Re: [secdir] Secdir last call review of draft-ietf-tls-exported-authenticator-09

Yaron Sheffer <> Mon, 04 November 2019 10:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4AC6D12096E; Mon, 4 Nov 2019 02:20:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.837
X-Spam-Status: No, score=-0.837 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.159, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WogOAV2_phdv; Mon, 4 Nov 2019 02:20:50 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 76622120100; Mon, 4 Nov 2019 02:20:49 -0800 (PST)
Received: by with SMTP id l10so16353480wrb.2; Mon, 04 Nov 2019 02:20:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=ipg6iU+jMB5XAKE2RJKv2PW3WR1ODcyvdnHRVdOYAxU=; b=tZrrbM0AOvdQIwHO19lIPT9Yzc+iBtiw2fEk03FIj6dWnRK5rXAt6atAWn8lkMfMrD mpcIhgCduFJnWrOe9fJUULVVZA8Fl9Z7dEWuzH6Ao8lSVd/z0NG435NiSgMCtk9+3xCc 8yaNdEbrGicJyAmxPNO49cB1mKUPTZtibm4TGY5YHUvJwntpDtxX65I3/r+Q9QYF15oC VwdkMuhDkJLajY48ATYJprBCqvNEautTRpORsqwHNjpeRBPKZfJqx0RMTeLldYa4xx03 EkCFctcwRP7ZdEo1l73sF5ptIHuk6AcvZACApcwIitardFWmiGLd5huPOOnu7+yLfZs8 U+yQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=ipg6iU+jMB5XAKE2RJKv2PW3WR1ODcyvdnHRVdOYAxU=; b=HIGPzO/UNryFda5GjmwrnpCcgGaBnEhBzD3eHU1+Qr494JayGO22BZ/GLqgFKKf6DI mNPCdRKn8wNTtOBCv1QxicbmPXU/9X/e8++jDCeyo54lhsxfOeVCdBfJVuhjsscm8obx zo8rLAgwT3L6dK2RLVY/Rf2A16k/5AkyTTckWWRDUjpwwAJVQQeY+0sStXUADZGxEFLj 6hBEw+D83YAoveRRCQaD/kJ2FW6r9Z4ITAfcmAKYwQvYkPdjpC4Ej1TPqGeZMF/Fw2r8 uaLjsUWXuHUeQ2f++G+am8B2eUJe1/IumMxjwreJGAeTLURY/Eg+pmH1PyCSH5BLPI2p agyw==
X-Gm-Message-State: APjAAAWqkDC0j47h2taI8+CRfr1/YA2bcZff0s+r8xTXivcfwIe5lAXj S1JteVXo96HrNck1kdsEUm92rNEb
X-Google-Smtp-Source: APXvYqxXoizjVjo3t133xDZSZMCiHWi3hoQIwfCi/sE7fAIicKWF9YoPzrj41gXKMxyWDSmBM1cFIA==
X-Received: by 2002:adf:fd4a:: with SMTP id h10mr20993447wrs.90.1572862847815; Mon, 04 Nov 2019 02:20:47 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id h205sm17923358wmf.35.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Nov 2019 02:20:46 -0800 (PST)
User-Agent: Microsoft-MacOutlook/10.1e.0.191013
Date: Mon, 04 Nov 2019 12:20:45 +0200
From: Yaron Sheffer <>
To: Nick Sullivan <>
CC:,,, "<>" <>
Message-ID: <>
Thread-Topic: Secdir last call review of draft-ietf-tls-exported-authenticator-09
References: <> <> <>
In-Reply-To: <>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3655714846_1726106478"
Archived-At: <>
Subject: Re: [secdir] Secdir last call review of draft-ietf-tls-exported-authenticator-09
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Nov 2019 10:20:52 -0000

Hi Nick,


Apologies for not responding on time.


I may be missing some follow-on discussions, but:

Ben suggested that we mention that QUIC is also an option, even if informatively, in addition to the “SHOULD use TLS” statement.
I think we left my question re: back-fitting this protocol into the IANA TLS registry open. Quoting: 

YS: 7.1: this is changing TLS 1.3 by allowing this extension in Cert Request! I think it's a really bad idea. Better to hack special support to existing libraries, allowing this specific extension for this special case, than to change the base protocol. Otherwise, this document should UPDATE 8446.


NS: This is a good point and one that we struggled a bit with during design. We needed to allow SNI in the CertificateRequest message because it can be client-generated in this context. I'd be ok with creating a different extension for this, but it's rather elegant to re-use it in this context. *I'd like to hear some opinions from the working group* on this point


BK: Or, since extension codepoints are cheap, just use a new codepoint.





From: Nick Sullivan <>
Date: Monday, November 4, 2019 at 04:49
To: Yaron Sheffer <>
Cc: <>, <>, <>, "<>" <>
Subject: Re: Secdir last call review of draft-ietf-tls-exported-authenticator-09


Following up,


Yaron, do the responses by myself and Benjamin along with the does the following PR sufficiently address your comments/concerns?


On Wed, Sep 18, 2019 at 4:55 PM Nick Sullivan <> wrote:

Hi Yaron,


Thank you for your thorough review. My answers will be inline, and I'll incorporate some of Ben's replies if necessary. Here's a PR with proposed changes in response to your comments:


On Tue, Jul 16, 2019 at 12:59 PM Yaron Sheffer via Datatracker <> wrote:

Reviewer: Yaron Sheffer
Review result: Has Issues

The document is generally clear in both its motivation and the proposed

I think it's playing a bit too liberal with TLS 1.3, in sort-of but not quite
deprecating renegotiation, and in changing the IANA registry in a way that
actually changes the protocol. Details below.

Other comments:

* Abstract: please reword to make it clear that it's the proof (not the cert)
that is portable.


Proposed text here:

This document describes a mechanism in Transport Layer Security (TLS) for peers to
provide a proof of ownership of a certificate.  This proof can be exported
by one peer, transmitted out-of-band to the other peer, and verified by the receiving peer.


* Introduction: TLS 1.3 post-handshake auth "has the
disadvantage of requiring additional state to be stored as part of the TLS
state machine." Why is that an issue is practice, assuming this feature is
already supported by TLS libraries? Also, are we in effect deprecating this TLS
1.3 feature because of the security issue of the mismatched record boundaries?


My understanding is that post-handshake authentication as defined in the TLS 1.3 RFC is not implemented in many (any?) TLS 1.3 libraries and some implementors would prefer to use exported authenticators.


* "For simplicity, the mechanisms... require", maybe a normative REQUIRE?

I'm fine with this.


* Authenticator Request: please clarify that we use the TLS 1.3 format even when
running on TLS 1.2.

 Updated, though it might be a bit unnecessary.


* Also, I suggest to change "is not encrypted with a
handshake key" which is too specific to "is sent unencrypted within the normal
TLS-protected data".

This specific text is meant to differentiate the wire format of this message from that of the CertificateRequest message, which is encrypted with the handshake key. The specificity is warranted.


* Before diving into the detailed messages in Sec. 3, it
would be nice to include a quick overview of the message sequence.

There are two message types and three potential sequences. I've added a short overview.


* Sec. 3:
"SHOULD use TLS", change to MUST. There's no way it can work otherwise anyway.

As Ben noted, this could be any secure channel with equivalent security to TLS, such as QUIC. We shouldn't forbid other secure out-of-band mechanisms.


* "This message reuses the structure to the CertificateRequest message" -
repeats the preceding paragraph.



* Sec. 4: again, SHOULD use TLS -> MUST.

Again, I don't see the need for a MUST here.


* Is
there a requirement for all protocol messages to be sent over a single TLS
connection? If so, please mention it. Certainly this is true for the
Authenticator message that must be sent over a single connection and cannot be
multiplexed by the high-level protocol. I think this protocol actually assumes
"nice" transport properties (no message reorder, reliability) that also require
a single, clean TLS connection.

There is no such requirement. Message ordering is managed by the application layer protocol that utilizes exported authenticators.


* Why no authenticator request for servers?
Don't we care about replay? OTOH if the client wants to detect replays, it
would need to keep state on received authenticators, which would be very messy.

I'm not sure I understand. It's possible to use authenticator requests for servers.


* 4.1: when referencing Exporters, mention this is Sec. 7.5 of [TLS1.3].

Added  "Sec. 7.5"


* The
discussion of Extended Master Secret only applies to TLS 1.2 - please clarify
that, plus I suggest to reword this paragraph which I find hard to parse.



4.2: "the extensions are chosen from the TLS handshake." - What does it mean
exactly, and how does an application even know which extensions were used at
the TLS layer? Reading further, we mention "ClientHello extensions." Maybe the
authenticator should also include a ClientHello message to indicate supported
extensions. Assuming we can peek into ClientHello contradicts the hopeful "even
if it is possible to implement it at the application layer" in Sec. 6.


This could be clearer. Effectively, the Certificate message in the Authenticator needs

to be constructed in a similar manner to how a Certificate message would be created

in a TLS handshake. Namely, it can only contain extensions that were present in either

the client hello or a preceding CertificateRequest.


You're right that this makes an assumption that the party creating the Authenticator

has access to the TLS handshake state. This implies that even if the Authenticator

is created in the application space, an additional API needs to be exposed to share

that information.


* 4.2.1:
the first sentence of the section is incomplete.




* Can I use TLS 1.3-specific
extensions (oid_filters) if I'm running on a TLS 1.2 connection? Is there a
situation where a certificate is acceptable for TLS 1.3 connections but not for
TLS 1.2 connections?

Yes TLS 1.3-specific extensions are allowed, the CertificateRequest message is TLS 1.3-compatible.


* "using a value derived from the connection secrets" - I
think we should recommend a specific construction here to ensure people do it

This was a suggestion from the Additional Certificates use case ( I'm not sure we should get into the details here.


* 4.2.3: Are we computing HMAC(MAC-key, Hash(a || b || c || d))? If
so, please say so.

Yes, I'll put that in.


* 4.2.4: "a constant-time comparison" - why is it actually
required, what is the threat? An attacker can do very little because each
authenticator being sent is different.

As Ben noted, this was a safety note added during review.


* 5: please say explicitly which
messages are used in this case to construct the authenticator.



* 6.1: the
"MUST" is strange in a section that's only supposed to be informative. Also,
the library may provide this extension (and possibly others) without requiring
it as input.

How else do you propose wording the requirement that this API fail if the connection doesn't support EAs?


* 6.4: "The API MUST return a failure if the
certificate_request_context of the authenticator was used in a previously
validated authenticator." Are we requiring the library to keep previous
contexts for replay protection? If so, please make it explicit.

I think this can be a SHOULD based on the burden replay protection places on the implementation. 


*  7.1: this is
changing TLS 1.3 by allowing this extension in Cert Request! I think it's a
really bad idea. Better to hack special support to existing libraries, allowing
this specific extension for this special case, than to change the base
protocol. Otherwise, this document should UPDATE 8446.


This is a good point and one that we struggled a bit with during design. We needed to allow SNI in the CertificateRequest message because it can be client-generated in this context. I'd be ok with creating a different extension for this, but it's rather elegant to re-use it in this context. I'd like to hear some opinions from the working group on this point


* 8: I think the
Security Considerations is the right place to talk about interaction between
this protocol and TLS 1.3 (or 1.2) renegotiation. Even if we simply RECOMMEND
not to do it. Or else explain the use cases where renegotiation is still useful
if there are any.


I'm not sure this document should be prescriptive about use cases. This doc is providing a new capability that may be leveraged at the application to replace the functionality of existing mechanisms, but I'm not convinced the evaluation of the trade-offs of different mechanisms should be contained in this document.