IETF Logo Mail Archive

Re: [POSH] Comments/questions on draft-miller-posh-00

"Matt Miller (mamille2)" <mamille2@cisco.com> Wed, 31 July 2013 08:19 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: posh@ietfa.amsl.com
Delivered-To: posh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2176E21F9ED8; Wed, 31 Jul 2013 01:19:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKwdZ3dJ3Ze5; Wed, 31 Jul 2013 01:19:27 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id D298221F9926; Wed, 31 Jul 2013 01:18:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8075; q=dns/txt; s=iport; t=1375258732; x=1376468332; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Ce2D2l5ln2Ixo4YMdF+p0KNDSOmhs+500y8if15tgto=; b=HgwfOAXnObnw5jsqFR37bja+ODqc9d41RCGe1PqyFZvuM6M6WAyu6Ydq Mn3SINkHV3RGkAuWoqa5iaGrIQ1OYf6xH1BdlEqd6YrlK2Aspz0Wn6Z8G rGN0+QTaI4KzmZzE5Ng728enEWGqxcppIIoTSk0OgK06NPXnFZiMSi+sp Y=;
X-Files: smime.p7s : 4136
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhQFACLH+FGtJXHB/2dsb2JhbABbgwaBBb4cgRgWdIIkAQEBAwF5BQsCAQgOFCQCMCUCBA4FCAaHfAa4T49NFhsHgxhxA5ASgS2CSZUjgxSBaCMf
X-IronPort-AV: E=Sophos; i="4.89,785,1367971200"; d="p7s'?scan'208"; a="241677481"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-6.cisco.com with ESMTP; 31 Jul 2013 08:18:51 +0000
Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id r6V8Ipet003705 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 31 Jul 2013 08:18:51 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.159]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.02.0318.004; Wed, 31 Jul 2013 03:18:51 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Philipp Hancke <fippo@goodadvice.pages.de>
Thread-Topic: [POSH] Comments/questions on draft-miller-posh-00
Thread-Index: AQHOieYn3zcp/gJiFUS1gabrGyMGtpl5G7oAgAWplgCAAAfhAA==
Date: Wed, 31 Jul 2013 08:18:50 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED9411EE55C3F@xmb-aln-x11.cisco.com>
References: <CAPms+wRR_ZtLq94mRCDVXEW9WyZeDmYx+1hU+zCXV1fT0GSZ+g@mail.gmail.com> <51F401CE.9080803@stpeter.im> <51F8C1CE.1010701@goodadvice.pages.de>
In-Reply-To: <51F8C1CE.1010701@goodadvice.pages.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.77.137]
Content-Type: multipart/signed; boundary="Apple-Mail=_3AB2945B-0B72-416B-B783-F10050DB8279"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: "<posh@ietf.org>" <posh@ietf.org>, XMPP Working Group <xmpp@ietf.org>
Subject: Re: [POSH] Comments/questions on draft-miller-posh-00
X-BeenThere: posh@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion about PKIX Over Secure HTTP <posh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/posh>, <mailto:posh-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/posh>
List-Post: <mailto:posh@ietf.org>
List-Help: <mailto:posh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/posh>, <mailto:posh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2013 08:19:48 -0000

On Jul 31, 2013, at 9:50 AM, Philipp Hancke <fippo@goodadvice.pages.de>
 wrote:

> Am 27.07.2013 19:22, schrieb Peter Saint-Andre:
> [...]
>>> Similarly, I can't see anything obviously wrong with letting the
>>> application handshake complete, then performing the POSH
>>> operations before deciding the application connection is not
>>> suitable and should be terminated before being used.  Is the MUST
>>> in this section mandating the order of operations necessary for
>>> some other reason?
>> 
>> As mentioned above, the MUST here is perhaps a bit silly because it's
>> so obvious. I think there is a better way to word it...
> 
> While implementing this I found another reason why this MUST doesn't work.
> 
> In XMPP we want DNA to have the ability to multiplex several domain pairs, with multiple remote domains.
> 
> However, at the time of the TLS handshake we only know a single remote domain (taken from the stream's from).
> 
> At any later time, the remote end may use this <db:result/> stuff to add another remote domain. This might trigger the POSH dance and clearly happens after the TLS handshake is done.
> 
> I would suggest removing this MUST.

These are all good points.

I will note that there is general queasiness with suspending disbelief on a connection, accepting the TLS handshake but then actually verifying  (and potentially failing) the connection because of TLS failings; not the least of which is the potential for abuse is very very great.  This also means that any error reporting that one might get from their TLS implementations for better error reporting is lost.

However, the multiplexing case is important for XMPP (not sure about others).  We need to allow for that to work.

I'll confer with my co-author, and we'll try to come up with some text that preserved the intent without being overly constricting.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

v2.23.0 | Report a Bug | By Email