On Sun, Nov 24, 2019 at 11:27:26AM -0500, David Benjamin wrote: > On Sat, Nov 23, 2019 at 8:40 AM Ilari Liusvaara <ilariliusva...@welho.com> > wrote: > > > On Fri, Nov 22, 2019 at 08:18:47PM +0100, Hubert Kario wrote: > > > On Friday, 22 November 2019 03:25:24 CET, David Benjamin wrote: > > > > On Fri, Nov 22, 2019 at 8:35 AM Salz, Rich <rs...@akamai.com> wrote: > > > > > > > > > > ... > > > > > SHA-1 signature hashes in TLS 1.2" draft available > > > > > https://datatracker.ietf.org/doc/draft-ietf-tls-md5-sha1-deprecate/. > > > > > Please review the document and send your comments to the list by > > 2359 UTC > > > > > on 13 December 2019. > > > > > > > > > > I just re-read this. Looks good. Perhaps a sentence of rationale in > > ... > > > > > > > > To that end, the combination of client advice in sections 2 and 4 is a > > bit > > > > odd. Section 2 uses SHOULD NOT include MD5 and SHA-1, but section 4 > > says > > > > the client MUST NOT accept the MD5 SHA-1, even if it included it. Why > > would > > > > the client include it in that case? It seems the two should either > > both be > > > > MUST NOT or both be SHOULD NOT. > > > > > > because it also influences certificate selection, and getting a > > certificate > > > signed with SHA-1 isn't an automatically disqualifying property? > > > (it may be an intermediate CA that's not used, it may be an explicitly > > > trusted > > > certificate, etc.) > > > > If you don't want SHA-1 exchange signatures, you darn sure do not want > > actual SHA-1 certificates that are not trust anchors anyway. And because > > TLS 1.2 does not have separate lists for exchange signatures and > > certificate signatures, the client needs to withdraw advertisment for > > both in order to not send a misleading offer. > > > > Right, I had a longer discussion of the certificate-but-not-TLS case but > omitted it. :-) Basically what Ilari said. In particular, I believe older > versions of Schannel will, despite being able to sign SHA-256, > preferentially sign SHA-1 if the client offers it. This is inconvenient > when it comes to predicting breakage but is perfectly consistent with the > client's offer. When I last looked at this a few years ago, this accounted > for a nontrivial portion of SHA-1-negotiating servers on the web, so > rejecting SHA-1 while still advertising it is probably not the best > strategy. > > Fortunately, we've already distrusted SHA-1 X.509 signatures on the web, so > hopefully that will simplify things. There is a risk that some servers' > trust anchors' (otherwise irrelevant) signatures are SHA-1 and they are > trying to match it against the signature algorithms list, but I expect the > SHA-1-preferring servers to be the deciding concern. Issues with > trust-anchor-checking servers can likely be worked around by configuring > the server to not send the trust anchor, which is desirable anyway. > > (All of this may not apply to non-web deployments, of course.) > > > > And I expect that in practice, not sending SHA-1 in > > signature_algorithms would cause very little breakage on top of what > > is already broken due to using SHA-1 exchange signatures. > > > > So I think both should be MUST NOT.
So, based on this discussion, I made the following PR to change this to MUST NOT https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/5 Thanks for the review! Cheers _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
