IETF Logo Mail Archive

Re: [kitten] Status update on draft-ietf-kitten-tls-channel-bindings-for-tls13-15

Sam Whited <sam@samwhited.com> Wed, 04 May 2022 13:38 UTC

Return-Path: <sam@samwhited.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DECDC157B55 for <kitten@ietfa.amsl.com>; Wed, 4 May 2022 06:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=samwhited.com header.b=Zybp4bu5; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Wkh/8kiF
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XZnmKlr5nzL for <kitten@ietfa.amsl.com>; Wed, 4 May 2022 06:38:47 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA439C157B50 for <kitten@ietf.org>; Wed, 4 May 2022 06:38:47 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 24D133200953; Wed, 4 May 2022 09:38:45 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute1.internal (MEProxy); Wed, 04 May 2022 09:38:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1651671524; x= 1651757924; bh=JjylQOsds65KEkFJi4UcWJkl8l6XHsZ76gnBxFr6YtM=; b=Z ybp4bu5sIQ0X+hX3DJ9/vJ5vL1C8NDQo3Xn8zbCCT5SEhnvBojof2Gv8X/bYruW7 jLZSE1knxeLp4H9tq1mvL1SAFKtgSgNMOl7jH2+UfKHDrYT/x+k3GHeiEDOmvHH9 Tk80/FfJre5Ubd+mn/RwRVSuoJk/xeB4NfW3Ya3JOSpN+zcuNesZa33Am0312QNB vE1jBKxzjjMxNJYPvCKLwkDI+a/sYqpcptoFMB5Fmafmm7GAOcROXb1sKekwGrau kXQYXoqScWP3ouM4/MnFziVTASNkV0i4MVJCOzVGCs07ZjIIqUGoRBlnvVM82T/n tGUPLZiYG1po1sJ0FMocQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1651671524; x=1651757924; bh=JjylQOsds65KE kFJi4UcWJkl8l6XHsZ76gnBxFr6YtM=; b=Wkh/8kiFtcRr8CGOyjN8X9SZxgRnG fYOExSMExQd0LY62fHT3alnQmgw5QAo5ePokYCWFAbsrbfYIbYQkungafBOOVpEt 4vae1Ss6kUYwu+FxNAvX1Jrgdf/6UVM0LBKOLyeUzUdtoC2fyHDko6fHPA1zA8su IY1XK2o+Yhth/Gk9PHKEyF2TTe6pvcK4g+nuLfbweVSpzfgyo7WEsl0q7D3FVgSz f3n5kce6SRVMQYQ/WQujc50qmE0Aacy2IRA1eP1TScVLBHuxwuUrQFIqQckFR1Gl 7HiYOX3jQlZvsDIoSuw5SZRyBtQ+f+43QZrmXsnrEvG9rE9dtenQovMIQ==
X-ME-Sender: <xms:5IFyYogQuXQ8nGKmI_axMWxlpgFws238wmqQmSWlPPFLHgymMks4tQ> <xme:5IFyYhBW_GzxI1A1GYuVWX-QC_IS3HYmmT9nrldDMH-n38hfS9uEKjUVeUU_wtmsS n3iAi4D0AwnSXmHEQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrvdelgdeijecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvvefutgfgsehtqhertderreejnecuhfhrohhmpedfufgr mhcuhghhihhtvggufdcuoehsrghmsehsrghmfihhihhtvggurdgtohhmqeenucggtffrrg htthgvrhhnpeeludfgveehhfeffeefkeejfffhheeiheeugfduuefgheejkeehjeejjefh heffleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hsrghmsehsrghmfihhihhtvggurdgtohhm
X-ME-Proxy: <xmx:5IFyYgFd40pQDEp4foX7EQmXSPQZBWMek1IwZ9oWIyEkQXEo8FZIRA> <xmx:5IFyYpTrLAjQuhLbHwz1ltFYwQhrqQzLFJ_tzl2y5mgQgz11kjeGFg> <xmx:5IFyYlwKe5eL78FCjn4SE0QW0fJ09lHTecz_4mo1cHXtDFB3XfKpPQ> <xmx:5IFyYmpV1gf3KviJMtdB7oMBRLsVpJlxsMZhjrhFMdindeCAcMZiUA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 4AF02BC005D; Wed, 4 May 2022 09:38:44 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-591-gfe6c3a2700-fm-20220427.001-gfe6c3a27
Mime-Version: 1.0
Message-Id: <861ed39c-21ef-45f3-875f-34ba92bd340a@www.fastmail.com>
In-Reply-To: <CAGL5yWbkvTnYon2smL+RZ1+SDG=f2=TrivhP23e7336K6cg2Dw@mail.gmail.com>
References: <9365ee48-162a-4b1f-20b5-4f3853e43201@isode.com> <52B1911E-5D62-49F1-91AC-D4B9476A9CA2@aiven.io> <f1e8c499-49c7-c41c-c641-a51c0f2010e2@isode.com> <CAGL5yWbkvTnYon2smL+RZ1+SDG=f2=TrivhP23e7336K6cg2Dw@mail.gmail.com>
Date: Wed, 04 May 2022 09:38:24 -0400
From: Sam Whited <sam@samwhited.com>
To: Paul Wouters <paul.wouters@aiven.io>, Alexey Melnikov <alexey.melnikov@isode.com>
Cc: KITTEN Working Group <kitten@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/EGtbhv_I1vBJoU3SgO4y7ihT7GQ>
Subject: Re: [kitten] Status update on draft-ietf-kitten-tls-channel-bindings-for-tls13-15
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 13:38:52 -0000

It seems that I was wrong about there being no consensus since it does
seem like everyone is speaking in favor of making this change and no one
but me is in support of leaving it as is. I still strongly feel that the
WG is incorrect and that leaving it off is a bad idea, but in the
interest of cooperation I will make the change.

—Sam

On Mon, May 2, 2022, at 15:37, Paul Wouters wrote:
> On Tue, Apr 26, 2022 at 6:35 PM Alexey Melnikov
> <alexey.melnikov@isode.com> wrote:
>
>> On 25/04/2022 16:34, Paul Wouters wrote:
>> > i am confused how an Updates: call is depending on consensus.
>> > either it
>> updates something said in that document or it doesn't.
>> >
>> > in theory this cannot be a subjective call?
>>
>> The shortish version of the argument is as follows:
>>
>> 1) The desire to include "Updates: RFC 8446" header in draft-ietf-kitten-tls-channel-bindings-for-tls13-
>>    15 is to make the new TLS 1.3 channel binding "tls-exporter" be
>>    discoverable by SASL/GSSAPI implementors.
>>
>> 2) "Updates" header is typically used to make implementors of the
>>    updated RFC be aware of important fixes (in particular changes in
>>    behavior) or mandatory extensions. In the past it was sometimes
>>    used by optional extensions, but this practice is not generally
>>    supported now.
>>
>> 3) TLS WG now uses higher bar for other documents to include
>>    "Updates: RFC 8446". Optional extensions (such as draft-ietf-kitten-tls-channel-bindings-for-tls13-
>>    15) don't meet this bar.
>>
>> 4) draft-ietf-kitten-tls-channel-bindings-for-tls13-15 doesn't define
>>    a mandatory-to-implement extension for TLS 1.3 implementations.
>>    Because of
>> 2) and 3) it must not include "Updates: RFC 8446". Additionally,
>>    implementors can discover this extension through a) IANA registry
>>    of channel bindings or b) through Updates: 5801 (SCRAM) or
>>    Updates: 5929 (Channel Bindings for TLS). RFC 5801 is the most
>>    likely reason why people would implement any TLS channel binding
>>    in the first place.
>>
>> Best Regards,
>>
>> Alexey
>>
>
> Thanks for the update. Based on this, plus Ben Kaduk's investigation
> into the consensus, plus my own reading that I believe that there is
> no need for an Update: clause. I set my ballot to DISCUSS to resolve
> this issue before the document can proceed.
>
> As suggested, an Errata can be filed for 8446 to leave a pointer that
> the statement is no longer correct.
>
> Sam, as the author of a WG document, you should be making the change
> requested by the WG. If you really are not planning to make this
> change, the WG chair can either add another author to make the change
> or we can make the changes in AUTH48. But obviously, the easiest is if
> you would just proceed with this as per WG request.
>
> Thank you,
>
> Paul
>
>
>
>
>
>>
>> > Sent from my iPhone
>> >> On Apr 25, 2022, at 16:11, Alexey
>> >> Melnikov<alexey.melnikov@isode.com>
>> wrote:
>> >>
>> >> Quick status update on this.
>> >>
>> >> draft-ietf-kitten-tls-channel-bindings-for-tls13-15 includes
>> >> "Updates:
>> RFC 8446".
>> >>
>> >> After reviewing various mailing list discussions, I confirm that
>> inclusion of this header in the draft doesn't represent IETF
>> consensus. So the header needs to be taken out. Sam, I know that this
>> is not what you personally prefer, but are you willing to make the
>> change?
>> >>
>> >> The document also needs to have a "Yes" ballot from one of current
>> >> IESG
>> members. So I separately asked Paul Wouters (our new Sec AD) to do
>> the document review.
>> >>
>> >> Best Regards,
>> >>
>> >> Alexey, as a KITTEN chair
>> >>
>> >>
>>

-- 
Sam Whited

v2.23.0 | Report a Bug | By Email