[Lurk] review of draft-cairns-tls-session-key-interface-01
"Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Sun, 03 April 2016 13:34 UTC
Return-Path: <thomas.fossati@nokia.com>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E63D12D55B; Sun, 3 Apr 2016 06:34:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62_imvdC7031; Sun, 3 Apr 2016 06:34:47 -0700 (PDT)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A583F12D578; Sun, 3 Apr 2016 06:34:47 -0700 (PDT)
Received: from fr712umx3.dmz.alcatel-lucent.com (unknown [135.245.210.42]) by Websense Email Security Gateway with ESMTPS id 5C3E555E0876; Sun, 3 Apr 2016 13:34:42 +0000 (GMT)
Received: from fr711usmtp1.zeu.alcatel-lucent.com (fr711usmtp1.zeu.alcatel-lucent.com [135.239.2.122]) by fr712umx3.dmz.alcatel-lucent.com (GMO-o) with ESMTP id u33DYjAb002942 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 3 Apr 2016 13:34:45 GMT
Received: from FR712WXCHHUB03.zeu.alcatel-lucent.com (fr712wxchhub03.zeu.alcatel-lucent.com [135.239.2.74]) by fr711usmtp1.zeu.alcatel-lucent.com (GMO) with ESMTP id u33DYi83018509 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 3 Apr 2016 15:34:44 +0200
Received: from FR711WXCHMBA08.zeu.alcatel-lucent.com ([169.254.4.8]) by FR712WXCHHUB03.zeu.alcatel-lucent.com ([135.239.2.74]) with mapi id 14.03.0195.001; Sun, 3 Apr 2016 15:34:44 +0200
From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
To: "draft-cairns-tls-session-key-interface@ietf.org" <draft-cairns-tls-session-key-interface@ietf.org>
Thread-Topic: review of draft-cairns-tls-session-key-interface-01
Thread-Index: AQHRja2VvbyRpj+BFk2Jd1bnS0fsCw==
Date: Sun, 03 Apr 2016 13:34:44 +0000
Message-ID: <D3269D86.62A08%thomas.fossati@alcatel-lucent.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.2.160219
x-originating-ip: [135.239.27.38]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C1D0F27785019E4F98918CCC4E09CAC5@exchange.lucent.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/lurk/h16EobB0NtgWz2c4OOQCQXQwteM>
Cc: "lurk@ietf.org" <lurk@ietf.org>
Subject: [Lurk] review of draft-cairns-tls-session-key-interface-01
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Apr 2016 13:34:49 -0000
Hi guys, I've just finished reading your draft. There's plenty of information & references in it, thank you. A few comments below: - The way the RSA interface is defined at the moment suffers from the "decryption oracle syndrome". We should really try to avoid this and let the LURK box produce the MS instead -- as you're also hinting in the DISCUSSION para of Section 5.1.1. - LURK has use cases that need high throughput: we really want to be able to fill the pipe between the Edge and Key Server, and also treat each transaction independently. That's why a UDP based protocol is attractive, vs. for example a HTTP2/TCP based one, which would incur HOL on packet loss. Also an efficient encoding like the CBOR/CoAP that you are proposing looks really great to keep the overhead at a minimum. I've never used CoAP in high throughput applications though (quite the opposite, really), so I'm not sure whether its default congestion control algorithm is OK for this scenario? Have you done any experiment? - It's too early to nit-pick on the wire format, I know, but I'd be nice to have an explicit transaction id in the LURK payloads so that the Edge Server can correlate the TLS handshake with the specific LURK transaction (for logging/debugging/analysis purposes). - The same comments I sent for draft-erb-lurk-rsalg yesterday about the lack of "LURK box capability" and "Cert/key rotation" interfaces. Happy to discuss this further f2f. Cheers, t
- [Lurk] review of draft-cairns-tls-session-key-int… Fossati, Thomas (Nokia - GB)
- Re: [Lurk] review of draft-cairns-tls-session-key… Daniel Migault
- Re: [Lurk] review of draft-cairns-tls-session-key… Fossati, Thomas (Nokia - GB)
- Re: [Lurk] review of draft-cairns-tls-session-key… Daniel Migault