Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)

Chuck Lever <chuck.lever@oracle.com> Fri, 28 August 2020 18:07 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB4ED3A0FAB; Fri, 28 Aug 2020 11:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkNG2o_NeS-E; Fri, 28 Aug 2020 11:07:57 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 120A63A0FA9; Fri, 28 Aug 2020 11:07:56 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 07SI5OLd062398; Fri, 28 Aug 2020 18:07:55 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=Vl1ezbGHYg+KZVemHq3mZ1iPWfaJPPXoYbd9mY1I/t0=; b=fI9vTnKUheKALF2sFAOaVryzzAUzaysuuq3puzTxeYMboG3tNZch1JIEpWsWEeFIKYrX rSzsOSBABqIlpYGjIJ2e1wpU4caLudAnNoZtNCvM4cEWA6hX1UkONbvcRUy1pDx7G9Y1 0MoVp8dGIplyNax3qcCV7K66Z3OeUntDvX5IGaB7JcMwiGLZ/k5EOUJpr+1t5Yr1CJ1k tRbg+q/B4rO9/u535SbbSYHuT1wZrx4x7EHeEZVuHozNxaf6GOue80raiKcWq81Qkrol vy5+xpufqp8mLPZZNgi82ocQ7wB9mv5EZSQdA7nUwY9ZtSNTu8S/rRWbzZfih63LYKZk XA==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2120.oracle.com with ESMTP id 333w6ubwkv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 28 Aug 2020 18:07:55 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 07SI5Ukq108224; Fri, 28 Aug 2020 18:05:55 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userp3030.oracle.com with ESMTP id 333r9pvfh7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 28 Aug 2020 18:05:55 +0000
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 07SI5sFN016072; Fri, 28 Aug 2020 18:05:54 GMT
Received: from anon-dhcp-152.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 28 Aug 2020 11:05:53 -0700
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CADaq8jcecSj6u8J8hAn0rPSDBzwe4r165UK6zO71bhBdDN-7kg@mail.gmail.com>
Date: Fri, 28 Aug 2020 14:05:52 -0400
Cc: NFSv4 <nfsv4@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3CE2766B-2AC7-4D25-8E07-62377BC59AAF@oracle.com>
References: <159409225571.12966.1097397622994927028@ietfa.amsl.com> <9BEC1316-A219-408F-AB27-74B28D702148@oracle.com> <0B907D1D-5818-46F7-9ADE-091D945A2A32@oracle.com> <CADaq8jejNL3NRVRi7DSD6TOK_0e6UOWZt=gt+kzCZL8JUO8kzA@mail.gmail.com> <7962DB37-E760-4A8C-8AE8-F1161D3E61BF@oracle.com> <CADaq8jcecSj6u8J8hAn0rPSDBzwe4r165UK6zO71bhBdDN-7kg@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9727 signatures=668679
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 phishscore=0 suspectscore=0 malwarescore=0 spamscore=0 mlxlogscore=999 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2008280131
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9727 signatures=668679
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 impostorscore=0 mlxlogscore=999 suspectscore=0 phishscore=0 malwarescore=0 spamscore=0 priorityscore=1501 clxscore=1015 mlxscore=0 lowpriorityscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2008280131
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/obGpZUTfO0Ep4mHLoQ00P2mitfw>
Subject: Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 18:07:59 -0000


> On Aug 26, 2020, at 2:21 PM, David Noveck <davenoveck@gmail.com> wrote:
> 
> 
> 
> On Wed, Aug 26, 2020 at 1:58 PM Chuck Lever <chuck.lever@oracle.com> wrote:
> 
> 
> > On Aug 24, 2020, at 4:40 PM, David Noveck <davenoveck@gmail.com> wrote:
> > 
> > 
> > 
> > On Mon, Aug 24, 2020 at 12:49 PM Chuck Lever <chuck.lever@oracle.com> wrote:
> > Hi nfsv4-
> > 
> > The latest updates to address Roman Danyliw's ballot comments have
> > been pushed to: 
> > 
> > https://chucklever.github.io/i-d-rpc-tls/draft-ietf-nfsv4-rpc-tls.html
> > 
> > Before I can reach closure on these comments, I'm still in need of
> > guidance for resolving the following issues with Section 5.2.2 of
> > rpc-tls.
> > 
> > (Ben's DISCUSS still remains. I plan to address those when closure
> > on Roman's comments has been reached).
> > 
> > 
> > > On Jul 8, 2020, at 11:43 AM, Chuck Lever <chuck.lever@oracle.com> wrote:
> > > 
> > > Hi Roman-
> > > 
> > > Here are my responses to your COMMENTs in Section 5.
> > > 
> > > 
> > >> On Jul 6, 2020, at 11:24 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> > >> 
> > >> ----------------------------------------------------------------------
> > >> COMMENT:
> > >> ----------------------------------------------------------------------
> > > 
> > >> ** Section 5.2.2 and 5.2.4.  Both 5.2.1 and 5.2.3 described what information
> > >> should be exposed by implementations.  These sections omit that information. 
> > >> For example, I would have expected Section 5.2.4 to discuss Token Binding IDs
> > > 
> > > PSK and Token Binding were added on request, and no further details were provided
> > > by the requesters.
> > 
> > Token Binding (Section 5.2.4) has been removed. However, Roman's
> > comment still stands for Certificate Fingerprints (Section 5.2.2).
> > 
> > Can anyone help?
> > 
> > I'll try to help.
> >  
> > 
> > 
> > >> ** Section 5.2.2.  Is there any MTI guidance on the kinds of digests to support
> > >> for these fingerprints?
> > > 
> > > I've had some difficulty with this.
> > 
> > That's putting it mildly.   The whole thing is kind of Sisyphean :-(
> >  
> > Originally the document required SHA-1, as
> > > it is the de facto standard algorithm for certificate fingerprinting.
> > 
> > That doesn't count for much.   After all, the de facto  standard for NFS authentication is AUTH_SYS.
> >   
> > However,
> > > subsequent security review pointed out that SHA-1 is deprecated.
> > 
> >  I can see that it would be hard to get this  accepted without the ability to the ability to argue cogently that SHA-1 weaknesses are not relevant in this case.
> > 
> > > 
> > > I changed the requirement to SHA-256, but this is problematic: most fingerprint
> > > implementations I'm aware of use SHA-1.
> > 
> > It appears it is too insecure to get through the IESG but not so insecure that people have stopped using it.
> >  
> > I have found no published document that
> > > suggests that SHA-1 is a problem for certificate fingerprinting, and no standard
> > > that specifically discusses certificate fingerprinting algorithms.
> 
> OK, but that doesn't mean the IESG will accept it.   Go ahead if you want to try it
> but if they object there is no point in continuing to knock your head against the wall.
> 
> > > 
> > > During Gen-ART review, the reviewer complained about the comparative:
> > > 
> > >  Implementations MUST support SHA-256
> > >  [FIPS.180-4] or stronger as the hash algorithm for the fingerprint.
> > 
> > I can see the "or stronger" being an issue.  It is often the case that it is not completely clear whether A is stronger than B.
> 
> Yes, "or stronger" was Gen-ART reviewer's complaint. I largely agree
> that the phrase is weasel-y.
> 
> 
> > > Suggesting that the document would need to provide a fixed list of particular
> > > algorithms here, rather than an open-ended requirement.
> > 
> > The only issue  I see if you can get a list including SHA-1 accepted.
> 
> I'm not sure that a list of digest algorithms is the right answer.
> 
> OK, If you think one will do, go for it.
>  
> 
> SHA-1 seems to be what everyone uses, and I haven't found any public
> document that states clearly that SHA-1 is not adequate for certificate
> fingerprinting.
> 
> Even RFC 4387 (in Section 2.2) defines a certificate fingerprint as the
> SHA-1 hash of a certificate.
> 
> That document was published fourteen years ago.   Perhaps it needs to
> be updated but we don't want to have to wait for that.
> 
> 
> > It is easier than SHA-1 alone but not a sure bet.   you might be able to sell it as a stop-gap, if there are ways to upgrade it later, especially if this is part of pushing AUTH-SYS towards the scrapheap of history.
> > 
> > SHA-1 + SHA-256 is one possible list.  The other is to include everything within the secure hash standard.
> 
> Can you provide a reference to "the secure hash standard?" 
> 
>  https://www.nist.gov/publications/secure-hash-standard
> 
> If that points
> to an RFC that can be obsoleted, that could be adequate. But again, I'm
> not sure that's the right thing to do if everyone else feels SHA-1 is
> adequate for the purpose of fingerprinting x.509 certificates.
> 
> I don't know what everyone else feels about this issue.   I don't a have real opinion
> as to SHA-1's adequacy for this purpose so I'm anxious about relying on SHA-1 with 
> no fallback. 
> 
> 
> > I'm think of rpc-tls allowing other layers in the stack to impose further restrictions on the algorithm to be used, e.g. 
> >       • Allowing ULPs to require specific hash algorithms.    This would allow us to get rpc-tls out now and upgrade it when draft-ietf-nfsv4-security is out.
> >       • Allowing RPC to require specific hash algorithms when used for particular purposes such as verifying the identity of a client host using AUTH_SYS.     This would allow us to get rpc-tls out now and upgrade it when an update to RFC5531 dealing with AUTH_SYS is out.

After thinking about it more, it probably is not sensible to
include the section on fingerprints. I'll remove it and move
on to Ben's DISCUSS comments.


--
Chuck Lever