Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-http2-tls13-02: (with COMMENT)

David Benjamin <davidben@chromium.org> Thu, 17 October 2019 19:36 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B9D0120A2E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 17 Oct 2019 12:36:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ui_Vz65-G8XU for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 17 Oct 2019 12:35:55 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2989312095D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 17 Oct 2019 12:35:55 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iLBWg-0001Bd-Gk for ietf-http-wg-dist@listhub.w3.org; Thu, 17 Oct 2019 19:33:34 +0000
Resent-Date: Thu, 17 Oct 2019 19:33:34 +0000
Resent-Message-Id: <E1iLBWg-0001Bd-Gk@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <davidben@google.com>) id 1iLBWe-0001An-Ot for ietf-http-wg@listhub.w3.org; Thu, 17 Oct 2019 19:33:32 +0000
Received: from mail-pg1-x533.google.com ([2607:f8b0:4864:20::533]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <davidben@google.com>) id 1iLBWc-0003yZ-VG for ietf-http-wg@w3.org; Thu, 17 Oct 2019 19:33:32 +0000
Received: by mail-pg1-x533.google.com with SMTP id t3so1916859pga.8 for <ietf-http-wg@w3.org>; Thu, 17 Oct 2019 12:33:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YjDp9Rku1eevz3zLbhFV+jXocCKSwdlgwLwvrbigG60=; b=fWhD6+07JUVTsGzvlLiw6iXcyRasZL+ifKQcmMagX7eaRtyfBIVDEEz5l4oCYvkAgD rIevrSy0lHNezMnR0xVWSAkqcH3zC/j9oqOw8iCY+C6bOw0NhG/KWK074xy1UsGSQMYz cKSRwoIzqlevUE86f2Ty6nwN7SqjLXiNxt6xw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YjDp9Rku1eevz3zLbhFV+jXocCKSwdlgwLwvrbigG60=; b=NzudE/upXsnbjV2mcLC6Zmn6QFJMtY80GFR8alDnLKOsLHOX74PcBLa87Hs8b/DRE8 g3NlkmZvELm5IgtqZYQXIlpulrez3mBtm6b0KyXG7oFx9BQPfYXU6+Yi/bk0U0szT9mU N357vur/dx+rKzKm5pqgbWCan3Dme1LKcJAZ/lMBpFYRO7eVeEoDvIeBgE8R+QUFYblf VyzUEWSMkIOEL3HWkRUIRY6Ty9tvjbo0rany1/r584VEYjrkFXD+vcih1qE+9WRsuJre DF7lylVIfd74Fexv+xmCmE2pboI1uHK+B+ugONLkj8POGegAwD7/1hcEgBZ16IYB6FRS AdBQ==
X-Gm-Message-State: APjAAAXAOB01v7jo/ZcHqWtgD+qYBS84mT4YeCuP/lkNn78C+7QUDtTp +4Urwy8W4QcKVx6WPQswVxLITAFGSf01tcOYArvT
X-Google-Smtp-Source: APXvYqyjxRIDpD5I/8fcgXXCelI5A6e7oA7/00IA7wBQTOe5QqF0zBVK/t8TN6R4En5prIh3wW0DlxrvkwBK48eN2u4=
X-Received: by 2002:a17:90a:cf98:: with SMTP id i24mr6101162pju.99.1571340808716; Thu, 17 Oct 2019 12:33:28 -0700 (PDT)
MIME-Version: 1.0
References: <157126123457.7868.4033205003897585278.idtracker@ietfa.amsl.com>
In-Reply-To: <157126123457.7868.4033205003897585278.idtracker@ietfa.amsl.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 17 Oct 2019 15:33:12 -0400
Message-ID: <CAF8qwaC-iyh3bhbU5__GGsQzwoYMuiXxhLoEMBCS6WicCzdCAQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-http2-tls13@ietf.org, Mark Nottingham <mnot@mnot.net>, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="000000000000b9ff760595204a33"
Received-SPF: pass client-ip=2607:f8b0:4864:20::533; envelope-from=davidben@google.com; helo=mail-pg1-x533.google.com
X-W3C-Hub-Spam-Status: No, score=-11.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iLBWc-0003yZ-VG b297760305d4dbb9be65927fbeda59ed
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Benjamin Kaduk's Yes on draft-ietf-httpbis-http2-tls13-02: (with COMMENT)
Archived-At: <https://www.w3.org/mid/CAF8qwaC-iyh3bhbU5__GGsQzwoYMuiXxhLoEMBCS6WicCzdCAQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37062
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Wed, Oct 16, 2019 at 5:27 PM Benjamin Kaduk via Datatracker <
noreply@ietf.org>; wrote:

> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-httpbis-http2-tls13-02: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2-tls13/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for this; I just have some minor nit-level comments; no response
> necessary.
>
> Abstract
>
>    This document updates HTTP/2 to prohibit TLS 1.3 post-handshake
>    authentication, as an analog to existing TLS 1.2 renegotiation
>    restriction.
>
> nit: either "restrictions" or "the existing".
>

Done in https://github.com/httpwg/http-extensions/pull/955. (I'll merge to
the repository and publish a -03 shortly.)


> Section 1
>
>    TLS 1.3 [RFC8446] updates TLS 1.2 to remove renegotiation in favor of
>    separate post-handshake authentication and key update mechanisms.
>    The former shares the same problems with multiplexed protocols, but
>    the prohibition in HTTP/2 only applies to TLS 1.2 renegotiation.
>
> nit: I'd suggest referring to a specific RFC rather than "HTTP/2" --
> this document will in some sense become part of "HTTP/2" upon
> publication :)
>

Done.


> Section 3
>
>    HTTP/2 servers MUST NOT send post-handshake TLS 1.3
>    CertificateRequest messages.  HTTP/2 clients MUST treat TLS 1.3 post-
>    handshake authentication as a connection error (see Section 5.4.1 of
>    [RFC7540]) of type PROTOCOL_ERROR.
>
> nit: is it the authentication or the request thereof that is the
> connection error?
>

Reworded to say the message is the authentication error.


> Section 4
>
>    Unless the use of a new type of TLS message depends on an interaction
>    with the application layer protocol, that TLS message can be sent
>    after the handshake completes.
>
> I don't see anything better to say than this, but ... will
> draft-ietf-tls-exported-authenticator be considered to "depend on an
> interaction with the application layer protocol"?
> (Also, nit: hyphenate "application-layer".)
>

(Hyphenation fixed.)

draft-ietf-tls-exported-authenticator doesn't define a post-handshake TLS
message, so it hopefully shouldn't apply?