Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 15 February 2020 08:55 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24788120071 for <tls@ietfa.amsl.com>; Sat, 15 Feb 2020 00:55:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEFB8jCNKdkB for <tls@ietfa.amsl.com>; Sat, 15 Feb 2020 00:55:40 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5A712006D for <tls@ietf.org>; Sat, 15 Feb 2020 00:55:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id CB71722F; Sat, 15 Feb 2020 10:55:35 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id TuuJ735CC0lU; Sat, 15 Feb 2020 10:55:32 +0200 (EET)
Received: from LK-Perkele-VII (87-100-246-37.bb.dnainternet.fi [87.100.246.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 673D472; Sat, 15 Feb 2020 10:55:30 +0200 (EET)
Date: Sat, 15 Feb 2020 10:55:29 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Nick Sullivan <nick@cloudflare.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20200215085529.GA1659089@LK-Perkele-VII>
References: <158093501262.12877.10966121264461280401@ietfa.amsl.com> <20200209140242.GA1489626@LK-Perkele-VII> <CAFDDyk_VTbe5CQG1A_d=eQtp-uK+-vHOm_HwMp6AePbMPakDOA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAFDDyk_VTbe5CQG1A_d=eQtp-uK+-vHOm_HwMp6AePbMPakDOA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3mUccBD_V9hSn2PmLnlbwvsmEDg>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Feb 2020 08:55:43 -0000
On Fri, Feb 14, 2020 at 11:27:36AM -0800, Nick Sullivan wrote: > Ilari, > > Thank you for identifying these errors in the document. There was no > intention to allow the client to constrict the server certificate's > algorithm with the delegated_credential extension, and no intention to > restrict the delegated credential's algorithm with the > signature_algorithms. Let me propose some minor text changes to address the > issues. > > As a reminder, the CertificateVerify.algorithm is constrained by the > signature_algorithms > extension, as stated in RFC 8446: > > If the CertificateVerify message is sent by a server, the signature > algorithm MUST be one offered in the client's "signature_algorithms" > extension unless no valid certificate chain can be produced without > unsupported algorithms (see Section 4.2.3 > <https://tools.ietf.org/html/rfc8446#section-4.2.3>). > > > > Original text from 4.1.2.: > > The expected_cert_verify_algorithm fields MUST be of a > type advertised by the client in the SignatureSchemeList and are > considered invalid otherwise. Clients that receive invalid delegated > credentials MUST terminate the connection with an "illegal_parameter" > alert. > > > proposed text: > > The expected_cert_verify_algorithm field MUST be of a > type advertised by the client in the SignatureSchemeList and is > considered invalid otherwise. Clients that receive invalid delegated > credentials MUST terminate the connection with an "illegal_parameter" > alert. The section number looks incorrect (it is about client authentication) and the original looks to be copied from the new text. Did you mean section 4.1.1 (Server authentication) and: OLD: The algorithm and expected_cert_verify_algorithm fields MUST be of a type advertised by the client in the SignatureSchemeList and are considered invalid otherwise. Clients that receive invalid delegated credentials MUST terminate the connection with an "illegal_parameter" alert. NEW: The expected_cert_verify_algorithm field MUST be of a type advertised by the client in the SignatureSchemeList and is considered invalid otherwise. Clients that receive invalid delegated credentials MUST terminate the connection with an "illegal_parameter" alert. > As for the second point, we did not add the capability for the server to > advertise a different set of signature_algorithms for client authentication > other than the one advertised via the "signature_algorithms" extension. > This was perhaps an oversight. I propose that we add that capability and > I'd be happy to propose a PR to that effect. > > The new text of 4.3.2. would look something like: > > A server which supports this specification SHALL send an > "delegated_credential" extension in the CertificateRequest message > when requesting client authentication. The body of the > extension consists of a SignatureSchemeList. If the server receives a > delegated credential without indicating support in its > CertificateRequest, then the server MUST abort with an > "unexpected_message" alert. > > ... > > The algorithm field MUST be of a > type advertised by the server in the "signature_algorithms" extension > of the CertificateRequest message and the expected_cert_verify_algorithm > field MUST be of a type advertised by the client in the SignatureSchemeList > and considered invalid otherwise. Clients that receive invalid > delegated credentials MUST terminate the connection with an > "illegal_parameter" alert. > There seems to be no section 4.3.2 (or 4.3 for that matter). Did you mean section 4.1.2 (Client authentication)? The latter proposed paragraph seems like it says "client" in two places it should say "server", did you mean: The algorithm field MUST be of a type advertised by the server in the "signature_algorithms" extension of the CertificateRequest message and the expected_cert_verify_algorithm field MUST be of a type advertised by the server in the SignatureSchemeList and considered invalid otherwise. Servers that receive invalid delegated credentials MUST terminate the connection with an "illegal_parameter" alert. -Ilari
- [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Carrick Bartle
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Carrick Bartle
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan