Re: [TLS] Server Signature Algorithms

To: tls at ietf.org
Subject: Re: [TLS] Server Signature Algorithms
From: Michael D'Errico <mike-list at pobox.com>
Date: Sun, 01 Nov 2009 13:34:08 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=MotZn9LPl7mu VhQsxfY6BV8GHdk=; b=RbJKFdszYTEe0OaqMS9V5bUguWedVVz7vldasjvZTyG7 +Cp7UDBnG3ZHNX4GvnltRf15Nf1OJBuJvobmjtsfM8GCrAY6wNjBCfXIRVmRY0zL unk37ro6fxnHSfQkGcFv9LE1WLcSXXCF6fYMk0x8k2nbNJPW0ZYDs3+mxrqxgOA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=KxYdLv R8yFo8X8oVXL4R6Kb8BNZENHntvmBYMqBqNUYJyft7Lv2OzTpQLjnimxlBlUZaj7 Fz3tzdhsXGwTbGJKux3nU0Rx4lMzrJkrukMtRUV0lBFZ9X3WwPntVXc+ZhyGBdvj 9SbBF6ojvAlyHN3fQC8rQQ98VLKWXUe+H3YTI=
In-reply-to: <OFCFFB440A.DEB1CEA7-ON4A257661.007208C6-4A257661.007271E8 at au1.ibm.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <OFCFFB440A.DEB1CEA7-ON4A257661.007208C6-4A257661.007271E8 at au1.ibm.com>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

So instead of changing the existing signature_algorithms extension,
nothing would break by creating a new server_signature_algorithms
extension.  Client support would be advertised by sending an empty
extension to the server.  The server would show support by replying
with its list.

In this case, the server can leave the signature algorithms list in
CertificateRequest empty since it knows the client accepted its list
in the server hello extension.  The server MUST NOT send a different
list in CertificateRequest, since the client may have used the
information to start computing the hash for CertificateVerify and
thrown away the previous handshake messages.

Mike



Michael Gray wrote:

"Michael D'Errico" <mike-list at pobox.com> wrote:

There are now at least 3 instances where a TLS client needs to know the
server's list of supported signature algorithms:

    1. to compute the signature for the CertificateVerify message
    2. to compute the hash of the handshake messages in (1) without
       having to hold onto all of the messages
    3. to compute hashes for the proposed cached information extension

Rather than duplicate the list for each of these and any future needs,
it makes sense to send it once in a server hello extension.

The simplest option would be to use the existing signature algorithms
extension and make it symmetrical.  But if there is a deployed client
out there that aborts a connection if it receives a signature algorithm
extension, then a secondary option would be to create a new server-
signature-algorithms extension which is identical in structure to the
existing extension.

I would add that when the server sends its list of algorithms in the
extension, then it MUST NOT send a different list in the certificate
request message; in fact it SHOULD send an empty list.  TLS 1.3 can
decide whether to eliminate the list from CertificateRequest.


Currently our toolkit when operating as a client will abort the handshake
on this condition due to RFC 5246 in 7.4.1.4.1 saying: “Servers MUST NOT
send this extension”.

We could change our code to optionally (e.g. a non strict mode) accept
receiving the extension from a TLS Server as that would be IMHO relatively
harmless.  The problem I see would be if we enabled our Server side code to
optionally send this extension, that would open the door for existing TLS
Clients to abort the handshake.  We have no idea which Client (vendor) type
may be involved in a handshake and what revision of the implementation in
this area they might support i.e., there is no way for the Client to
indicate that it will tolerate the Server sending the extension.  IMHO It
is unfortunate version information is not included in each extension.  So
while I agree that this sounds a good move I would be concerned as to the
impact on system availability should any Server now be configured to start
sending this extension.  IMHO I think the horse might have already bolted
in this case :-(

Mick

Follow-Ups:
- Re: [TLS] Server Signature Algorithms
  - From: Wan-Teh Chang

References:
- Re: [TLS] Server Signature Algorithms
  - From: Michael Gray

Prev by Date: Re: [TLS] Server Signature Algorithms
Next by Date: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Previous by thread: Re: [TLS] Server Signature Algorithms
Next by thread: Re: [TLS] Server Signature Algorithms
Index(es):
- Date
- Thread

Re: [TLS] Server Signature Algorithms

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.