IETF Logo Mail Archive

Re: Artart last call review of draft-ietf-mile-rolie-10

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 13 October 2017 14:21 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6B511320C9; Fri, 13 Oct 2017 07:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f__3lQf2T95D; Fri, 13 Oct 2017 07:21:04 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 463EA120720; Fri, 13 Oct 2017 07:21:04 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id l188so10435190pfc.6; Fri, 13 Oct 2017 07:21:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=71cgjs9Yt2MqZcSaV5HJSutli3rMlIiG6jtDQWbNGSQ=; b=sI0R2R25ZLgqxlnkvsVOj3cUEQJlDJMjvHrPiJJhdFmaTcor/P/mbJF33MlhJtkU0D jz6b1KEe3gG+9m/kyniRP+4pLasNn3FnZqVfverwE1oAmR0eJ9GQWP8opjlzxstjhzHE PcEr0bwg9n0GpS8bbyqzzTrwMPEduPioHqzbgSngT9x8k/preXx3t7H+iWi4Kfxgr4Zz +IFUlehMgZZtnKgLjUA8ZHzglNYs7IB8PZZ+PziRmFTKAojmoe0DhdNNy0Z2lQNWjx9E Fyns6Fb7RhhjNtgEOhLzTGLJRj1old+h56/3/YEgL8HLGlPe4vl522ap39Nb3e0dHlII fxUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=71cgjs9Yt2MqZcSaV5HJSutli3rMlIiG6jtDQWbNGSQ=; b=Fq42EVeYl6MDfuXtGS669MOlKTAaGw03otBF12AN5SFQceQgJuaCOgiz5SB2wzfmQZ ZJ0nItl/BAU9nL13dIrHOZEG5V6Qqw+FRE0Ek9K1Xka2BY5nnj7B5gO7iMbKm708WxEk cvdG57vZ+5AU7LHuNd7ZbwYjW7qMDAEeoWkQP8j8kK9KsAhF0oShZCQwfYAPnrfz/tMS ItgLCGVbtXCa4KCtJVm3MVhRaLOssHaX6+JS3MZRVHJ0GmwuQrukvErumWZNbE85OAAZ Czqi0ZcczLWrceknuJLCukqK/bymDT1f81eAv8dLZd5mJ4rRGD9ZadJ6MRMxE0O2u8G+ uI/Q==
X-Gm-Message-State: AMCzsaUYC8BAd2YsveacDIVnGK9oRKxBhsIKBH3Pe6PJm9FKeD6HXdGI 0lSxl17lbpmuvZ5x71utYnMyhnEYUXriXEbzKws=
X-Google-Smtp-Source: AOwi7QAXF5iZCwosIRCer0YIDh/8hPLrKycPws4yc47QdQ2BbEq7TATycBWK+/hmLKtbUQp7WGDEdIOXQHBMA7pKFyE=
X-Received: by 10.101.83.12 with SMTP id m12mr1450021pgq.153.1507904463823; Fri, 13 Oct 2017 07:21:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.186.194 with HTTP; Fri, 13 Oct 2017 07:20:23 -0700 (PDT)
In-Reply-To: <CABkgnnU=FJvYzjK0B8z3Ry=W9DXzd98Miw8YB2cP9r0tFeef8A@mail.gmail.com>
References: <150752570618.18384.5615358468704377459@ietfa.amsl.com> <20171009235717.GN96685@kduck.kaduk.org> <CABkgnnXdq6GKBXrowPTva1MU+X6WSMR2uB7df-2oHaKv=_2rdA@mail.gmail.com> <CAHbuEH5C_GAkeLj6Pda5usY4PYXb1uwY8jzwnnvAV6Ao7v+d2A@mail.gmail.com> <CABkgnnU8BAdaB05-VQR6R=Ei-E_Ji=OZvVXa=JzX=UoFFDS2wA@mail.gmail.com> <1D786709-4F2C-4D39-B55D-A4F9EBE82C99@gmail.com> <CABkgnnU=FJvYzjK0B8z3Ry=W9DXzd98Miw8YB2cP9r0tFeef8A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 13 Oct 2017 10:20:23 -0400
Message-ID: <CAHbuEH7dC7TcgzYmEEjfRh5HHcu4Mu1eOm9MWzq8EH9v3EGTmw@mail.gmail.com>
Subject: Re: Artart last call review of draft-ietf-mile-rolie-10
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, ART Area <art@ietf.org>, MILE IETF <mile@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, draft-ietf-mile-rolie.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/xphVXVBoPHXlTSxVva8jgTG1-3Y>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 14:21:06 -0000

The telechat prep delayed my response.  Inline.

On Mon, Oct 9, 2017 at 11:45 PM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On Tue, Oct 10, 2017 at 2:05 PM, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>> I'll review and see if the WG participants can as well.  I think there will be many applications to follow with high security requirements and no tolerance for replay attacks.
>
> That is true, but it's not clear to me that this is a protocol that is
> intolerant of replay.  AtomPub follows a pattern that limits exposure
> fairly well.  The primary thing to safeguard in ROLIE is the
> confidentiality of the content, and replay won't generally compromise
> that.  The sorts of things you might see is duplicate resource
> creation (we recommend against POST in early data for that reason; we
> also recommend against PUT), and the sort of traffic analysis and
> timing side channel information that reveals if resources exist or
> have been updated (which shouldn't be an issue here).

I see what you are saying and that makes sense, but you also lose
forward secrecy with 0RTT and that is a problem.  I think we need to
accept that there will be uses of HTTP that will not allow for 0RTT.
In the draft you mentioned in the HTTP working group, section 3 even
starts out with, "When a server enables early data", meaning it won't
always be appropriate.  I do think that draft should be more clear on
the risks, with a pointer back to Section 2.3 of TLS 1.3.

I think there will also be cases where HTTP is used and the profile
isn't a fit.  Since some implementations of TLS 1.3 keep the streams
separate (0RTT and full negotiation), just using the full negotiation
stream will reduce configuration problems for implementers.  Lots of
security problems are the result of configuration mistakes and if we
can avoid them in places where it matters, we should.

The systems running ROLIE will be ones that enterprises will regard as
high value assets. Replay attack and lack of forward secrecy aren't
acceptable.  The same will be true of many other HTTP enabled
services.  A performance gain isn't worth the trade off.  Even with
the profile you've created, the server has the option to not enable
early data, although that's not as clear as I think it should be in
the draft and is something that would be good to improve,  If
developers implementing the HTTP profile only look at this draft, they
have to have enough context to understand the implications that they
must in turn ensure implementors of their code/applications using code
have the information to make appropriate decisions for their
environment.  I hope that's helpful enough for an update of your
profile draft.

My opinion is that for ROLIE, there is no need for 0RTT.  I'm not sure
a slight delay in publication would matter much since TLS 1.3 is
getting closer to publication.  If it is, we could also play with the
language so it's an informational reference if there is a rush.

Thanks for your thoughtful review.



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email