Re: [kitten] last call: draft-ietf-kitten-tls-channel-bindings-for-tls13-02
Sam Whited <sam@samwhited.com> Fri, 12 March 2021 15:13 UTC
Return-Path: <sam@samwhited.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 691223A120E for <kitten@ietfa.amsl.com>; Fri, 12 Mar 2021 07:13:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=samwhited.com header.b=KNkOq4mk; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=id8416aQ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QfU55XzHVr4x for <kitten@ietfa.amsl.com>; Fri, 12 Mar 2021 07:13:21 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F5B3A16F1 for <kitten@ietf.org>; Fri, 12 Mar 2021 07:12:18 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 5BC535C006F for <kitten@ietf.org>; Fri, 12 Mar 2021 10:12:17 -0500 (EST)
Received: from imap34 ([10.202.2.84]) by compute4.internal (MEProxy); Fri, 12 Mar 2021 10:12:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm2; bh=uyQ2L FUsEUDJBMDesl23gxBJkox1ZPvR0GGZ0VEyp4A=; b=KNkOq4mkaBpxUfbc0aoEi Mys78/1TUh5g01yIsc7Yzzamqpphr2JIMPeycdaq/Awufx4F1n2+ALptVLUX4aOm Vd2Zzd10sjFkBWZ8g0cVKGw0Rf7ULaIAcPwEh/L+SF2ebfdQ85Askk30o4YchTbz KNPa5EItg39/PHAjVjnC1Q+DqLkA3BeIImm8i56DPMxvVpfnA3/wYTHox0691Dgb JrEzswu43UQOVhaQ9cjb9FXmoU3uzCXC5bmxUvesoF3HHqEch4ioEclDXxQ8+Ogm XHe5tLeEYztvLFmv/Z8nf5KkUoNqp6GKvbrd8YS8Po8QTnaCqHDVyUvE3yWVEY7H g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=uyQ2LFUsEUDJBMDesl23gxBJkox1ZPvR0GGZ0VEyp 4A=; b=id8416aQTgtJ+GYUD8bOFCp/m3eKjWmX5KY253qXGU8j6IBr0sok5reeA CB+ktFJFn1h3OjCqJutyhIznyOOB8ZuQMHmaSHAdN3YYGEotLMpI0TMJBI/O58fZ fAVj+SpTd/4ky2cD3NQoJ6jmaOodkrIm5zjN43djPZHkeVZKhVBc0BwDWp8kearN IAi0o9OYEDLY0PhKhj9VVntriNPB5m0UJbAqnx8VLglxstIrJjo8JMN3r9izSIvK dKyMmBsbXuuuzplDltfw0Yx2UQptxQ5OOKGlIFhNQoYDmWtl9dOz5S5SUPD5kypR WRK4OEtp7+Tu4SNAFyjPyC1YiMVVQ==
X-ME-Sender: <xms:0YRLYEhXEJm2Cie_bnhlliEHNtq0wwUxxLXq9uD5hd2cDdoUEq3P8A> <xme:0YRLYND1tQh2yVonQDJJsrsQO9vjDE06En640iE8Udv4G_1AM_LWZClohxWlF1rYN x9_-v38y1G4oXpIGQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledruddvvddgjeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgfgsehtqhertderreejnecuhfhrohhmpedfufgr mhcuhghhihhtvggufdcuoehsrghmsehsrghmfihhihhtvggurdgtohhmqeenucggtffrrg htthgvrhhnpedvffeuvdduhfefvdeiheeukeffhfekjeevgffggedtlefhhffhieevkedu vefhjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hsrghmsehsrghmfihhihhtvggurdgtohhm
X-ME-Proxy: <xmx:0YRLYMHhciNahO2_xiLsUJbE4g4blUVgvZdt4k82lPZxLKQjY_yNTA> <xmx:0YRLYFTxjA_pWwUiIhuNK39nHGq3U2H3oMz-isy2biDP3EzNzk_Hqg> <xmx:0YRLYBz9h83cNUxsE8CUuioHKAIKn5njN4r-OBRaD0S3jxjtl3a9Jw> <xmx:0YRLYA9jCcO6qa9W_NalcayErAkT-5KUpspBJPtSyjQermcWnAIsHw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 04001280074; Fri, 12 Mar 2021 10:12:16 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-206-g078a48fda5-fm-20210226.001-g078a48fd
Mime-Version: 1.0
Message-Id: <8191e1be-cd88-4194-a4e9-4d771e653167@www.fastmail.com>
In-Reply-To: <CAKHUCzyWR0Oq+2P7LfaVFXMe+kDhqj9aWhUdeupTavmvHJ1CgQ@mail.gmail.com>
References: <jlgy2eu3j6s.fsf@redhat.com> <CAKHUCzyWR0Oq+2P7LfaVFXMe+kDhqj9aWhUdeupTavmvHJ1CgQ@mail.gmail.com>
Date: Fri, 12 Mar 2021 10:11:55 -0500
From: Sam Whited <sam@samwhited.com>
To: KITTEN Working Group <kitten@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ALlxJFn_KD2zord4Y66unEFodyQ>
Subject: Re: [kitten] last call: draft-ietf-kitten-tls-channel-bindings-for-tls13-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 15:13:23 -0000
Thank you, I've moved this into a new "Use with Legacy TLS" section under the security considerations. I think that "must" should remain lower case since it's on something a bit hand-wavy and doesn't mention any real behavior or changes to make. I'll wait a bit longer for more feedback then push an update with what I've got so far. Thanks again! —Sam On Fri, Mar 12, 2021, at 09:56, Dave Cridland wrote: > Hi Sam, Kittens, > > Summary: Yeah, ready, I think, but a tiny bit of wordsmithing might > benefit. > > Main Issue: > > Use with TLS 1.2 is not entirely clear. I think all the information is > there, but it's a little scattered, and I misread the "When TLS > renegotiation is enabled (pre TLS 1.3)" initially. While TLS 1.3 is > obviously desirable, there's enough TLS 1.2 out there that making this > clear would be a benefit. > > So I would personally extract the last paragraph of §2 and the first > from §3 into a new section (§2.1, §3.1, or something else). A > suggestion of actual text for this new version (mostly a cut and > paste). I'm not sure if the "must" wants to be a MUST here, either: > > Use with earlier TLS versions > > While it is possible to use this channel binding mechanism with TLS > versions below 1.3, extra precaution must be taken to ensure that > the chosen cipher suites always result in unique master secrets. > For more information see the Security Considerations section of > [RFC5705]. > > In addition, session renegotiation MUST NOT be enabled. When TLS > renegotiation is enabled the "tls-exporter" channel binding type is > not defined and implementations MUST NOT support it. > > If you use this suggestion, you may wish to include a "Other security > considerations are discussed throughout this document" in Security > Considerations, and you may wish to do that anyway. > > You may also want to drive home the point that people really ought to > just use 1.3. > > Many thanks for writing this document and riding it through, I fully > intend to implement as and when the APIs surface.
- [kitten] last call: draft-ietf-kitten-tls-channel… Robbie Harwood
- Re: [kitten] [TLS] last call: draft-ietf-kitten-t… Watson Ladd
- Re: [kitten] [TLS] last call: draft-ietf-kitten-t… Nico Williams
- Re: [kitten] [TLS] last call: draft-ietf-kitten-t… Jonathan Hoyland
- Re: [kitten] [TLS] last call: draft-ietf-kitten-t… Watson Ladd
- Re: [kitten] [TLS] last call: draft-ietf-kitten-t… Jonathan Hoyland
- Re: [kitten] last call: draft-ietf-kitten-tls-cha… Dave Cridland
- Re: [kitten] last call: draft-ietf-kitten-tls-cha… Sam Whited