Re: [TLS] WGLC: draft-ietf-tls-tls13-19
Eric Rescorla <ekr@rtfm.com> Tue, 11 April 2017 18:45 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E5A712EC14 for <tls@ietfa.amsl.com>; Tue, 11 Apr 2017 11:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.609
X-Spam-Level:
X-Spam-Status: No, score=-0.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B57biQFUnTu8 for <tls@ietfa.amsl.com>; Tue, 11 Apr 2017 11:45:49 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E9BB12EC1C for <tls@ietf.org>; Tue, 11 Apr 2017 11:45:48 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id j9so2651605ywj.3 for <tls@ietf.org>; Tue, 11 Apr 2017 11:45:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SNGhUpbmPDu+/p42fTQ5e4h6NO13T0byoh9l1XUfExY=; b=jW2ux08m6NPqZR/6zmEIW4Qz4FF/TFdhKr7nUSVdbpoMj7tWfnTW0EabQk/7GTC00h H6cPNXj0A/uvIbMX6CHjaIlZWuuOZzEt0OCjLcdW/ZuiwA4mGwuEkXGD/AZt6ByrL2q+ eabNwpMfp2wUCJWReXxkIFnXD/KvWczdJXfyxefIOCjbe5DW3gH4uND/t1pYiKYGx2yx 8D7ZRuAa+RE1ZJsvpiy4tYPnzKldonarhvU0eLsiU7P0MZgNwud56ic7iLVyQFeZKgsh Io53PNRTt8MjtyinNjQcbGw08srYbwXO1sj/GUpiubdexFsICnJ0PKGwanvsjoQE9QFs JD4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SNGhUpbmPDu+/p42fTQ5e4h6NO13T0byoh9l1XUfExY=; b=p5b0T6p2H3s1Je53xZ7B1pBZ1dvgMZHGafzUYLHgmqEFZ+08E6kn5zYcl8XDCKE3Pc FlpOv9XtZ6SqFsSEow5IHm6hBCYn7wiDHqlc9inTiOOTmWGyx3PW0agdzkvaWlkQtsKM N91wzHYhXsUoTNOewgF64xiMWn+bxTNz6dV/lf3Qgl4+BfZ+WLgwfNiO+1nyT620kksy V1CZhv8gFFCu8HnUUn0EA3GZ1i7KPzqbHqqbcVpbrctfy3/voMSncWuQCkGMMq666GH1 JDJ8JgUTxdxMxTcWY5LNqWfx75Ugd9HhrmdvM/9Js1k+nD1R8slgl6cityYAm3kQC4Lg w4vA==
X-Gm-Message-State: AN3rC/6CYSR/3rVHd22xI1MjDQYMpMQsXh6EJkrrudVtzbZOcA6W9dP+zN1ITTlnd9odmiRjFeeQli3rBUE9Cw==
X-Received: by 10.129.76.85 with SMTP id z82mr6713857ywa.87.1491936347552; Tue, 11 Apr 2017 11:45:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Tue, 11 Apr 2017 11:45:07 -0700 (PDT)
In-Reply-To: <43ce161a-a107-5491-71e0-d6fecd9665a6@akamai.com>
References: <025D3ABD-199F-421A-9265-6F960135A3B7@sn3rd.com> <228B1CCF-088B-4F4C-B2FD-A20036B9224A@akamai.com> <CABcZeBPrLWoZkj176boM9mnqNL9GAPFNyyRxBazM-arNo1F=DA@mail.gmail.com> <43ce161a-a107-5491-71e0-d6fecd9665a6@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 11 Apr 2017 11:45:07 -0700
Message-ID: <CABcZeBPHm0Q1L2Q1nWGC+U4pJ+C5x7PHG8HayRCDDci8yGDOQA@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f238e060fb6054ce8805f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-6bBsii6ofFAOu6A7ViXtcLVg8o>
Subject: Re: [TLS] WGLC: draft-ietf-tls-tls13-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2017 18:45:52 -0000
On Tue, Apr 11, 2017 at 11:27 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote: > > Yeah, I guess I snuck that fix into #936. So much for keeping things > separate... > > > Page 113 still has the “[[NOTE: TLS 1.3 needs a new channel binding > > definition that has not yet been defined.]]”, which should not make it > > into the final spec! > > Fixed. > > > It looks like that was just by removing the note. Is a channel binding > spec for 1.3 still a needed work item, then > Yeah, I think so. -Ekr > > -Ben > > > > On Mon, Mar 27, 2017 at 11:23 PM, Kaduk, Ben <bkaduk@akamai.com> wrote: > >> On 3/13/17, 12:30, "Sean Turner" <sean@sn3rd.com> wrote: >> >> This is a working group last call announcement for >> draft-ietf-tls-tls13-19, to run through March 27. Please send your reviews >> to the list as soon as possible so we can prepare for any discussion of >> open issues at IETF 98 in Chicago. >> >> As the price of running the WGLC right during the meeting lead-up, my >> review comes in at the last minute. >> >> Generally, it is in good shape. I think I still owe some text about what >> we aim for and expect to achieve with respect to side channel resistance, >> though at this point it may be too late to get that text in :( >> >> The following is basically a laundry list of the minor issues; I will >> send editorial notes under separate cover, probably as a pull request. >> >> It was already mentioned that the “major differences from TLS 1.2” >> section should not be a changelog, but I agree with that. >> >> Should Figure 4 (“message flow for a zero round trip handshake”) include >> a “+ early_data” for the server’s flight? (The legend for Figure 4 also >> lacks the explanation for the ‘+’ symbol.) >> >> The language on page 30 is perhaps unclear: >> >> Because TLS 1.3 forbids renegotiation, if a server receives a >> ClientHello at any other time, it MUST terminate the connection. >> >> Is that any TLS server, or just one that has negotiated and is using TLS >> 1.3? >> >> In the description of legacy_compression_methods on page 31, we make >> restrictions on “every TLS 1.3 ClientHello”, but do not say how such things >> are identified. (Hmm, maybe we also do so elsewhere in the document, too, >> now that I search for where) we explicitly define what a client >> “considered to be attempting to negotiate using this specification (i.e., a >> TLS 1.3 ClientHEello) on page 87, as supported_versions including 1.3. >> Which, is maybe not the most future-proof thing. >> >> The description of version negotiation (to populate ServerHello.version) >> on page 32 seems to leave undefined what the server should do when >> receiving a ClientHello that does not contain a supported_versions >> extension. (Also, I don’t think “ClientHello.supported_versions >> extension” is a well-defined syntax.) >> >> When covering the server_random version downgrade sentinels, we do not >> mention what is to be done when downgrading to TLS 1.0, which I thought was >> still a permitted version by this spec. >> >> It’s a little odd that we list in enum ExtensionType on page 35 a strict >> subset of the extensions enumerated in the table on the following pages. >> >> Do we want to add some commentary about the extant SHA1 collisions when >> we say that {rsa_pkcs1,dsa,ecdsa}_sha1 are only SHOULD NOT? >> >> I’ll note that we define 256 private use ECDHE group code points but only >> four such FFDHE group code points. Probably fine, but a bit surprising. >> >> Should we forbid duplicate entries in PreSharedKeyExtension.identities? >> >> Conversely, we might want to explicitly say that duplicate >> OIDFilter.certificate_extension_oid fields should be expected in >> OIDFilterExtensions, to enable the case where multiple values must be >> present. Or is that supposed to work by concatenating(?) the multiple >> values’ DER encodings in the certificate_extension_values field? >> >> I’ll call out for Russ’s attention at the end of Section 4.4.3 where we >> say that “implementations MUST NOT combine external PSKs with >> certificate-based authentication.” Is there any reason not to qualify that >> as some sort of “don’t’ do it until it’s defined”? >> >> Should Alert.level be Alert.legacy_level? >> >> The editors copy has already removed the reference to RFC 4507, which is >> obsoleted by RFC 5077 (and was not cited anywhere, anyway). >> >> Appendix B has a claim that “values listed as _RESERVED were used in >> previous versions of TLS and are listed here for completeness”, though that >> is not exactly true, e.g., for ContentType.invalid_RESERVED(0) >> >> Section C.3 notes that “Certificates should always be verified to ensure >> proper signing by a trusted Certificate Authority”, which does not use RFC >> 2119 language, but might be seen as in conflict with opportunistic >> encryption in some circumstances. I don’t object to this text, but it >> seems worth mentioning. >> >> Page 113 still has the “[[NOTE: TLS 1.3 needs a new channel binding >> definition that has not yet been defined.]]”, which should not make it into >> the final spec! >> >> -Ben >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=zDb_mbfXWxowypc9E4E6zZZ_lXTab2DcV9qm--twWoM&s=WD0bv4QMm5OHI8RqolDFScW-e1jMk-YNzkVmbC4cmEw&e=> >> > > >
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Benjamin Kaduk
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- [TLS] WGLC: draft-ietf-tls-tls13-19 Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Yoav Nir
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Dave Garrett
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Olivier Levillain
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Kaduk, Ben
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Dave Garrett
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Kyle Nekritz
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Olivier Levillain
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Hubert Kario
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Dr Stephen Henson
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Martin Thomson
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Benjamin Kaduk