Re: [TLS] Deprecating tls-unique for TLS 1.3
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 04 November 2015 06:44 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0E461A8A08 for <tls@ietfa.amsl.com>; Tue, 3 Nov 2015 22:44:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j0-QQSLud5ey for <tls@ietfa.amsl.com>; Tue, 3 Nov 2015 22:44:45 -0800 (PST)
Received: from statler.isode.com (statler.isode.com [217.34.220.151]) by ietfa.amsl.com (Postfix) with ESMTP id 1DC2A1ACEBC for <tls@ietf.org>; Tue, 3 Nov 2015 22:44:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1446619475; d=isode.com; s=selector; i=@isode.com; bh=JTOR7jzL3y2OQOTyb98cYeTIxf8WSUeTl4vCGaBcY+8=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=plHiEguohOGKY373T47xg9WkA/EO0nsoHVMpFpMCiRJUkh9ReF037CEgiQB4frbg/doDxH n3cbOz1NrWirYaZJ9jodhaYMglYI0De7xvkr5tW108jkIV4rVOZCHBCOynE65uDY7CMHX4 XzkEtdiaD65wmxdX1Lgrs1hNDc3KB60=;
Received: from [133.93.32.122] (dhcp-32-122.meeting.ietf94.jp [133.93.32.122]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <Vjmo7AAlTl5z@statler.isode.com>; Wed, 4 Nov 2015 06:43:54 +0000
To: Eric Rescorla <ekr@rtfm.com>
References: <F7D995DF-98C9-4093-AA6A-8EA251E7274C@isode.com> <CABcZeBMbQyePbr8TQe8SuT5dLDcOoS8Ni6BjnBpKFtwqboMk1g@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5639A8D8.1060400@isode.com>
Date: Wed, 04 Nov 2015 15:42:32 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
In-Reply-To: <CABcZeBMbQyePbr8TQe8SuT5dLDcOoS8Ni6BjnBpKFtwqboMk1g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-transfer-encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-8rDHLR6hiR7wsLsf6nVLtqCCmU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating tls-unique for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 06:44:48 -0000
On 04/11/2015 11:13, Eric Rescorla wrote: > Can you expand on this a bit? Perhaps propose some text. So, tls-unique is defined in RFC 5929 as: Description: The first TLS Finished message sent (note: the Finished struct, not the TLS record layer message containing it) in the most recent TLS handshake of the TLS connection being bound to (note: TLS connection, not session, so that the channel binding is specific to each connection regardless of whether session resumption is used). If TLS renegotiation takes place before the channel binding operation, then the first TLS Finished message sent of the latest/ inner-most TLS connection is used. Note that for full TLS handshakes, the first Finished message is sent by the client, while for abbreviated TLS handshakes (session resumption), the first Finished message is sent by the server. This is currently independent of the version of TLS used. This is also broken for TLS 1.2 due to the triple handshake vulnerability. I don't think we can just redefine this for TLS 1.3 and expect this to work, because APIs for getting this information out of TLS libraries are going to be different if Exporters are used. Also, if "tls-unique" is redefined, an old implementation of "tls-unique" would be unable to talk to a new implementation. For example if one end is IMAP client using SCRAM or GS2 against IMAP server implementing the same. I think there is desire to fix this for both TLS 1.2 and 1.3. I think the best way would be to take Simon's draft-josefsson-sasl-tls-cb-03 (Channel Bindings for TLS based on the PRF) and update it for TLS 1.3. I think conceptually what Simon did is very similar to what was proposed in the TLS meeting today. > -Ekr > > > On Wed, Nov 4, 2015 at 11:12 AM, Alexey Melnikov > <alexey.melnikov@isode.com <mailto:alexey.melnikov@isode.com>> wrote: > > Just to clarify, I think it is fine to define TLS 1.3 replacement > for tls-unique using Exporters. But I suggest for interoperability > this should be defined as a new channel binding with a new name, as > opposed to just redefining tls-unique.
- [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Eric Rescorla
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Yoav Nir
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Martin Thomson
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Martin Thomson
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Karthikeyan Bhargavan
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Andrei Popov