Re: [kitten] Status update on draft-ietf-kitten-tls-channel-bindings-for-tls13-15

tom petch <daedulus@btconnect.com> Thu, 28 April 2022 16:11 UTC

To: Alexey Melnikov <alexey.melnikov@isode.com>, Paul Wouters <paul.wouters@aiven.io>
Cc: kitten@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ivGauUd-1qma1-2glSVE-ieGPyI>

On 26/04/2022 17:35, Alexey Melnikov wrote:
> On 25/04/2022 16:34, Paul Wouters wrote:
>> I am confused how an Updates: call is depending on consensus. Either
>> it updates something said in that document or it doesn't.
>>
>> In theory this cannot be a subjective call?
>
> The shortish version of the argument is as follows:
>
> 1) The desire to include "Updates: RFC 8446" header in
> draft-ietf-kitten-tls-channel-bindings-for-tls13-15 is to make the new
> TLS 1.3 channel binding "tls-exporter" be discoverable by SASL/GSSAPI
> implementors.
>
> 2) The "Updates" header is typically used to make implementors of the
> updated RFC aware of important fixes (in particular changes in
> behavior) or mandatory extensions. In the past it was sometimes used by
> optional extensions, but this practice is not generally supported now.
>
> 3) The TLS WG now uses a higher bar for other documents to include "Updates:
> RFC 8446". Optional extensions (such as
> draft-ietf-kitten-tls-channel-bindings-for-tls13-15) don't meet this bar.
>
> 4) draft-ietf-kitten-tls-channel-bindings-for-tls13-15 doesn't define a
> mandatory-to-implement extension for TLS 1.3 implementations. Because of
> 2) and 3) it must not include "Updates: RFC 8446". Additionally,
> implementors can discover this extension through a) IANA registry of
> channel bindings or b) through Updates: 5801 (SCRAM) or Updates: 5929
> (Channel Bindings for TLS). RFC 5801 is the most likely reason why
> people would implement any TLS channel binding in the first place.

Alexey

My initial reaction was that you were spot on but re-reading the I-D and 
RFC, the problem is that RFC8446 says that there are no channel bindings 
which is rather off-putting.  If it had said 'at this time' 'for future 
study' or some such then I would not see a problem.  It is the somewhat 
dogmatic 'are not defined for TLS1.3' that I think will mislead people 
and warrants an update.

Perhaps an Erratum for RFC8446 would do the trick.

Tom Petch

>
> Best Regards,
>
> Alexey
>
>> Sent from my iPhone
>>> On Apr 25, 2022, at 16:11, Alexey
>>> Melnikov <alexey.melnikov@isode.com> wrote:
>>>
>>> Quick status update on this.
>>>
>>> draft-ietf-kitten-tls-channel-bindings-for-tls13-15 includes
>>> "Updates: RFC 8446".
>>>
>>> After reviewing various mailing list discussions, I confirm that
>>> inclusion of this header in the draft doesn't represent IETF
>>> consensus. So the header needs to be taken out. Sam, I know that this
>>> is not what you personally prefer, but are you willing to make the
>>> change?
>>>
>>> The document also needs to have a "Yes" ballot from one of current
>>> IESG members. So I separately asked Paul Wouters (our new Sec AD) to
>>> do the document review.
>>>
>>> Best Regards,
>>>
>>> Alexey, as a KITTEN chair
>>>
>>>