mail.gmail.com>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x--nfBiPBeNagvJ06WyC3_NNT0o>
Subject: Re: [TLS] AD Review of draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 21:02:21 -0000

> On May 22, 2017, at 3:42 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Well, I certainly think past the Web PKI, because one of the cases I care about
> is WebRTC, which doesn't do any PKI validation at all.
> 
> In any case, I think there are two issues:
> 1. Forbid TLS 1.3 implementations from accepting MD5 and SHA-1.
> 2. Require a specific failure if the peer presents such a certificate.
> 
> There was pretty strong consensus to do #1 and I don't support removing
> it.

The operative word here is *was*.  Time has passed, and things have changed:

	1.  The motivating problem (broad use of weak hashes in Web PKI
            certificates) has become a non-problem.  The CAs and the browsers
 	    have moved on.

	2.  We've since had many discussions that make it clearer still that
	    layer violation into RFC5280 space is suboptimal.

	3.  While did not object strongly at the time, I've since seen that the
 	    language in question temps TLS stack authors to implement checks against
	    the specific certificate algorithms at the TLS layer, instead of at the
	    X509 verification layer where X509 security checks belong.

Surely there are some old GOST signature algorithms that could appear in certificates,
that TLS 1.3 does not prohibit, but which are not much stronger than SHA-1, and if not
GOST then something else.  Plucking out the specific code-points in question is both
insufficient and counter-productive.

It is time to revisit the previous consensus, because its motivation is no longer
relevant, and its negative consequences are more apparent.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email