Re: [TLS] Secdir last call review of draft-ietf-tls-exported-authenticator-09

Benjamin Kaduk <bkaduk@akamai.com> Thu, 21 November 2019 02:40 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C824120840 for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 18:40:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVkJ4GlcQeXx for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 18:40:29 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2437912018B for <tls@ietf.org>; Wed, 20 Nov 2019 18:40:29 -0800 (PST)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id xAL2aFl4027349; Thu, 21 Nov 2019 02:40:27 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=jan2016.eng; bh=FhXlK8ahmhw9pq4Pqw24DIvKJNnRVavbzhg5b2vFt5s=; b=fck/psvKW8UbLMEQ94LY6R4wXmB08dyKFM6o1Z8oHWZYjhHNOZ7vV1FZ9QYYx0DIS0d6 yDNmYjpQ3hPymXYoy7N317UVhfsANRX4XJ7czyuQP0n2XLH+Yk68Bld1SEGJFdLokJFK zFqCzNfDLemkCFu+ZwCj0haT9hiba2Z2b7d8Cd2c4tEX4m8I59+ynkY6kjGBw5i/FrMD 7jKoqD1QWkWYirlap25HzyYcjgm4mv2pMg//raYZvYcbWRhSlzeijJaydQGAeEqGR1jr e2636bwWLRRxT8sVijnRrqJCodulweI44XDUrXQ/TtUKT75J2QRpNXszo9o4Guh7KiT6 Nw==
Received: from prod-mail-ppoint8 (prod-mail-ppoint8.akamai.com [96.6.114.122] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 2wafywp5us-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 21 Nov 2019 02:40:27 +0000
Received: from pps.filterd (prod-mail-ppoint8.akamai.com [127.0.0.1]) by prod-mail-ppoint8.akamai.com (8.16.0.27/8.16.0.27) with SMTP id xAL2aAQp016490; Wed, 20 Nov 2019 21:40:26 -0500
Received: from prod-mail-relay14.akamai.com ([172.27.17.39]) by prod-mail-ppoint8.akamai.com with ESMTP id 2wadb1rvsk-8; Wed, 20 Nov 2019 21:40:24 -0500
Received: from bos-lpczi.kendall.corp.akamai.com (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay14.akamai.com (Postfix) with ESMTP id EA4C480D1A; Thu, 21 Nov 2019 02:40:21 +0000 (GMT)
Received: from bkaduk by bos-lpczi.kendall.corp.akamai.com with local (Exim 4.86_2) (envelope-from <bkaduk@akamai.com>) id 1iXcOK-00050B-Jx; Wed, 20 Nov 2019 18:40:20 -0800
Date: Wed, 20 Nov 2019 18:40:20 -0800
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: tls@ietf.org
Message-ID: <20191121024019.GW20609@akamai.com>
References: <156330717256.15259.2193942101748847069@ietfa.amsl.com> <CAFDDyk_xvfDFK1_G3aqr9b5J6a-62=tjpdraXHGDpeiHdk10tA@mail.gmail.com> <CAFDDyk8sOw-G72KoJ76dS_etmO3zsJ58HuAkhAysFQPG2U-R0Q@mail.gmail.com> <D8E32D23-AE51-48BD-9B01-64F73DED0BFD@gmail.com> <CAFDDyk-s0jMnZy_mEAct15kwQG5cEZpyonDJxf+d9gQ6YBisGA@mail.gmail.com> <20191118225035.GS20609@akamai.com> <CAFDDyk86++0rn0KcrWixVGVc4wQ9G5vv+17Hx7ftvZuoAVs_9Q@mail.gmail.com> <430940ff-60f0-4ddd-9d71-9fe8b8ca9cae@www.fastmail.com> <ff1bff1b-049d-4e78-9533-4085c741fac8@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ff1bff1b-049d-4e78-9533-4085c741fac8@www.fastmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-11-20_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=956 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1911210022
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-11-20_08:2019-11-20,2019-11-20 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 bulkscore=0 spamscore=0 phishscore=0 adultscore=0 lowpriorityscore=0 suspectscore=0 clxscore=1015 mlxscore=0 mlxlogscore=963 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1911210021
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1kZTAwEpMW6Vq64XHVKWOM-b8pU>
Subject: Re: [TLS] Secdir last call review of draft-ietf-tls-exported-authenticator-09
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 02:40:30 -0000

On Thu, Nov 21, 2019 at 10:35:34AM +0800, Martin Thomson wrote:
> On Tue, Nov 19, 2019, at 11:21, Martin Thomson wrote:
> > On Tue, Nov 19, 2019, at 10:56, Nick Sullivan wrote:
> > > The text could be amended to say something like:
> > >  "the allowed extensions for client-generated authenticator requests 
> > > need to have CH listed, and for server-generated authenticator requests 
> > > need to have CR listed"
> > > The only current extension that supports CR, but not CH is oid_filters, 
> > > which is not relevant to client-initiated authenticator requests.
> > 
> > I like this resolution.
> 
> After discussion at the meeting, I think that I would also be OK with a new Client Certificate Request message type.  That means defining what extensions are valid, but I think that this can be done quickly by copying Certificate Request and adding SNI.  I think that some code might be able to use the tuple of (role, message type) to decide on what extensions are valid, but a new message type would be a more cautious approach.

I would also be okay with a ClientCertificateRequest.  It may not strictly be needed, but it's the safe/conservative option.

-Ben