Re: [kitten] last call: draft-ietf-kitten-tls-channel-bindings-for-tls13-02
Sam Whited <sam@samwhited.com> Fri, 12 March 2021 15:13 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ALlxJFn_KD2zord4Y66unEFodyQ>
Thank you, I've moved this into a new "Use with Legacy TLS" section under the security considerations. I think that "must" should remain lower case since it's on something a bit hand-wavy and doesn't mention any real behavior or changes to make.

I'll wait a bit longer for more feedback then push an update with what I've got so far. Thanks again!

—Sam

On Fri, Mar 12, 2021, at 09:56, Dave Cridland wrote:
> Hi Sam, Kittens,
>
> Summary: Yeah, ready, I think, but a tiny bit of wordsmithing might
> benefit.
>
> Main Issue:
>
> Use with TLS 1.2 is not entirely clear. I think all the information is
> there, but it's a little scattered, and I misread the "When TLS
> renegotiation is enabled (pre TLS 1.3)" initially. While TLS 1.3 is
> obviously desirable, there's enough TLS 1.2 out there that making this
> clear would be a benefit.
>
> So I would personally extract the last paragraph of §2 and the first
> from §3 into a new section (§2.1, §3.1, or something else). A
> suggestion of actual text for this new version (mostly a cut and
> paste). I'm not sure if the "must" wants to be a MUST here, either:
>
> Use with earlier TLS versions
>
> While it is possible to use this channel binding mechanism with TLS
> versions below 1.3, extra precaution must be taken to ensure that
> the chosen cipher suites always result in unique master secrets.
> For more information see the Security Considerations section of
> [RFC5705].
>
> In addition, session renegotiation MUST NOT be enabled. When TLS
> renegotiation is enabled the "tls-exporter" channel binding type is
> not defined and implementations MUST NOT support it.
>
> If you use this suggestion, you may wish to include a "Other security
> considerations are discussed throughout this document" in Security
> Considerations, and you may wish to do that anyway.
>
> You may also want to drive home the point that people really ought to
> just use 1.3.
>
> Many thanks for writing this document and riding it through, I fully
> intend to implement as and when the APIs surface.