IETF Logo Mail Archive

Re: [TLS] Request for review: Next Protocol Negotiation Extension

Marsh Ray <marsh@extendedsubset.com> Wed, 18 August 2010 15:52 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A39723A6848 for <tls@core3.amsl.com>; Wed, 18 Aug 2010 08:52:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[AWL=0.577, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O75ZOrKTv5Kl for <tls@core3.amsl.com>; Wed, 18 Aug 2010 08:51:57 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id D47843A68CB for <tls@ietf.org>; Wed, 18 Aug 2010 08:51:55 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OlkwI-0001Ek-Sd; Wed, 18 Aug 2010 15:52:30 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id A49FE608A; Wed, 18 Aug 2010 15:52:29 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18temHWwkmeOpQG/ai+FXqtl8MG7aNZie0=
Message-ID: <4C6C01BE.8080009@extendedsubset.com>
Date: Wed, 18 Aug 2010 10:52:30 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <AANLkTi=5H_0hGzxMmfNU0hLS=5psW6J3c2to756OT--7@mail.gmail.com> <4C69938A.9080808@gnutls.org> <AANLkTin3eQHNJPuVuVw09FbPUF4RBk7n9RFbc7EaFbM+@mail.gmail.com> <AANLkTi=dfCZNndm678OFkCZdzRhzfmRvBmZVLUD5-ueF@mail.gmail.com> <4C6AB936.1070801@extendedsubset.com> <AANLkTimgjqQMdwqL_xZXGSG5hSMLqDtYH62t698e_hx9@mail.gmail.com> <4C6AD7EA.4040307@extendedsubset.com> <000401cb3e4f$456f6d60$d04e4820$@briansmith.org> <4C6B1BAA.5060303@pobox.com> <AANLkTi=QzEmzuhX=rKkTFjVvWxP5r_0zcVHq00L-4JoS@mail.gmail.com> <4C6B8189.5080406@extendedsubset.com> <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com>
In-Reply-To: <AANLkTi=9TLG4f5eZ6h6duYKvcVueT53H26WNZpWV6TKS@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Request for review: Next Protocol Negotiation Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 15:52:00 -0000

On 08/18/2010 03:42 AM, Adam Barth wrote:
>
> I think your confusion might be stemming from confusing me with Adam
> Langley.  Although we're both named Adam, we're are, in fact,
> different people with different interests.

My memory is unpredictable sometimes, but how could I forget Adam Barth?

You sat directly to my right on Sept 29, 2009 at that meeting in
Mountain View. You wore, I believe, a white tshirt with colored trim.
Possibly denim shorts and flip-flops? Unshaven. Pretty much the opposite 
of your current Twitter icon! You had a small white Mac. I wondered if 
you really did all your document reading and writing on that thing. I 
wasn't watching what you were typing, but I did notice you were IM-ing a 
bunch.

Adam Langley, however, I don't recall ever having met in person.

---------

Forgive me for chopping up the thread, I think we're getting to the 
substance of the issue:

About the non-normative text it appears that "the motivation in the 
draft is outdated". So this review will have to disregard it.

 > To solve a particular design problem, one IETF working group
 > is considering a design that makes use of technology designed by
 > another IETF working group.  It seems quite appropriate for that
 > working group to ask for advice from the experts in the other working
 > group.

But there's nothing in draft-agl-tls-nextprotoneg-00 about that. If it 
really is building on another WG's work I'd expect a stable normative 
reference and a mapping relating the definitions in that standard to the 
new protocol elements.

Try this: Find someone who's technical, but not involved WebSockets, to 
read the I-D. Then ask them to explain it back to you.

For an I-D describing an extension to TLS, I'd expect it would include 
enough details that a person "skilled in the art" could implement it 
correctly and make testable predictions about the behavior of the 
resulting system. Probably it should even do something demonstrably 
useful to someone.

Yet, on the face of it, this I-D is completely meaningless. It proposes 
a new TLS extension with absolutely no defined semantics. It amounts to 
an empty Client Hello extension, a Server Hello extension containing 
unbounded arbitrary data, and a new handshake message containing up to 
512 bytes such that "The format of this data is not specified in this 
draft".

Allowing big quantities of arbitrary data immediately before the 
Finished message concerns me from a cryptographic perspective. It also 
seems like simple implementation errors could permit attacks where an 
endpoint confuses the new message with a Finished message, or vice-versa.

Other proposals have suggested sending opaque data in one direction or 
another and were not accepted, largely on the grounds that permitting 
non-semantic data in the handshake (data that the TLS RFCs were 
prohibited from interpreting) could only lead to interoperability issues 
(or even de facto usurpation of the protocol by entities outside the 
IETF processes). I realize that that is absolutely not the intent here.

In the opinion of this reviewer, draft-agl-tls-nextprotoneg-00 needs 
substantial rework before it should move ahead in the standardization 
process.

Suggested actions:


1. This appears to be a basic authentication problem. The I-D should 
give a rationale for:

1a. TLS already does strong authentication, and there are plenty of 
other well-understood schemes (from simple to complex). Why are these 
not sufficient?

1b. Couldn't this be done in the app data layer? Is the motivation just 
to save a round trip? Surely plenty of other protocols could shave off a 
round trip with custom TLS extensions, why does this case in particular 
justify it?


2. Decide if it's really (A) specific to WebSockets or it's a (B) 
generally useful mechanism. B is an ambitious project in its own right, 
there's no shame in A.

If A: Get the WebSockets spec solid enough to implement from and serve 
as a stable normative reference.

If B: Define the contents of the fields well enough that they can be 
unambiguously implemented, tested, and interoperate. The protocols being 
authenticated should map to some IANA registry.

- Marsh

v2.23.0 | Report a Bug | By Email