Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
mrex@sap.com (Martin Rex) Mon, 13 July 2015 17:45 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62AE91B2CB5 for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 10:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mV9JXH39SCwp for <tls@ietfa.amsl.com>; Mon, 13 Jul 2015 10:45:07 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 134911B2CC3 for <tls@ietf.org>; Mon, 13 Jul 2015 10:45:06 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 7CD1A2A8AA; Mon, 13 Jul 2015 19:45:03 +0200 (CEST)
X-purgate-ID: 152705::1436809503-0000413A-34B513B6/0/0
X-purgate-size: 1964
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 6F6F940494; Mon, 13 Jul 2015 19:45:03 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 66E451A1DD; Mon, 13 Jul 2015 19:45:03 +0200 (CEST)
In-Reply-To: <BLUPR03MB1396DF5184A7E3DFAF3F11028C9C0@BLUPR03MB1396.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Mon, 13 Jul 2015 19:45:03 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150713174503.66E451A1DD@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xpLCJBDKw4_J4pyLZcsPNM1lxEA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 17:45:08 -0000
Andrei Popov wrote: > > I think a good design is to have the client explicitly advertise any > algorithms the client is willing/able to support, and for the server > to honor the client's capabilities. A good design provides robust interop and good backwards-interoperability, and a reasonble default set of algorithms to be unconditionally available. Why TLSv1.2 did imply availability of sha256WithRsaEncryption by default, is beyond my understanding. The rfc5246 PDU Definition for ClientHello clearly makes HelloExtensions and optional (MAY) feature for clients and the acceptance of extension-less ClientHellos a mandatory (MUST) feature for Servers. Similarily, Appendix E allows the use of a SSL Version 2 CLIENT-HELLO instead of and extension-less TLS ClientHello, It has already been observed by others, a server can not make up signatures with client-requested signature schemes at will during the TLS handshake, but can only pick from the set of existing server certificates that have been preconfigured by the server admin -- and often this may be just one single server certificate. The server responding with an ambiguous "handshake_failure" if the admin-configured server cert does not fit the silly "implicit" algs that a server boldly assumes based on the design-flawed wording in rfc5246 7.4.1.4.1 in absence of ClientHelloExtensions is is a bad idea, and if the client-visible behaviour is a silent connection closure (this is what Microsoft IIS does) it is the worst possible outcome. This behaviour is completely indistinguishable from that of defective extensions-intolerant and TLS-version intolerant servers! Would the server respond with the next best fit (the way this has been and still is being done, even by Microsoft SChannel, for SSLv3, TLSv1.0 and TLSv1.1), then the client can at least produce a meaningful error message and show the certificates that it can not process. -Martin
- [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Ilari Liusvaara
- Re: [TLS] TLS 1.3 draft-07 sneak peek Ilari Liusvaara
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Ilari Liusvaara
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hanno Böck
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hubert Kario
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hubert Kario
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hubert Kario
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Rex
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Thomson
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hubert Kario
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Rex
- Re: [TLS] TLS 1.3 draft-07 sneak peek Quynh Dang
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Rex
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Rex
- Re: [TLS] TLS 1.3 draft-07 sneak peek Watson Ladd
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dang, Quynh
- Re: [TLS] TLS 1.3 draft-07 sneak peek Quynh Dang
- [TLS] MTI Extensions (was Re: TLS 1.3 draft-07 sn… Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek William Whyte
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dang, Quynh
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hanno Böck
- Re: [TLS] TLS 1.3 draft-07 sneak peek Jeffrey Walton
- Re: [TLS] TLS 1.3 draft-07 sneak peek Peter Gutmann
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dang, Quynh
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Rex
- Re: [TLS] TLS 1.3 draft-07 sneak peek Martin Rex
- Re: [TLS] TLS 1.3 draft-07 sneak peek Ilari Liusvaara
- Re: [TLS] TLS 1.3 draft-07 sneak peek Karthikeyan Bhargavan
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Salz, Rich
- [TLS] Deprecate SHA1 for signatures in TLS 1.3 (w… Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] TLS 1.3 draft-07 sneak peek Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Salz, Rich
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Karthikeyan Bhargavan
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Ilari Liusvaara
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Thomson
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Salz, Rich
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Thomson
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Salz, Rich
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Thomson
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] TLS 1.3 draft-07 sneak peek Hubert Kario
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Yoav Nir
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Hubert Kario
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] TLS 1.3 draft-07 sneak peek Jeffrey Walton
- Re: [TLS] TLS 1.3 draft-07 sneak peek Jeffrey Walton
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Yoav Nir
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Hubert Kario
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Henrik Grubbström
- Re: [TLS] TLS 1.3 draft-07 sneak peek Salz, Rich
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Watson Ladd
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- [TLS] Explicit error expectations (was Re: Deprec… Dave Garrett
- Re: [TLS] Explicit error expectations (was Re: De… Viktor Dukhovni
- Re: [TLS] Explicit error expectations (was Re: De… Dave Garrett
- Re: [TLS] Explicit error expectations (was Re: De… Ilari Liusvaara
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Ilari Liusvaara
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Ilari Liusvaara
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Henrik Grubbström
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Ilari Liusvaara
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Eric Rescorla
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Dave Garrett
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- [TLS] DANE & TLS 1.3 (was Re: Deprecate SHA1 for … Dave Garrett
- Re: [TLS] DANE & TLS 1.3 (was Re: Deprecate SHA1 … Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Hubert Kario
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Rex
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Thomson
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Andrei Popov
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Martin Thomson
- Re: [TLS] Deprecate SHA1 for signatures in TLS 1.… Viktor Dukhovni