IETF Logo Mail Archive

Re: [TLS] WGLC: draft-ietf-tls-tls13-19

Eric Rescorla <ekr@rtfm.com> Tue, 11 April 2017 18:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E5A712EC14 for <tls@ietfa.amsl.com>; Tue, 11 Apr 2017 11:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.609
X-Spam-Level:
X-Spam-Status: No, score=-0.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B57biQFUnTu8 for <tls@ietfa.amsl.com>; Tue, 11 Apr 2017 11:45:49 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E9BB12EC1C for <tls@ietf.org>; Tue, 11 Apr 2017 11:45:48 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id j9so2651605ywj.3 for <tls@ietf.org>; Tue, 11 Apr 2017 11:45:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SNGhUpbmPDu+/p42fTQ5e4h6NO13T0byoh9l1XUfExY=; b=jW2ux08m6NPqZR/6zmEIW4Qz4FF/TFdhKr7nUSVdbpoMj7tWfnTW0EabQk/7GTC00h H6cPNXj0A/uvIbMX6CHjaIlZWuuOZzEt0OCjLcdW/ZuiwA4mGwuEkXGD/AZt6ByrL2q+ eabNwpMfp2wUCJWReXxkIFnXD/KvWczdJXfyxefIOCjbe5DW3gH4uND/t1pYiKYGx2yx 8D7ZRuAa+RE1ZJsvpiy4tYPnzKldonarhvU0eLsiU7P0MZgNwud56ic7iLVyQFeZKgsh Io53PNRTt8MjtyinNjQcbGw08srYbwXO1sj/GUpiubdexFsICnJ0PKGwanvsjoQE9QFs JD4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SNGhUpbmPDu+/p42fTQ5e4h6NO13T0byoh9l1XUfExY=; b=p5b0T6p2H3s1Je53xZ7B1pBZ1dvgMZHGafzUYLHgmqEFZ+08E6kn5zYcl8XDCKE3Pc FlpOv9XtZ6SqFsSEow5IHm6hBCYn7wiDHqlc9inTiOOTmWGyx3PW0agdzkvaWlkQtsKM N91wzHYhXsUoTNOewgF64xiMWn+bxTNz6dV/lf3Qgl4+BfZ+WLgwfNiO+1nyT620kksy V1CZhv8gFFCu8HnUUn0EA3GZ1i7KPzqbHqqbcVpbrctfy3/voMSncWuQCkGMMq666GH1 JDJ8JgUTxdxMxTcWY5LNqWfx75Ugd9HhrmdvM/9Js1k+nD1R8slgl6cityYAm3kQC4Lg w4vA==
X-Gm-Message-State: AN3rC/6CYSR/3rVHd22xI1MjDQYMpMQsXh6EJkrrudVtzbZOcA6W9dP+zN1ITTlnd9odmiRjFeeQli3rBUE9Cw==
X-Received: by 10.129.76.85 with SMTP id z82mr6713857ywa.87.1491936347552; Tue, 11 Apr 2017 11:45:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Tue, 11 Apr 2017 11:45:07 -0700 (PDT)
In-Reply-To: <43ce161a-a107-5491-71e0-d6fecd9665a6@akamai.com>
References: <025D3ABD-199F-421A-9265-6F960135A3B7@sn3rd.com> <228B1CCF-088B-4F4C-B2FD-A20036B9224A@akamai.com> <CABcZeBPrLWoZkj176boM9mnqNL9GAPFNyyRxBazM-arNo1F=DA@mail.gmail.com> <43ce161a-a107-5491-71e0-d6fecd9665a6@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 11 Apr 2017 11:45:07 -0700
Message-ID: <CABcZeBPHm0Q1L2Q1nWGC+U4pJ+C5x7PHG8HayRCDDci8yGDOQA@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f238e060fb6054ce8805f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-6bBsii6ofFAOu6A7ViXtcLVg8o>
Subject: Re: [TLS] WGLC: draft-ietf-tls-tls13-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2017 18:45:52 -0000

On Tue, Apr 11, 2017 at 11:27 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
>
> Yeah, I guess I snuck that fix into #936.  So much for keeping things
> separate...
>
> > Page 113 still has the “[[NOTE: TLS 1.3 needs a new channel binding
> > definition that has not yet been defined.]]”, which should not make it
> > into the final spec!
>
> Fixed.
>
>
> It looks like that was just by removing the note.  Is a channel binding
> spec for 1.3 still a needed work item, then
>

Yeah, I think so.

-Ekr


>
> -Ben
>
>
>
> On Mon, Mar 27, 2017 at 11:23 PM, Kaduk, Ben <bkaduk@akamai.com> wrote:
>
>> On 3/13/17, 12:30, "Sean Turner" <sean@sn3rd.com> wrote:
>>
>>     This is a working group last call announcement for
>> draft-ietf-tls-tls13-19, to run through March 27.  Please send your reviews
>> to the list as soon as possible so we can prepare for any discussion of
>> open issues at IETF 98 in Chicago.
>>
>> As the price of running the WGLC right during the meeting lead-up, my
>> review comes in at the last minute.
>>
>> Generally, it is in good shape.  I think I still owe some text about what
>> we aim for and expect to achieve with respect to side channel resistance,
>> though at this point it may be too late to get that text in :(
>>
>> The following is basically a laundry list of the minor issues; I will
>> send editorial notes under separate cover, probably as a pull request.
>>
>> It was already mentioned that the “major differences from TLS 1.2”
>> section should not be a changelog, but I agree with that.
>>
>> Should Figure 4 (“message flow for a zero round trip handshake”) include
>> a “+ early_data” for the server’s flight?  (The legend for Figure 4 also
>> lacks the explanation for the ‘+’ symbol.)
>>
>> The language on page 30 is perhaps unclear:
>>
>>    Because TLS 1.3 forbids renegotiation, if a server receives a
>>    ClientHello at any other time, it MUST terminate the connection.
>>
>> Is that any TLS server, or just one that has negotiated and is using TLS
>> 1.3?
>>
>> In the description of legacy_compression_methods on page 31, we make
>> restrictions on “every TLS 1.3 ClientHello”, but do not say how such things
>> are identified.  (Hmm, maybe we also do so elsewhere in the document, too,
>> now that I search for where)  we explicitly define what a client
>> “considered to be attempting to negotiate using this specification (i.e., a
>> TLS 1.3 ClientHEello) on page 87, as supported_versions including 1.3.
>> Which, is maybe not the most future-proof thing.
>>
>> The description of version negotiation (to populate ServerHello.version)
>> on page 32 seems to leave undefined what the server should do when
>> receiving a ClientHello that does not contain a supported_versions
>> extension.  (Also, I don’t think “ClientHello.supported_versions
>> extension” is a well-defined syntax.)
>>
>> When covering the server_random version downgrade sentinels, we do not
>> mention what is to be done when downgrading to TLS 1.0, which I thought was
>> still a permitted version by this spec.
>>
>> It’s a little odd that we list in enum ExtensionType on page 35 a strict
>> subset of the extensions enumerated in the table on the following pages.
>>
>> Do we want to add some commentary about the extant SHA1 collisions when
>> we say that {rsa_pkcs1,dsa,ecdsa}_sha1 are only SHOULD NOT?
>>
>> I’ll note that we define 256 private use ECDHE group code points but only
>> four such FFDHE group code points.  Probably fine, but a bit surprising.
>>
>> Should we forbid duplicate entries in PreSharedKeyExtension.identities?
>>
>> Conversely, we might want to explicitly say that duplicate
>> OIDFilter.certificate_extension_oid fields should be expected in
>> OIDFilterExtensions, to enable the case where multiple values must be
>> present.  Or is that supposed to work by concatenating(?) the multiple
>> values’ DER encodings in the certificate_extension_values field?
>>
>> I’ll call out for Russ’s attention at the end of Section 4.4.3 where we
>> say that “implementations MUST NOT combine external PSKs with
>> certificate-based authentication.”  Is there any reason not to qualify that
>> as some sort of “don’t’ do it until it’s defined”?
>>
>> Should Alert.level be Alert.legacy_level?
>>
>> The editors copy has already removed the reference to RFC 4507, which is
>> obsoleted by RFC 5077 (and was not cited anywhere, anyway).
>>
>> Appendix B has a claim that “values listed as _RESERVED were used in
>> previous versions of TLS and are listed here for completeness”, though that
>> is not exactly true, e.g., for ContentType.invalid_RESERVED(0)
>>
>> Section C.3 notes that “Certificates should always be verified to ensure
>> proper signing by a trusted Certificate Authority”, which does not use RFC
>> 2119 language, but might be seen as in conflict with opportunistic
>> encryption in some circumstances.  I don’t object to this text, but it
>> seems worth mentioning.
>>
>> Page 113 still has the “[[NOTE: TLS 1.3 needs a new channel binding
>> definition that has not yet been defined.]]”, which should not make it into
>> the final spec!
>>
>> -Ben
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=zDb_mbfXWxowypc9E4E6zZZ_lXTab2DcV9qm--twWoM&s=WD0bv4QMm5OHI8RqolDFScW-e1jMk-YNzkVmbC4cmEw&e=>
>>
>
>
>

v2.23.0 | Report a Bug | By Email