Re: [TLS] Summary of discussion regarding spontaneuous authentication
Joseph Salowey <joe@salowey.net> Tue, 28 October 2014 04:27 UTC
Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4C11A0377 for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 21:27:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dsy-ZrMc8QuU for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 21:27:28 -0700 (PDT)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com [209.85.216.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4FE71A0364 for <tls@ietf.org>; Mon, 27 Oct 2014 21:27:27 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id cs9so4786461qab.23 for <tls@ietf.org>; Mon, 27 Oct 2014 21:27:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jPacNwar1CiXhr6fPkPG44GXD4UL2ZgJu8ruElIx1yM=; b=ALdCDQnDDk7821nrwn3C+zCpA2hp5yisrNm/suR5BPiaJbztvXRu7K1l4Y/WFARoiX wqK4RksjioVz6MRf5dzV8+9kNbLgxdjXarDzwIYdF3C3OH0aAnS0JBMzRqRfKDtx+xis o2a3QOfpN59Jtz8P4dlVM1AquupywMeDJlvybeU5xN9LwDXmxd3AZ4fZF+6aG0Glh/6d jvw8kW5tv0Hy4KRXZTNkjMQ16CixHXlZ+5E8B+gee55J1Aswy1g3VrJJdLdRzSfPftat WbCn7mO9Y1zKFEMfcygm4rrQMKxQD9Q+A4Wgneh4zFPJQP9oqnLNpfsEWV/JnzgGrz4S bR/A==
X-Gm-Message-State: ALoCoQmYnK2ejIuzmrec5AGYdveDybpwxjcBKdOwz4p/FPNfhNoMCqUsDItCTBBbQKJz0NctU3/J
MIME-Version: 1.0
X-Received: by 10.140.104.114 with SMTP id z105mr960359qge.75.1414470446545; Mon, 27 Oct 2014 21:27:26 -0700 (PDT)
Received: by 10.96.155.202 with HTTP; Mon, 27 Oct 2014 21:27:26 -0700 (PDT)
X-Originating-IP: [67.168.161.122]
In-Reply-To: <CABcZeBNvtOi9UuQGdbuxvPGqZqRx+ZCw9CvMp830Dpq47WwxVg@mail.gmail.com>
References: <CABkgnnUAhEV=wLZyTew=ne7VgSq50XYR3Fo5EfjNXc8=_hbpyg@mail.gmail.com> <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com> <20141022125359.GA18704@LK-Perkele-VII> <CABkgnnW=aVzsi+cq=icpn4z9PjFuoiu_LQz_mnfeyPPom6LROQ@mail.gmail.com> <20141022132623.GA19894@LK-Perkele-VII> <CABkgnnVe3T56ia-bxgqNrpF_vXQD=T7xisrZb0Szu+L1X05+NQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C4F98@USMBX1.msg.corp.akamai.com> <CABcZeBNvtOi9UuQGdbuxvPGqZqRx+ZCw9CvMp830Dpq47WwxVg@mail.gmail.com>
Date: Mon, 27 Oct 2014 21:27:26 -0700
Message-ID: <CAOgPGoBMqevV6FbjtP3V_E8bsKVZAfV9rWphTAwBBOfeauZzzw@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a1134f4b683b9d6050674100b"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3MFPVPdejFx322DbyRwRayYST8E
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Summary of discussion regarding spontaneuous authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 04:27:31 -0000
On Mon, Oct 27, 2014 at 3:07 PM, Eric Rescorla <ekr@rtfm.com> wrote: > One way to handle this would be to separate out the things that indicate > cryptographic capabilities from those that indicate proposed identity. > > Specifically, CertificateRequest currently contains: > > struct { > ClientCertificateType certificate_types<1..2^8-1>; > SignatureAndHashAlgorithm > supported_signature_algorithms<2^16-1>; > DistinguishedName certificate_authorities<0..2^16-1>; > } CertificateRequest; > > > But as is noted in 5246, there is redundancy here: > > The interaction of the certificate_types and > supported_signature_algorithms fields is somewhat complicated. > certificate_types has been present in TLS since SSLv3, but was > somewhat underspecified. Much of its functionality is superseded by > supported_signature_algorithms. The following rules apply: > > > And since we have removed the non-signing modes in 1.3, arguably we *just* > need signature_algorithms to specify the cryptographic parameters. Further, > I would argue that the certificate_authorities field is an practice a mess > and doesn't belong at the TLS layer (note that we don't have an analog to > it for the client to tell the server which CAs it supports). [0] > > [Joe] While I'm not a huge fan of the certificate authorities list, I'm not sure that punting this to the application layer is the right thing to do. Some uses of TLS do not have a way to signal this in a higher layer. For example, there are some EAP-TLS clients that will choose what certificate to use based on this information from the server. It may be possible to extend EAP-TLS to send a client identity hint or similar information in the first message from the server, but there really isn't space in EAP-TLS for non-tls data. An alternate approach would be the client makes a guess as to which cert to use and if it isn't right then the server sends a message encoded in TLS that tells the client what to do. I'm not overly excited about wither of these approaches since they will require changes to the applications. > I would argue that the natural thing to do is to keep the cryptographic > pieces > in TLS but move them into the extensions (to match what the client sends). > Specifically, in TLS 1.3 do: > > 1. Modify https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 to let the > server send the SignatureAlgorithms extension in the ServerHello. > > 2. Allow the server to send the Supported Elliptic Curves extension > https://tools.ietf.org/html/rfc4492#section-5.1.1 in the ServerHello. > > > This would have a number of advantages: > > 1. A more symmetric design since you would use the same extensions in > both directions. > > 2. A more expressive (and yet simpler) cryptographic negotiation design > since we could indicate both algorithms and groups. > > 3. Push off the clumsy PKI-based part into the application while leaving > the > TLS-relevant crypto part in TLS. > > 4. It's consistent with both server-solicited and unsolicited > authentication > because the client knows what kinds of certificate it is allowed to > deliver. > > If we make this change, we could still leave CertificateRequest in place, > but > it could be empty, just indicating that the server wants some kind of > client > auth and let the client decide. We might also allow the client to say that > he is going to provide it and let the server say OK, to match MT's CANT > draft. The point is that this would leave us with an orthogonal design that > detached capabilities from requests. > > [Joe] I'm not convinced about pushing the PKI part to the application yet, but I like the rest of the concept. > -Ekr > > > > > > > > > > On Wed, Oct 22, 2014 at 8:59 AM, Salz, Rich <rsalz@akamai.com> wrote: > >> > I tend to think that we need a more general mechanism for indicating >> > support for certificate types and signature algorithms. Maybe we could >> > unconditionally include those in the early handshake instead. >> >> Yes. In two years when MSFT and Google start deprecating SHA-2 for >> Keccak, it'd be nice to know which cert chain to send. Or when I don't >> know whether to send an RSA or ECDSA certificate next year. >> >> -- >> Principal Security Engineer, Akamai Technologies >> IM: rsalz@jabber.me Twitter: RichSalz >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Summary of discussion regarding spontaneuou… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Tom Ritter
- Re: [TLS] Summary of discussion regarding spontan… Ilari Liusvaara
- Re: [TLS] Summary of discussion regarding spontan… Manuel Pégourié-Gonnard
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Ilari Liusvaara
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Manuel Pégourié-Gonnard
- Re: [TLS] Summary of discussion regarding spontan… Watson Ladd
- Re: [TLS] Summary of discussion regarding spontan… Eric Rescorla
- Re: [TLS] Summary of discussion regarding spontan… Watson Ladd
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Ilari Liusvaara
- Re: [TLS] Summary of discussion regarding spontan… Martin Rex
- Re: [TLS] Summary of discussion regarding spontan… Salz, Rich
- Re: [TLS] Summary of discussion regarding spontan… Tom Ritter
- Re: [TLS] Summary of discussion regarding spontan… Joseph Salowey
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Andrei Popov
- Re: [TLS] Summary of discussion regarding spontan… Manuel Pégourié-Gonnard
- Re: [TLS] Summary of discussion regarding spontan… Eric Rescorla
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Joseph Salowey
- Re: [TLS] Summary of discussion regarding spontan… Martin Thomson
- Re: [TLS] Summary of discussion regarding spontan… Joseph Salowey
- Re: [TLS] Summary of discussion regarding spontan… Peter Gutmann
- Re: [TLS] Summary of discussion regarding spontan… Santosh Chokhani