Re: Genart last call review of draft-ietf-tls-exported-authenticator-09

Nick Sullivan <nick@cloudflare.com> Thu, 19 September 2019 22:57 UTC

Return-Path: <nick@cloudflare.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CCE8120046 for <ietf@ietfa.amsl.com>; Thu, 19 Sep 2019 15:57:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FOmfCUOZzu6f for <ietf@ietfa.amsl.com>; Thu, 19 Sep 2019 15:57:37 -0700 (PDT)
Received: from mail-vs1-xe34.google.com (mail-vs1-xe34.google.com [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ACF8120059 for <ietf@ietf.org>; Thu, 19 Sep 2019 15:57:37 -0700 (PDT)
Received: by mail-vs1-xe34.google.com with SMTP id b1so3413134vsr.10 for <ietf@ietf.org>; Thu, 19 Sep 2019 15:57:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=a1rnjiqvDBtMybTh1hVUOcJ1rM0dRXGcPEtuvTjdQ4k=; b=JZWKD1hK0d5b/UiBpkJI/+zvdUvhp6lwmxs5hWbPdJ14wrB0YCiCUN7PvG/Iwcvwi4 JDajfPQ5N5ccTqTSuEFEeTkIm1qZFkvbksvvQUWYGNX9LGjmjGDxWXsmj2BJsQARmwYq Ui0MRZYWpnFuXZzWU+b7NvWhBvVRBJFj3gdx8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=a1rnjiqvDBtMybTh1hVUOcJ1rM0dRXGcPEtuvTjdQ4k=; b=GDL+5sd2vmHNHiKvTSATYbxM0yULeHcGbKPQiZR8THTYSkTDxhUxduv9XSaTfACZOj 9FokyT2ppYXAUsjgsebX2RhoRIDqab3aKkq33rSLjOuWXNHBPdwPwnfMxinJLKLA7CfT RlWm6yGcCFCSk/n+Yc9fqpqioANZhb57kH2v6wsM8X6kHu5zgBNU5p9bmYGUuLAwImgE ZuB5ui9iduxcN/KTKlDEJX46j52ccXuvo1OODWgEHit2jTYL2NMCZQc16Ye15P1OK8a9 USi+1Mtw4emFPW6yepaB7hPkV44+zeyM8t66y6oLS0zxSKFYUHgaz78yWmvNTdEAcjMF TtsQ==
X-Gm-Message-State: APjAAAW6we68BVKOS0x6qnxAO1/uW0TAirQSsWWFL48Rzlo4tN9jjs6q iKaVQCvGee59DK17Grpt9lTUiplt9kg2n/abz716mw==
X-Google-Smtp-Source: APXvYqzTsgbNPzLQ1qY6g+fwR33q53s97lJS7KdD66ULnodmmv10Qi37BsIVPHzNJ485ocYFnR4lQ2DT5iDJbSasJOA=
X-Received: by 2002:a67:dc13:: with SMTP id x19mr294899vsj.172.1568933856400; Thu, 19 Sep 2019 15:57:36 -0700 (PDT)
MIME-Version: 1.0
References: <156249708979.14501.13745976049183757305@ietfa.amsl.com> <CAFDDyk8iG0R2rT7x-t7fHkFxcYBBkf8j1-mg1xbexoh8gXts6A@mail.gmail.com> <7BDE969A-7B5F-4979-B4E9-7E6C03C0A1B1@ericsson.com>
In-Reply-To: <7BDE969A-7B5F-4979-B4E9-7E6C03C0A1B1@ericsson.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 19 Sep 2019 15:57:20 -0700
Message-ID: <CAFDDyk_yoOu01nBPrBj_AVBugFRGUCOthYDysOuAGCrKNWG8dg@mail.gmail.com>
Subject: Re: Genart last call review of draft-ietf-tls-exported-authenticator-09
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-tls-exported-authenticator.all@ietf.org" <draft-ietf-tls-exported-authenticator.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000030254e0592efe1ef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/A__yZC7W7ISY8ueOWSfmdnroGrs>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 22:57:41 -0000

Thanks Christer,

Some answers to your questions inline. I'm not sure further changes along
the lines suggested here are needed, but I'm open to arguments that point
in that direction.

On Thu, Sep 19, 2019 at 1:55 AM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Hi Nick,
>
> Thanks for your reply! Please see inline.
>
> >>MIN_1:
> >>The last sentence of Section 1 says that the mechanism requires TLS
> version 1.2
> >>or later. Would it be useful to state that in a dedicated Applicability
> section?
> >
> > I'm disinclined to include an applicability section considering how
> short it would be.
> > I'm open to being convinced otherwise with examples.
>
> If others think it's clear enough (or, that it doesn't need to be that
> clear, because earlier versions will anyway disappear), I am fine to keep
> in in Section 1.
>
> ---
>
> >> MIN_2:
> >> Can the mechanism be used also for DTLS?
> >
> > I think the answer is yes. I don't see any reason to disallow the use of
> Exported Authenticators in DTLS.
>
> Would it be useful to clarify that?
>

Going through what the modified text would look like, it seems like a
substantial amount of re-writing (even the title!) for what amounts to an
unclear use case. Keeping in mind that DTLS 1.3 hasn't been finalized and
doesn't directly define exporters, I'm disinclined to define how EAs would
work with DTLS. If someone has a strong use case for EA in DTLS, it may be
worth considering it.


>
> ---
>
> >> MIN_3:
> >> The documents talk about additional certificates. If I only have one
> additional
> >> certificate, can I use that for multiple authenticators throughout the
> TLS
> >> session?
> >
> > Yes, there is nothing disallowing the creation of multiple exported
> authenticators with the same certificate.
>
> Would it be useful to clarify that?
>

I'm not convinced this is a realistic use case. Since exported
authenticators are based on the exporter, there is no inherent ordering. If
you re-authenticate with the same certificate, there's nothing asserting
freshness of the second certificate. Is there something in the text that
suggests that using a certificate multiple times is disallowed? If there's
no suggestion that this is not possible that needs to be corrected, I don't
see the benefit of calling out this specific use case.

>
> ---
>
> >> MIN_4:
> >> Section 3 and 4 say that the authenticator request and authenticator
> SHOULD be
> >> sent using TLS, and Section 1 says that the proof of authentication can
> be sent
> >>out-of-band. I think it would be useful to clarify whether both the
> >>authenticator request and authenticator can be sent out-of-band ( i.e.,
> not
> >>using the TLS connection that the additional authentication is associated
> >>with), and also to state whether it IS allowed to send the authenticator
> >>request and authenticator on the TLS connection they are associated with.
> >
> > Good point. I can clarify this a bit. Both the authenticator and
> authenticator request can be sent
> > through either the TLS connection they were derived from or another TLS
> connection altogether.
> > The important part is that they are sent over an encrypted and
> authenticated connection.
>
> Thanks!
>
> ---
>
> >> MIN_5:
> >> Section 5 talks about an endpoint sending an empty authenticator. But,
> what if
> >> the sender of the authenticator request does not receive anything?
> Does it
> >> simply move on? Does it terminate the TLS session? Is the action based
> on local
> >> policy?
> >
> > The TLS layer is stateless. The decision to time out or fail the
> connection if an authenticator request
> > is not responded to is left to higher-level protocols that leverage EAs.
> >
> >> MIN_6:
> >> Related to MIN_5, I can't find text about how endpoints inform each
> other about
> >> the support of the mechanism, so maybe a few words about that would be
> useful.
> >> And some words about backward compatibility with endpoints that don't
> support
> >> the mechanism.
> >
> > Adding an extension to signal support for exported authenticators was
> discussed at some point,
> > but it was decided that the higher-layer application should handle the
> signaling.
> >
> >> MIN_7:
> >> What happens if the validation of an authenticator fails? Does the
> requester
> >> simply move on? Does it terminate the TLS session? Is the action based
> on local
> >> policy?
> >
> > This is also up to the application-layer protocol. I'll add text
> covering MIN_5, MIN_6 and MIN_7.
>
> Thanks!
>
> ---
>
> >> ED_1:
> >> The document uses "session", "TLS connection" and "TLS communication"
> >> terminology. Is that intentional, or wouuld it be possible to use
> consistent
> >> terminology?
> > Good note. I'll standardize on "connection".
>
> Thanks!
>
> ---
>
> >> ED_2:
> >> Section 3 says: "The authenticator request is a structured message that
> can be
> >> created..." Section 4 says: "The authenticator is a structured message
> that can
> >> be exported..."
> >>
> >> In the 2nd paragraph of Section 4 it is stated that "authenticator" is
> sent
> >> based on an "authenticator request". I wonder if that could be stated
> already
> >> in the beginning of Section 4, to further clarify the difference
> between them.
> >> E.g.,
> >>
> >> "The authenticator is a structured message, triggered by an
> authenticator
> >> request, that can be exported from either party of a TLS connection."
> >
> > The issue is that servers can generate spontaneous exported
> authenticators without
> > an authenticator request.
>
> Where is this written? Did I miss it?
>

Section 4:

   An authenticator message can be constructed by either the client or
   the server given an established TLS connection, a certificate, and a
   corresponding private key.  Clients MUST NOT send an authenticator
   without a preceding authenticator request; *for servers an
   authenticator request is optional*.  For authenticators that do not
   correspond to authenticator requests, the certificate_request_context

   is chosen by the server.


>
> > Given this, the updated sentence would be:
> >
> > "The authenticator is a structured message, sometimes triggered by an
> authenticator
> > request, that can be exported from either party of a TLS connection."
> > Which I'm not sure is an improvement to readability.
>
> I agree that "sometimes triggered" does not improve readability, but
> doesn't there still always have to be at least one authenticator request
> before any authenticator is sent?
>
> Regards,
>
> Christer
>
>
>