Reserved confusing #990
Merged
Reserved confusing #990
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Values in RESERVED labels, per the note at the top of Appendix B, MUST
NOT be sent. This conflicts other text which tags ecdsa_sha1 and
dsa_sha1 as SHOULD NOT.
Back in early drafts, {*, dsa} and {sha1, ecdsa} were not tagged
RESERVED and were merely SHOULD NOT in the text:
https://tools.ietf.org/html/draft-ietf-tls-tls13-11#section-6.3.2.1
Then things were redone as SignatureScheme with the intent of preserving
SHOULD NOTs and MUST NOTs. Accordingly, dsa_* values were defined, and
with SHOULD NOTs in prose.
tlswg#404
That was followed up by a cleanup change which left dsa_* values in
there, but not defined. Intentionally or not, this took away the SHOULD
NOT and left it with something unclear.
tlswg@bed7281
Then the RESERVED tag was added, in response to the cleanup.
Intentionally or not, this kicked in the Appendix B MUST NOT, which
means TLS 1.3 implementations are forbidden from offering DSA to TLS 1.2
servers. Nonetheless, the SHOULD NOT reference to the now non-existent
and verboten dsa_sha1 remained.
tlswg#434
Next, an oversight in PR tlswg#404 was "corrected". PR tlswg#404 was intended to
leave SHOULD NOTs and MUST NOTs as-is but downgraded {sha1, ecdsa} to a
MUST NOT by omission. However, I did not notice the Appendix B text, so
my correction was, in fact, a no-op.
tlswg#488
Restoring ecdsa_sha1 was motivated by existing many implementations
still offering {sha1, ecdsa} at TLS 1.2, so it was not clear whether
removing it was realistic yet. (Notably, dependence on {sha1, rsa} aka
rsa_pkcs1_sha1 is known to be prevalent.) Since then, BoringSSL has
removed ecdsa_sha1, so that is some evidence it is unnecessary. NSS
still offers it, however.
So now we have a small mess on our hands. This PR attempts to bring
things to a self-consistent picture. Implementations I'm involved with
no longer offer ecdsa_sha1 or dsa_*, so I am personally fine with any
self-consistent option. For this PR, I went with:
Since PR#488 was accepted and even called out in the changelog, my
interpretation was that it should end at SHOULD NOT. That I failed to
actually implement originally is a bug.
DSA is less clear, but since there were two changes by two separate
people who chipped away at the SHOULD NOT, my interpretation is to leave
it at MUST NOT. I have taken the two changes to their logical
conclusion, removing the named dsa_*_RESERVED values and references to
non-existent dsa_sha1.
1. Merge the legacy discussion for ecdsa_sha1 and rsa_pkcs1_sha1. 2. Restore the labels for the reserved dsa code points.
kaduk
reviewed
Apr 27, 2017
draft-ietf-tls-tls13.md
Outdated
| specifically RSA using RSASSA-PKCS1-v1_5 and ECDSA. These values | ||
| refer solely to signatures which appear in certificates (see | ||
| {{server-certificate-selection}}) and are not defined for use in | ||
| signed TLS handshake messages. lients offering these values (e.g., |
draft-ietf-tls-tls13.md
Outdated
|
|
||
| Legacy algorithms | ||
| : Indicates algorithms which are being deprecated because they use | ||
| SHA-1 but are still permitted for backward compatibility, |
There was a problem hiding this comment.
I'm not sure that we specifically need to call out SHA-1 as the only cause.
Maybe something about "because they use weak cryptography"?
There was a problem hiding this comment.
Hmm, looks like we are losing the 2119-SHOULD NOT be used, which I would prefer to retain.
There was a problem hiding this comment.
Well, SHA-1 is the weak link here. So I feel like clarify is more accurate.
There was a problem hiding this comment.
I'll restore a SHOULD NOT
draft-ietf-tls-tls13.md
Outdated
| Legacy algorithms | ||
| : Indicates algorithms which are being deprecated because they use | ||
| SHA-1 but are still permitted for backward compatibility, | ||
| specifically RSA using RSASSA-PKCS1-v1_5 and ECDSA. These values |
There was a problem hiding this comment.
I don't think this statement as written is accurate.
You can use either RSA or ECDSA without SHA-1, which is allowed in the real list of defined algorithms.
There was a problem hiding this comment.
Ah, I was trying to rely on the SHA-1 above but maybe I got too clever.
kaduk
reviewed
Apr 27, 2017
draft-ietf-tls-tls13.md
Outdated
| Legacy algorithms | ||
| : Indicates algorithms which are being deprecated because they use | ||
| algorithms with known weaknesses, specifically SHA-1 when used | ||
| either with RSA using RSASSA-PKCS1-v1_5 or ECDSA. These values |
There was a problem hiding this comment.
How about "specifically SHA-1, which is used in this context with either RSASSA-PKCS1-v1_5 or ECDSA"?
There was a problem hiding this comment.
Looks like "used" got dropped in the merge, FWIW.
draft-ietf-tls-tls13.md
Outdated
| {{server-certificate-selection}}) and are not defined for use in | ||
| signed TLS handshake messages. Endpoints SHOULD NOT these algorithms | ||
| but are permitted to do so solely for backward compatibility. Clients | ||
| offering these values (e.g., for backwards compatibility) MUST list |
There was a problem hiding this comment.
The now-doubled "for backward[s] compatibility" may be overkill.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.