[TLS] Will CAs decide server signing algorithms in TLS 1.2?
The Signature structure has changed, and the current text in section
7.4.3 says:
If the SignatureAlgorithm being used to sign the ServerKeyExchange
message is DSA, the hash function used MUST be SHA-1. If the
SignatureAlgorithm it must be the same hash function used in the
^^^^^^^^^^^^^^^^
signature of the server's certificate (found in the Certificate)
message. This algorithm is denoted Hash below. Hash.length is the
length of the output of that algorithm.
I can't parse the second sentence here. What is the intention here?
I'm assuming that the intention is to say that the SignatureAlgorithm
must be the same as the signing algorithm in the server certificate.
It seems weird that the CA who signs the server certificate will
implicitly decide which signature algorithm is used inside TLS between
all servers and clients.
As far as I can tell, it is not possible for a server or client to
negotiate the use of another hash algorithm (for the purpose of key
exchange and certificate verification) than what the CA used to sign the
certificates with, given the above text. That seems sub-optimal.
Two examples of real-world problems:
1) A server and/or client have RSA-SHA1 certificates. They wish to use
RSA-SHA256 in the ServerKeyExchange and CertificateVerify messages,
but they can't negotiate that.
2) A server and/or client have RSA-MD5 certificates (there are many of
these out there). They wish to use RSA-SHA1 or RSA-SHA256 in the
ServerKeyExchange and CertificateVerify messages, but they can't
negotiate that.
An argument that using RSA-SHA256 (or RSA-SHA1), when the server
certificate is signed using RSA-SHA1 (or RSA-MD5), does not increase the
security is flawed. It is possible for clients to check a server's
certificate fingerprint out of band, and essentially thus trust the
server certificate directly. In this situation, the signature algorithm
used in the server certificate is never used for verification, and thus
does not influence the overall security. This is what some
implementations use to achieve "leap-of-faith" security against
untrusted servers. With the current text, the overall security is
restricted by what the server and client CAs have chosen.
I predict that RSA-SHA256 certificates will cost ten times as much as
RSA-SHA1 certificates if this text stays...
/Simon
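As an added example, not code from Simon's message, from the draft under discussion, or from any TLS implementation: a small Python model of the mechanism the published TLS 1.2 (RFC 5246) ended up specifying for exactly this problem, where the client offers (hash, signature) pairs in a signature_algorithms extension and the server picks the hash for its ServerKeyExchange signature from that list, without reference to the hash the CA used on the server certificate. The code points and the SHA-1 fallback when no extension is sent come from RFC 5246 section 7.4.1.4.1, and the signed-input layout from section 7.4.3; the function names, the sample randoms and the DH values are constructed for this illustration, and the actual RSA/DSA/ECDSA signing operation over the digest is left out.

```python
import hashlib
import struct

# Code points from RFC 5246 section 7.4.1.4.1 (the published TLS 1.2).
HASH_ALG = {"none": 0, "md5": 1, "sha1": 2, "sha224": 3,
            "sha256": 4, "sha384": 5, "sha512": 6}
SIG_ALG = {"anonymous": 0, "rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH_ALG.items()}
SIG_NAME = {v: k for k, v in SIG_ALG.items()}


def encode_signature_algorithms(pairs):
    """Encode the body of a signature_algorithms extension: a 2-byte length
    followed by one (hash, signature) byte pair per entry, in the client's
    order of preference."""
    body = b"".join(bytes([HASH_ALG[h], SIG_ALG[s]]) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


def decode_signature_algorithms(data):
    """Parse the extension body back into a list of (hash, signature) names.
    Rejects a length that overruns the data or an odd number of bytes."""
    if len(data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length or length % 2 != 0:
        raise ValueError("malformed signature_algorithms extension")
    return [(HASH_NAME[body[i]], SIG_NAME[body[i + 1]])
            for i in range(0, length, 2)]


def select_server_hash(client_pairs, server_key_type, server_hashes):
    """Choose the hash for the ServerKeyExchange signature.

    Inputs are the pairs the client offered (None if it sent no extension),
    the algorithm of the server's private key and the hashes the server
    implements. The hash the CA used on the server certificate is not an
    input. With no extension RFC 5246 falls back to SHA-1 for every key
    type. Returns None when nothing is mutually acceptable."""
    if client_pairs is None:
        return "sha1"
    for h, s in client_pairs:            # honour the client's preference order
        if s == server_key_type and h in server_hashes:
            return h
    return None


def _opaque16(b):
    """opaque<1..2^16-1>: 2-byte length prefix followed by the bytes."""
    return struct.pack("!H", len(b)) + b


def server_key_exchange_input(client_random, server_random, dh_p, dh_g, dh_ys):
    """Bytes covered by the ServerKeyExchange signature for a DHE suite
    (RFC 5246 section 7.4.3): client_random || server_random || ServerDHParams."""
    return (client_random + server_random
            + _opaque16(dh_p) + _opaque16(dh_g) + _opaque16(dh_ys))


def server_key_exchange_digest(hash_name, client_random, server_random, dh_p, dh_g, dh_ys):
    """Hash the signed input with the negotiated hash; the digest is what the
    RSA/DSA/ECDSA signing operation (not shown here) would then sign."""
    data = server_key_exchange_input(client_random, server_random, dh_p, dh_g, dh_ys)
    return hashlib.new(hash_name, data).digest()


def demo():
    """Constructed sample matching case 1 in the message: the server's
    certificate was signed by its CA with RSA-SHA1, yet the handshake
    signature uses SHA-256 because both sides support it."""
    ca_certificate_hash = "sha1"          # chosen by the CA; never consulted below
    offered = [("sha256", "rsa"), ("sha1", "rsa"), ("sha256", "ecdsa")]
    ext = encode_signature_algorithms(offered)
    chosen = select_server_hash(decode_signature_algorithms(ext), "rsa", {"sha256", "sha1"})
    digest = server_key_exchange_digest(chosen, b"\x11" * 32, b"\x22" * 32,
                                        b"\x00\xff", b"\x02", b"\x01\x02\x03")
    return ca_certificate_hash, chosen, len(digest)


if __name__ == "__main__":
    print(demo())   # ('sha1', 'sha256', 32)
```

The point of the model is in `select_server_hash`: its inputs are the client's offer, the server's key type and the server's own capabilities, so a server holding an RSA-SHA1 (or RSA-MD5) certificate can still sign its ServerKeyExchange with SHA-256, and a client that pins the certificate out of band gets a handshake signature whose strength does not depend on the CA's choice.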
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.