IETF Logo Mail Archive

Re: [TLS] Summary of discussion regarding spontaneuous authentication

Joseph Salowey <joe@salowey.net> Tue, 28 October 2014 04:27 UTC

Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4C11A0377 for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 21:27:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dsy-ZrMc8QuU for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 21:27:28 -0700 (PDT)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com [209.85.216.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4FE71A0364 for <tls@ietf.org>; Mon, 27 Oct 2014 21:27:27 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id cs9so4786461qab.23 for <tls@ietf.org>; Mon, 27 Oct 2014 21:27:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jPacNwar1CiXhr6fPkPG44GXD4UL2ZgJu8ruElIx1yM=; b=ALdCDQnDDk7821nrwn3C+zCpA2hp5yisrNm/suR5BPiaJbztvXRu7K1l4Y/WFARoiX wqK4RksjioVz6MRf5dzV8+9kNbLgxdjXarDzwIYdF3C3OH0aAnS0JBMzRqRfKDtx+xis o2a3QOfpN59Jtz8P4dlVM1AquupywMeDJlvybeU5xN9LwDXmxd3AZ4fZF+6aG0Glh/6d jvw8kW5tv0Hy4KRXZTNkjMQ16CixHXlZ+5E8B+gee55J1Aswy1g3VrJJdLdRzSfPftat WbCn7mO9Y1zKFEMfcygm4rrQMKxQD9Q+A4Wgneh4zFPJQP9oqnLNpfsEWV/JnzgGrz4S bR/A==
X-Gm-Message-State: ALoCoQmYnK2ejIuzmrec5AGYdveDybpwxjcBKdOwz4p/FPNfhNoMCqUsDItCTBBbQKJz0NctU3/J
MIME-Version: 1.0
X-Received: by 10.140.104.114 with SMTP id z105mr960359qge.75.1414470446545; Mon, 27 Oct 2014 21:27:26 -0700 (PDT)
Received: by 10.96.155.202 with HTTP; Mon, 27 Oct 2014 21:27:26 -0700 (PDT)
X-Originating-IP: [67.168.161.122]
In-Reply-To: <CABcZeBNvtOi9UuQGdbuxvPGqZqRx+ZCw9CvMp830Dpq47WwxVg@mail.gmail.com>
References: <CABkgnnUAhEV=wLZyTew=ne7VgSq50XYR3Fo5EfjNXc8=_hbpyg@mail.gmail.com> <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com> <20141022125359.GA18704@LK-Perkele-VII> <CABkgnnW=aVzsi+cq=icpn4z9PjFuoiu_LQz_mnfeyPPom6LROQ@mail.gmail.com> <20141022132623.GA19894@LK-Perkele-VII> <CABkgnnVe3T56ia-bxgqNrpF_vXQD=T7xisrZb0Szu+L1X05+NQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C4F98@USMBX1.msg.corp.akamai.com> <CABcZeBNvtOi9UuQGdbuxvPGqZqRx+ZCw9CvMp830Dpq47WwxVg@mail.gmail.com>
Date: Mon, 27 Oct 2014 21:27:26 -0700
Message-ID: <CAOgPGoBMqevV6FbjtP3V_E8bsKVZAfV9rWphTAwBBOfeauZzzw@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a1134f4b683b9d6050674100b"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3MFPVPdejFx322DbyRwRayYST8E
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Summary of discussion regarding spontaneuous authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 04:27:31 -0000

On Mon, Oct 27, 2014 at 3:07 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> One way to handle this would be to separate out the things that indicate
> cryptographic capabilities from those that indicate proposed identity.
>
> Specifically, CertificateRequest currently contains:
>
>       struct {
>           ClientCertificateType certificate_types<1..2^8-1>;
>           SignatureAndHashAlgorithm
>             supported_signature_algorithms<2^16-1>;
>           DistinguishedName certificate_authorities<0..2^16-1>;
>       } CertificateRequest;
>
>
> But as is noted in 5246, there is redundancy here:
>
>    The interaction of the certificate_types and
>    supported_signature_algorithms fields is somewhat complicated.
>    certificate_types has been present in TLS since SSLv3, but was
>    somewhat underspecified.  Much of its functionality is superseded by
>    supported_signature_algorithms.  The following rules apply:
>
>
> And since we have removed the non-signing modes in 1.3, arguably we *just*
> need signature_algorithms to specify the cryptographic parameters. Further,
> I would argue that the certificate_authorities field is an practice a mess
> and doesn't belong at the TLS layer (note that we don't have an analog to
> it for the client to tell the server which CAs it supports). [0]
>
>
[Joe]  While I'm not a huge fan of the certificate authorities list, I'm
not sure that punting this to the application layer is the right thing to
do.  Some uses of TLS do not have a way to signal this in a higher layer.
For example, there are some EAP-TLS clients that will choose what
certificate to use based on this information from the server.   It may be
possible to extend EAP-TLS to send a client identity hint or similar
information in the first message from the server, but there really isn't
space in EAP-TLS for non-tls data.   An alternate approach would be the
client makes a guess as to which cert to use and if it isn't right then the
server sends a message encoded in TLS that tells the client what to do.
I'm not overly excited about wither of these approaches since they will
require changes to the applications.




> I would argue that the natural thing to do is to keep the cryptographic
> pieces
> in TLS but move them into the extensions (to match what the client sends).
> Specifically, in TLS 1.3 do:
>
> 1. Modify https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 to let the
> server send the SignatureAlgorithms extension in the ServerHello.
>
> 2. Allow the server to send the Supported Elliptic Curves extension
> https://tools.ietf.org/html/rfc4492#section-5.1.1 in the ServerHello.
>
>
> This would have a number of advantages:
>
> 1. A more symmetric design since you would use the same extensions in
> both directions.
>
> 2. A more expressive (and yet simpler) cryptographic negotiation design
> since we could indicate both algorithms and groups.
>
> 3. Push off the clumsy PKI-based part into the application while leaving
> the
> TLS-relevant crypto part in TLS.
>
> 4. It's consistent with both server-solicited and unsolicited
> authentication
> because the client knows what kinds of certificate it is allowed to
> deliver.
>
> If we make this change, we could still leave CertificateRequest in place,
> but
> it could be empty, just indicating that the server wants some kind of
> client
> auth and let the client decide. We might also allow the client to say that
> he is going to provide it and let the server say OK, to match MT's CANT
> draft. The point is that this would leave us with an orthogonal design that
> detached capabilities from requests.
>
>
[Joe]  I'm not convinced about pushing the PKI part to the application yet,
but I like the rest of the concept.


> -Ekr
>
>
>
>
>
>
>
>
>
> On Wed, Oct 22, 2014 at 8:59 AM, Salz, Rich <rsalz@akamai.com> wrote:
>
>> > I tend to think that we need a more general mechanism for indicating
>> > support for certificate types and signature algorithms.  Maybe we could
>> > unconditionally include those in the early handshake instead.
>>
>> Yes.  In two years when MSFT and Google start deprecating SHA-2 for
>> Keccak, it'd be nice to know which cert chain to send.  Or when I don't
>> know whether to send an RSA or ECDSA certificate next year.
>>
>> --
>> Principal Security Engineer, Akamai Technologies
>> IM: rsalz@jabber.me Twitter: RichSalz
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email