Re: [TLS] PSS for TLS 1.3
mrex@sap.com (Martin Rex) Thu, 26 March 2015 09:31 UTC
In-Reply-To: <493A881F-9A1A-4AF7-A55F-85AC98D60F90@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Date: Thu, 26 Mar 2015 10:31:39 +0100
Message-Id: <20150326093139.749441B245@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zRYZifagW5HXPYV1s0wccogKtmY>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] PSS for TLS 1.3
Russ Housley wrote:
>
> On Sun, Mar 22, 2015 at 10:38 PM, Peter Bowen <pzbowen@gmail.com> wrote:
> On Sun, Mar 22, 2015 at 3:09 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>> During the interim we discussed discussion about adopting PSS for
>> RSA signatures in TLS 1.3.
>>
>> Clearly, we will not be able to just adopt PSS because certificates
>> will continue to be signed with PKCS#1 1.5.
>
> I would like to see TLS 1.3 allow certificates signed using PSS (RFC
> 4055 and 3447) and provide a way to signal the server that such
> certificates are supported.

Originally, using certificates signed with PSS "just works" with SSLv3
and TLS, provided that the PKI implementation called by the TLS stack
implements it. (openssl-0.9.8 does not, Windows XP & 2003 do not).

A problem was newly created in 2008 specifically for TLSv1.2 by the
botched semantics of the TLSv1.2 signature_algorithms TLS extension,
which conflates the algorithms used for "digitally_signed" within the
TLS protocol and the algorithms used by CAs to issue certs.

Most TLSv1.2 implementors seem to have deliberately (or accidentally)
ignored the botched semantics of the TLSv1.2 signature_algorithm
extension with respect to the signatures on certificates, however.

>
> I have wanted to see migration of signatures on certificates from
> PKCS#1 v1.5 to PSS for many years. I think this is a nice step for
> that to happen.

The major problem with RSA-PSS is not the PKCS#1 v2.1 RSA-PSS signature
transform, but the policy crap described in rfc4055.

To reliably support RSA-PSS in TLS, we would have to first fix the
TLSv1.2 signature_algorithms extension by replacing it with one that
uses reasonable semantics and clearly separates the digitally-signed
transform within the TLS protocol from the signatures on X.509
certificates, otherwise the installed base would have to limit itself
to at most TLSv1.1.

>
> That said, I'd like to see this done in a way that also encourages the
> transition to ECDSA for the signatures on the certificates.

ECDSA is a well-known flawed signature scheme, and from the attacks that
have been published, there currently seems to exist no implementation
that will not leak the private key through online signatures. And for
verification of offline signatures, RSA is much faster.

Considering that NSA has been pushing ECDSA with NSA curves intensively
long before the Snowden leaks, it would be silly to assume that their
curves are not backdoored.

We currently won't lose anything (of value) by obsoleting the ECDSA
signature scheme and deprecating the NSA curves, by moving to safe
curves and a less dangerous signature scheme than ECDSA.

-Martin
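The conflation Martin describes can be made concrete in code. The following is an added example (not part of Martin's message, nor code from any TLS stack discussed in the thread): it decodes a constructed TLS 1.2 signature_algorithms extension body using only the Python standard library, names each code point under both the TLS 1.2 (hash, signature) pair reading of RFC 5246 and the flat SignatureScheme reading that RFC 8446 later gave the same 16 bits, and applies the RFC 5246 rule that every certificate in the chain must be signed with an advertised pair beside the RFC 8446 rule that lets a separate signature_algorithms_cert extension govern certificate signatures. The extension bytes, the "chain signed with RSA-PSS" input and the function names are this example's own constructions.

```python
"""Decode a TLS signature_algorithms body and compare the TLS 1.2 and
TLS 1.3 rules for certificate-chain signatures.  Added example, not from
the original post.  Code points: RFC 5246 s.7.4.1.4.1 and RFC 8446 s.4.2.3.
All input bytes below are constructed for illustration."""
import struct

# TLS 1.2 reading: the 16-bit value is (HashAlgorithm, SignatureAlgorithm).
# Note there is no PSS value in SignatureAlgorithm, so RSA-PSS cannot be
# expressed as a TLS 1.2 pair at all.
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# TLS 1.3 reading: the same 16 bits are one flat SignatureScheme code point.
# The 0x08xx values fall outside the old hash namespace on purpose.
SCHEME_NAMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512", 0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384", 0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512", 0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
}


def parse_signature_algorithms(ext_data):
    """Return the code points in a signature_algorithms extension body.

    Body = uint16 length (even, 2..65534) followed by exactly that many
    bytes.  A malformed body raises ValueError rather than being truncated."""
    if len(ext_data) < 2:
        raise ValueError("extension body shorter than its length field")
    (length,) = struct.unpack("!H", ext_data[:2])
    if length < 2 or length % 2 or len(ext_data) != 2 + length:
        raise ValueError("bad supported_signature_algorithms length %d" % length)
    return [struct.unpack("!H", ext_data[i:i + 2])[0]
            for i in range(2, 2 + length, 2)]


def describe(code):
    """Name one code point under both the TLS 1.2 and TLS 1.3 readings."""
    hash_id, sig_id = code >> 8, code & 0xFF
    pair = "%s/%s" % (HASH_NAMES.get(hash_id, "hash(%d)" % hash_id),
                      SIG_NAMES.get(sig_id, "sig(%d)" % sig_id))
    return "0x%04x: TLS 1.2 pair %s, TLS 1.3 scheme %s" % (
        code, pair, SCHEME_NAMES.get(code, "unassigned"))


def chain_allowed_tls12(advertised, chain_sig_schemes):
    """RFC 5246 s.7.4.2: if the client sent signature_algorithms, every
    certificate the server presents must be signed with an advertised
    pair.  One list governs both handshake and certificate signatures,
    which is the conflation the message objects to."""
    return all(s in advertised for s in chain_sig_schemes)


def chain_allowed_tls13(sig_algs, sig_algs_cert, chain_sig_schemes):
    """RFC 8446 s.4.2.3: signature_algorithms_cert, when present, governs
    certificate signatures; otherwise signature_algorithms applies to both."""
    governing = sig_algs_cert if sig_algs_cert is not None else sig_algs
    return all(s in governing for s in chain_sig_schemes)


def demo():
    """Constructed ClientHello body advertising sha256/rsa, sha256/ecdsa
    and sha1/rsa, checked against a chain whose CA signed with RSA-PSS
    (rsa_pss_rsae_sha256: PSS signature made under an rsaEncryption key)."""
    advertised = parse_signature_algorithms(bytes.fromhex("0006040104030201"))
    pss_chain = [0x0804]
    return {
        "advertised": [describe(c) for c in advertised],
        # Handshake could still use 0x0401, but the PSS-signed chain is out.
        "tls12_accepts_pss_chain": chain_allowed_tls12(advertised, pss_chain),
        # A separate cert list can admit PSS chains without touching the
        # handshake list.
        "tls13_accepts_pss_chain": chain_allowed_tls13(
            advertised, [0x0804, 0x0401], pss_chain),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the TLS 1.2 check rejecting the RSA-PSS chain because the client's one list has no way to say "my handshake signatures are PKCS#1 v1.5 but my trust store verifies PSS", while the TLS 1.3 variant admits it via the separate list. The length checks in the parser are the part worth copying: a body whose declared length is odd or does not match the extension size is malformed and should be rejected rather than partially consumed.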