Re: [Lurk] review of draft-erb-lurk-rsalg-00
"Erb, Samuel" <serb@akamai.com> Thu, 19 May 2016 14:47 UTC
Return-Path: <serb@akamai.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E4A12D11E; Thu, 19 May 2016 07:47:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Level:
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15gJ9t4QlkXJ; Thu, 19 May 2016 07:47:24 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (prod-mail-xrelay06.akamai.com [96.6.114.98]) by ietfa.amsl.com (Postfix) with ESMTP id BDE3712D1DC; Thu, 19 May 2016 07:47:21 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 105D7496C3C; Thu, 19 May 2016 14:47:21 +0000 (GMT)
Received: from prod-mail-relay09.akamai.com (prod-mail-relay09.akamai.com [172.27.22.68]) by prod-mail-xrelay06.akamai.com (Postfix) with ESMTP id E4693496C2A; Thu, 19 May 2016 14:47:20 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1463669240; bh=B8dqEJoZl/ergZMzeSS2+GPE7HmABO1brFr4ayJCgOE=; l=18308; h=From:To:CC:Date:References:In-Reply-To:From; b=Ff2Eu11DuU2oz61aBUBDy1lnrT8L4aoDk8OB2UuSwDPpaRb13dzIDS2Q2o4cfWOiH lfh9U/5uwimqewGEkXk2tbancmVLVEZ7TCdscJzb/0x8oQAeQdiIbtGJ6ORTZVXQeo FumnamO0cvjnXUH5f69Mfx7/rebxNQrEYcN8KnyA=
Received: from email.msg.corp.akamai.com (ustx2ex-cas5.msg.corp.akamai.com [172.27.25.34]) by prod-mail-relay09.akamai.com (Postfix) with ESMTP id E13331E07C; Thu, 19 May 2016 14:47:20 +0000 (GMT)
Received: from USTX2EX-DAG1MB4.msg.corp.akamai.com (172.27.27.104) by ustx2ex-dag1mb5.msg.corp.akamai.com (172.27.27.105) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Thu, 19 May 2016 09:47:18 -0500
Received: from USTX2EX-DAG1MB4.msg.corp.akamai.com ([172.27.6.134]) by ustx2ex-dag1mb4.msg.corp.akamai.com ([172.27.6.134]) with mapi id 15.00.1130.005; Thu, 19 May 2016 09:47:17 -0500
From: "Erb, Samuel" <serb@akamai.com>
To: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>, "draft-erb-lurk-rsalg@ietf.org" <draft-erb-lurk-rsalg@ietf.org>
Thread-Topic: review of draft-erb-lurk-rsalg-00
Thread-Index: AQHRjSgxLdvcKsY9MEOp/jtebfUpbJ/AsSEA
Date: Thu, 19 May 2016 14:47:17 +0000
Message-ID: <9A3C81C9-7256-4037-BCB7-2855063EDE98@akamai.com>
References: <D32606D6.629BA%thomas.fossati@alcatel-lucent.com>
In-Reply-To: <D32606D6.629BA%thomas.fossati@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.44.55]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3546499638_555826988"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/lurk/V75npBxY2dAW5lfX1ev_B7n7qH0>
Cc: "lurk@ietf.org" <lurk@ietf.org>
Subject: Re: [Lurk] review of draft-erb-lurk-rsalg-00
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 14:47:29 -0000
Hi Thomas, Thanks for the comments & apologies for the slow reply. Comments in line as [SE] Thanks, Sam From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Date: Saturday, April 2, 2016 at 5:39 PM To: "draft-erb-lurk-rsalg@ietf.org" <draft-erb-lurk-rsalg@ietf.org> Cc: "lurk@ietf.org" <lurk@ietf.org> Subject: review of draft-erb-lurk-rsalg-00 Hi, thanks for the draft. The RSALG idea is really nice. A few comments: - Re: missing support for TLSv1.x x>2. We should probably think this a bit more: TLSv1.3 would probably be in the wild by the time LURK is finished? [SE] I agree – I’m not aware of any significant changes for TLSv1.3 for this draft? I could be wrong about this. The changes I see to watch out for are: - SignatureAlgorithm -> SignatureScheme https://tlswg.github.io/tls13-spec/#rfc.section.6.3.2.1 - 0RTT, but that appears to be resumption only https://tlswg.github.io/tls13-spec/#rfc.section.6.2.3 - There is no explicit requirement on the LURK box in terms of the algorithms it needs to support. What is the assumption? Probably there should to be an interface to allow the Server to know about the LURK box capabilities, so that it can negotiate TLS parameters with the client that won't fail the handshake mid-air? [SE] The LURK box should communicate it’s list of SignatureAlgorithm/SignatureScheme’s as it looks like that list will be more complex with TLSv1.3 (based on the link above) - I see the Server Key Exchange is still TBD, though a few things can be extrapolated from Section 4. I might be missing something, but I don't understand how the {client,server}_version fields would be relevant to a server_kx request? Which makes me wonder whether the request types could be refined a bit: it looks like server_kx and rsalg requests are different enough to be separate entities? Also, a RFC7627 version of rsalg would be quite different from the one currently defined. Any intention to support it? [SE] You’re correct – the client/server version fields likely should be removed from the server key exchange request (assuming no differences with TLSv1.3). [SE] For an RFC7627 version of RSALG, the client/server random fields could be made into a single variable length field? Is there overlap between a need to use RSALG (/RSA decryption) and RFC7627 support? (I wish I had data on that) - Last para of Section 3.2: "An attacker who later gains access to KeyOwner [...]" s/KeyOwner/Server/? [SE] Sorry, still need to update that. What was meant there was access to a Server (which can then contact a KeyOwner). - Cert/key rotation functionality is missing and I really think this should really be a requirement for any LURK proposal. [SE] I agree. A solution here does need to keep in mind that this may be many-to-many Servers to KeyOwners. Initial cert setup likely requires a message of some kind (with some arbitrary “cert application use” field?). Key rotation may just be a signal to go through the initial setup again (possibly via some sort of additional parameter in each response to signify the certificate has been rotated?). There's a further point that I'm not very sure (I'd like to hear other people's opinion): the security of TLS is not limited to the signature/decryption process. A good pseudo-random source at the Server is also critical. Would it be within LURK scope to let the Key Owner audit relevant session parameters? This could help if the Server is compromised -- or if it's just misbehaving. [SE] If the goal is only auditing, simulating a real connection (as a client) may be a better path for this. For both server_kx and rsalg, you would receive server/client random values. Cheers, Thomas.
- [Lurk] review of draft-erb-lurk-rsalg-00 Fossati, Thomas (Nokia - GB)
- Re: [Lurk] review of draft-erb-lurk-rsalg-00 Erb, Samuel
- Re: [Lurk] review of draft-erb-lurk-rsalg-00 Fossati, Thomas (Nokia - GB)