IETF Logo Mail Archive

Re: [Secdispatch] Requesting agenda time for draft-vaughn-tlstm-update

Eric Rescorla <ekr@rtfm.com> Wed, 04 August 2021 18:04 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2D5F3A0E96 for <secdispatch@ietfa.amsl.com>; Wed, 4 Aug 2021 11:04:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIvPzSxdPTW8 for <secdispatch@ietfa.amsl.com>; Wed, 4 Aug 2021 11:04:51 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DDCA3A0E90 for <secdispatch@ietf.org>; Wed, 4 Aug 2021 11:04:51 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id f6so3445211ioc.6 for <secdispatch@ietf.org>; Wed, 04 Aug 2021 11:04:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sMQKqOGx3z1Mi+c6WV8SInTeFD3rB4uqMZWe/h32ydo=; b=W1iFFetdX+tWp0YpxhFLiR11JC6uMotwsL5Dst/RpSDgXVOszVqkfShfedGAQIXopH 2p4+PVqOG59LMZej7M79oyvhhKHXs+Ix2ci5PpUz1rrib3uIfBhsXBzKz9t2Dh6wFEuB jgq2WfCTvQ4HYF+UMqcGtUhiHCasguscdTwdZHlskgnXQ6Dj7wb6/t3seM97xpGH26ky 0j5CXIsjQFVjib4lQ2TFBKW387Nj4UjfU77vhDlVKc5ntuyv3foghagljrMDYmpIewtG N5LKFdoKe6XW5cAsoEIUp/M0h1oj4+64Rk0DzT49fOt6c2PAOWEMMAE7usA0wBD0KgDN zZVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sMQKqOGx3z1Mi+c6WV8SInTeFD3rB4uqMZWe/h32ydo=; b=dblUf0N49itupeoo06RfI9ce0RHWI4l3YfVpbPDMzGwGLjAB69rzNHM0Ox/UEN2Hqu CCHqO6EU2/GmQ2MZr3G3cYw4u899puwH3j5sjnPvX7z7mCVc4sfh5Gt0mM3T8DJwvfYM eZA7L+twjc/NErkax7qeUZjrdoWRGcd5nPybs3roJd9OoqhPfwl9KP4mFDEuYdEBiZM7 iYDaVZJXMaTPNMouKq2rCUraTo8wjynaSAZO4hYmpKCfLSAWgET1okcliUDSriAAJIh8 xkWuM/WzK1eR5htq5LiFCQjIj9PYFdGJZdUr4SnFq9PW1X3IR4wMxvC7zT84rytTyWff tVTA==
X-Gm-Message-State: AOAM530A1TDABgki7USnZ/LKLle46Lk/nRl/WCFaHhY9tKiiJjaEfr6r yZKCXyrR9Go9VImo5a3ILjJWLZGKz8QjgI5z6X1XYQ==
X-Google-Smtp-Source: ABdhPJwvN5gGYayqe/kpNa6NaxL3UjQBFgqW4kcd54KTG7tTYbiMyPKm3NJTU/vfpjdJLMDsioUVjHvLNN1DUbNHVgk=
X-Received: by 2002:a05:6638:338f:: with SMTP id h15mr632339jav.135.1628100289228; Wed, 04 Aug 2021 11:04:49 -0700 (PDT)
MIME-Version: 1.0
References: <E01AA1FF-B905-4635-9174-518294AFF2A2@trevilon.com> <CABcZeBNhD1KwndZhRB7Qvho6ubycu+6EbvOYBM1tp5gEM5crOg@mail.gmail.com> <6CB9CF84-CF11-4386-A790-8FD9FCC0E0AD@trevilon.com>
In-Reply-To: <6CB9CF84-CF11-4386-A790-8FD9FCC0E0AD@trevilon.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 4 Aug 2021 11:04:13 -0700
Message-ID: <CABcZeBNUDDmhkQ0ymfX5zQbzYHomL6iKY1BL44ojk2yNe958Tg@mail.gmail.com>
To: Kenneth Vaughn <kvaughn@trevilon.com>
Cc: IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000660c8f05c8bfa3b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/xcFNlkhn5Qj0M0HeT6OfyeXufGI>
Subject: Re: [Secdispatch] Requesting agenda time for draft-vaughn-tlstm-update
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2021 18:04:57 -0000

On Wed, Aug 4, 2021 at 10:56 AM Kenneth Vaughn <kvaughn@trevilon.com> wrote:

> Correct, TLS 1.2 provided separate one octet identifiers for the hash and
> signature algorithm. TLS 1.3 replaces the two identifiers with a single,
> two-octet cipher suite identifier that indicates a unique combination of
> hash and signature algorithm.
>

Just to clarify, this is not a "cipher suite" but rather a "signature
scheme". TLS cipher suites consist of the pair of AEAD and hash algorithms.


The former method provided for 255 hash algorithms and 255 signature
> algorithms - apparently, it was determined that some combinations did not
> make sense so the values were combined - meaning all 65535 values can be
> assigned to meaningful combinations but also meaning that we can no longer
> assume that the first octet uniquely identifies the hash algorithm by
> itself.
>

Yes, that's correct.


If the IANA continues to maintain the TLS 1.2 hash algorithm registry, I
> agree that there could be an easier fix for RFC 6353; but there does not
> seem to be any guarantee at present that this will happen as TLS 1.2 ages.
> This results in two possible paths forward:
>
> Option 1 is that we require the IANA to continue the maintenance of the
> 1.2 registry AND we create an update to RFC 6353 that clarifies that the
> 1.2 hash algorithm registry should still be used for the fingerprint, even
> when using TLS 1.3 (the update is needed as the mapping for 1.3 is
> ambiguous otherwise) OR
>

I don't understand this point. There's no dependency here on TLS 1.3 at
all. You're just using the registry. In fact, nothing stops you from using
hash algorithms which TLS 1.3 doesn't support at all.

Option 2 is that we update RFC 6353 with a new fingerprint algorithm that
> uses the 1.3 registry (and then there is no additional requirement on IANA)
>

I don't see how you can use either of the TLS 1.3 registries that include
hashes (signature scheme or cipher suite) as both have multiple entries for
the same hash algorithm (e.g., RSA and ECDSA with SHA-256, AES_128_GCM and
Chacha20Poly1305 with SHA-256). This is going to create an enormous amount
of confusion.


> Our proposal was based on the concept that, if we are updating RFC 6353
> anyway, we might as well decrease long-term maintenance issues for IANA
> (but recognizing that this is a bigger change on the standard and on
> implementations). But I agree that the work load could be shifted to IANA,
> which would simplify other issues. What is important is that we reach
> consensus on the approach to be followed and document the decision so that
> it is unambiguous. It's largely a question of who has to do the work.
>

I don't think continuing to maintain this registry will constitute an
appreciable amount of work for IANA. However, you could also just clone the
registry.

-Ekr


>
>
> Regards,
> Ken Vaughn
>
> Trevilon LLC
> 6606 FM 1488 RD #148-503
> Magnolia, TX 77354
> +1-936-647-1910
> +1-571-331-5670 cell
> kvaughn@trevilon.com
> www.trevilon.com
>
> On Aug 4, 2021, at 12:01 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Hi folks,
>
> I'm trying to follow the change in S 2.1 about the TLSTM fingerprint.
>
> In TLS 1.2, one represented signature algorithms as:
>
>       struct {
>             HashAlgorithm hash;
>             SignatureAlgorithm signature;
>       } SignatureAndHashAlgorithm;
>
> We found in TLS 1.3 that it was not really possible to mix-and-match
> them and so changed this to a two-byte SignatureScheme that represented
> the pair of hash and algorithm as well as any other values but without
> any other internal structure. E.g.,
>
>           rsa_pss_pss_sha256(0x0809),
>
> As I understand it, 6353 used the TLS 1.2 HashAlgorithm identifier to
> indicate which hash was used to make a fingerprint, and you're changing
> this because TLS 1.3 deprecated this field? If so, I don't think this
> is necessary: you're not referring to anything in TLS, you're just
> reusing the code point. So, I would probably not make any change
> here.
>
> -Ekr
>
>
>
>
>
> On Sun, Jun 27, 2021 at 7:31 PM Kenneth Vaughn <kvaughn@trevilon.com>
> wrote:
>
>> I would like to present https://datatracker.ietf.org/doc/draft-vaughn-tlstm-update-01/, a new version of the proposed update of RFC 6353 (TLSTM). Based on feedback from this group, and the recent IETF decision to finalize DTLS, the ITS community decided to keep support for DTLS in the update. The result of that decision was to reverse a number of changes in the text and it made more sense to write the proposed new version 01 as an update to RFC 6353 rather than a replacement of RFC 6353. The result is a shorter document where the changes are more evident.
>>
>> I would like to request 10-15 minutes at IETF meeting of the Security Dispatch group to discuss the possibility of launching an effort to continue the development of this document as an official IETF document.
>>
>> Regards,
>> Ken Vaughn
>>
>> Trevilon LLC
>> 6606 FM 1488 RD #148-503
>> Magnolia, TX 77354
>> +1-936-647-1910
>> +1-571-331-5670 cell
>> kvaughn@trevilon.com
>> www.trevilon.com
>>
>> _______________________________________________
>> Secdispatch mailing list
>> Secdispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdispatch
>>
>
>

v2.8.7 | Report a Bug | By Email