Re: [kitten] Roman Danyliw's Discuss on draft-ietf-kitten-tls-channel-bindings-for-tls13-14: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Mon, 28 February 2022 23:04 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F19B83A16BE; Mon, 28 Feb 2022 15:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxGby0yAdCj7; Mon, 28 Feb 2022 15:04:35 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CC3E3A16EB; Mon, 28 Feb 2022 15:04:31 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 21SN4Joj014294 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 28 Feb 2022 18:04:25 -0500
Date: Mon, 28 Feb 2022 15:04:19 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Sam Whited <sam@samwhited.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, KITTEN Working Group <kitten@ietf.org>, draft-ietf-kitten-tls-channel-bindings-for-tls13@ietf.org, kitten-chairs@ietf.org
Message-ID: <20220228230350.GE12881@kduck.mit.edu>
References: <164608463345.19675.8608334448565188645@ietfa.amsl.com> <ebda7696-3163-4ed8-a309-9123a6eaac1f@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <ebda7696-3163-4ed8-a309-9123a6eaac1f@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/sA8K1Q5UnVUtGoT8wKXzACcn6TU>
Subject: Re: [kitten] Roman Danyliw's Discuss on draft-ietf-kitten-tls-channel-bindings-for-tls13-14: (with DISCUSS and COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2022 23:04:38 -0000
Hi Sam, On Mon, Feb 28, 2022 at 05:39:08PM -0500, Sam Whited wrote: > > > On Mon, Feb 28, 2022, at 16:43, Roman Danyliw via Datatracker wrote: > > (a) 'tls-unique' is the default channel binding type for any > > application that doesn't specify one. > > > > (b) Servers MUST implement the "tls-unique" [RFC5929] channel > > binding type, if they implement any channel binding. > > > > Section 3 of this document says: > > > > (c) As "tls-unique" is not defined for TLS 1.3 (and greater), this > > document updates [RFC5801], [RFC5802], and [RFC7677] to use "tls- > > exporter" as the default channel binding over TLS 1.3 (and > > greater). Note that this document does not change the default > > channel binding for SCRAM mechanisms over TLS 1.2 [RFC5246], which > > is still "tls-unique". > > > > No problem with the guidance in (c). Without specific citations being > > made, I’m inferring that (c) is intended to “update”/clarify (a) in a > > TLS 1.3 context. > > > > To the issue of MTI, (c) is silent on the guidance in (b). Since “tls- > > unique” is not defined for TLS 1.3, how would an implementer comply in > > the case of a server that is TLS 1.3 only? Should this document make > > a statement to the effect of “tls-exporter” is MTI for any servers > > implementing TLS 1.3? > > I'm not sure that I understand the question; as you said, this updates > the use from "tls-unique" to "tls-exporter", but only when using TLS > 1.3. So in a TLS 1.3-only context you would use "tls-exporter" just as > you would use it when TLS 1.3 was being used even if TLS 1.2 is > also supported. I think Roman's concern is that the current text in this draft provides a clear statement that modifies the (a) portions of RFCs 5801/5802, but doesn't provide a clear statement that this draft also updates the (b) portions of 5801/5802. So we would presumably add another sentence like "additionally, this document updates ... to make 'tls-exporter' the mandatory to implement channel binding [if TLS 1.3 is implemented]". More wordsmithing is likely needed than my off-the-cuff phrasing here, and ideally would be able to reuse the "MUST implement" phrasing from the other documents. > > > Thanks for this document to ensure TLS 1.3 support in SCRAM and > > GSS-API. > > Thank you for the review! > > > ** The “updates” header doesn’t note RFC8446 but the abstract and > > Section 1 suggest that this document does update it. Per Martin > > Duke’s DISCUSS point (which I support), please clarify. > > I have fixed this in my next draft; this was accidentally removed when > applying suggested changes that were sent to me by another reviewer. With all due respect, I must object. My willingness to advance this document for IESG consideration was predicated on this document *not* having an "Updates:" relationship with RFC 8446, based on my assessment of IETF consensus. I understand that you feel strongly that the "Updates:" relationship should be present, but we can only add that relationship with IETF consensus, and I do not believe that such consensus is present. There is an appeals process (§6.5 of RFC 2026) that applies if you think my assessment of IETF consensus is flawed, and I'd be happy to hear about any factors that I may have missed in making that assessment. > > > ** Per Section 3 … this document updates [RFC5801], [RFC5802], and > > [RFC7677] to use "tls- exporter" as the default channel binding over > > TLS 1.3 (and greater). > > > > In what way is RFC7677 being updated? If RFC5802 is already updated > > to required tls-exporter for TLS 1.3 what additional guidance is > > needed for RFC7677? > > RFC7677 doesn't need to be updated in the sense that it just says to > do whatever RFC5802 says, but not mentioning it would be confusing, I > suspect. I suppose I can change the text to read something along the > lines of "RFC5802, and by extension RFC7677, are updated", but I > don't think it's strictly necessary. I think it's clear what the > changes are either way, but I'm happy to reword this if you think it > would be clearer. For Roman's benefit, the "updates: 7677" was added in response to an earlier reviewer's comments: https://mailarchive.ietf.org/arch/msg/kitten/DvDUpK3FvxNX09zuRwOJvAsKXig/ is a link to the middle of that thread. The rewording you propose here looks good to me, for what it's worth. Thanks, Ben
- [kitten] Roman Danyliw's Discuss on draft-ietf-ki… Roman Danyliw via Datatracker
- Re: [kitten] Roman Danyliw's Discuss on draft-iet… Sam Whited
- Re: [kitten] Roman Danyliw's Discuss on draft-iet… Benjamin Kaduk
- Re: [kitten] Roman Danyliw's Discuss on draft-iet… Sam Whited
- Re: [kitten] Roman Danyliw's Discuss on draft-iet… Alexey Melnikov
- Re: [kitten] Roman Danyliw's Discuss on draft-iet… Sam Whited