Reserved confusing #990

Merged
merged 4 commits into from
Apr 27, 2017
Incorporate comments on PR#980.
1. Merge the legacy discussion for ecdsa_sha1 and rsa_pkcs1_sha1.
2. Restore the labels for the reserved dsa code points.
ekr committed Apr 27, 2017
commit 980b3e3460902361066264888bb079f1379d6710
33 changes: 18 additions & 15 deletions draft-ietf-tls-tls13.md
@@ -2225,7 +2225,6 @@ SignatureSchemeList value:

enum {
/* RSASSA-PKCS1-v1_5 algorithms */
rsa_pkcs1_sha1(0x0201),
rsa_pkcs1_sha256(0x0401),
rsa_pkcs1_sha384(0x0501),
rsa_pkcs1_sha512(0x0601),
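Review bot: the deletion of rsa_pkcs1_sha1(0x0201) from the RSASSA-PKCS1-v1_5 group only holds up if the code point is re-listed elsewhere in the enum; the following hunk does add it under the "Legacy algorithms" comment, so the two hunks have to be read together to confirm 0x0201 is moved rather than dropped. Since this rendered view carries no +/- markers, the header counts (7 lines before, 6 after) are the only cue that this hunk is a pure deletion.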
@@ -2245,17 +2244,18 @@ SignatureSchemeList value:
ed448(0x0808),

/* Legacy algorithms */
rsa_pkcs1_sha1(0x0201),
ecdsa_sha1(0x0203),

/* Reserved Code Points */
obsolete_RESERVED(0x0000..0x0200),
obsolete_RESERVED(0x0202),
dsa_sha1_RESERVED(0x0202),
obsolete_RESERVED(0x0204..0x0400),
obsolete_RESERVED(0x0402),
dsa_sha256_RESERVED(0x0402),
obsolete_RESERVED(0x0404..0x0500),
obsolete_RESERVED(0x0502),
dsa_sha384_RESERVED(0x0502),
obsolete_RESERVED(0x0504..0x0600),
obsolete_RESERVED(0x0602),
dsa_sha512_RESERVED(0x0602),
obsolete_RESERVED(0x0604..0x06FF),
private_use(0xFE00..0xFFFF),
(0xFFFF)
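Review bot: the enum jumps from obsolete_RESERVED(0x0604..0x06FF) straight to private_use(0xFE00..0xFFFF), leaving 0x0700..0xFDFF unlabelled; if that range is intentionally unassigned, a one-line comment saying so would stop readers from taking the gap for an omission. The restored dsa_*_RESERVED values themselves check out against the TLS 1.2 SignatureAndHashAlgorithm encoding (hash byte first: sha1=2, sha256=4, sha384=5, sha512=6; signature byte dsa=2), which gives exactly 0x0202, 0x0402, 0x0502 and 0x0602.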
@@ -2304,18 +2304,21 @@ EdDSA algorithms
{{RFC8032}} or its successors. Note that these correspond to the
"PureEdDSA" algorithms and not the "prehash" variants.

ecdsa_sha1
: Indicates a signature algorithm using ECDSA and SHA-1. This value refers
solely to signatures which appear in certificates and is not defined for use
in signed TLS handshake messages.
Legacy algorithms
: Indicates algorithms which are being deprecated because they use
SHA-1 but are still permitted for backward compatibility,
Contributor

I'm not sure that we specifically need to call out SHA-1 as the only cause.
Maybe something about "because they use weak cryptography"?

Contributor

Hmm, looks like we are losing the 2119-SHOULD NOT be used, which I would prefer to retain.

Contributor Author

Well, SHA-1 is the weak link here. So I feel like clarify is more accurate.

Contributor Author

I'll restore a SHOULD NOT.

specifically RSA using RSASSA-PKCS1-v1_5 and ECDSA. These values
Contributor

I don't think this statement as written is accurate.
You can use either RSA or ECDSA without SHA-1, which is allowed in the real list of defined algorithms.

Contributor Author

Ah, I was trying to rely on the SHA-1 above but maybe I got too clever.

refer solely to signatures which appear in certificates (see
{{server-certificate-selection}}) and are not defined for use in
signed TLS handshake messages. lients offering these values (e.g.,
Contributor

'C'lients.

for backwards compatibility) MUST list them as the lowest priority
(listed after all other algorithms in SignatureSchemeList). TLS
1.3 servers MUST NOT offer a SHA-1 signed certificate unless no
valid certificate chain can be produced without it (see
{{server-certificate-selection}}).

{:br }

rsa_pkcs1_sha1 and ecdsa_sha1 SHOULD NOT be offered. Clients
offering these values (e.g., for backwards compatibility) MUST list them as the lowest
priority (listed after all other algorithms in SignatureSchemeList).
TLS 1.3 servers MUST NOT offer a SHA-1
signed certificate unless no valid certificate chain can be produced without it
(see {{server-certificate-selection}}).

The signatures on certificates that are self-signed or certificates that are
trust anchors are not validated since they begin a certification path (see
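Review bot: the replacement text for the legacy section loses the normative "rsa_pkcs1_sha1 and ecdsa_sha1 SHOULD NOT be offered" sentence from the deleted paragraph, and the phrase "specifically RSA using RSASSA-PKCS1-v1_5 and ECDSA" reads as though every RSASSA-PKCS1-v1_5 and ECDSA scheme is legacy, when only the two SHA-1 pairings are. Suggest naming the code points directly, e.g. "specifically rsa_pkcs1_sha1 and ecdsa_sha1. These values SHOULD NOT be offered and refer solely to signatures which appear in certificates", and restoring the dropped capital in "lients offering these values".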