IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 04 May 2018 09:01 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BE24127871 for <tls@ietfa.amsl.com>; Fri, 4 May 2018 02:01:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUlC1guc5zJ6 for <tls@ietfa.amsl.com>; Fri, 4 May 2018 02:00:59 -0700 (PDT)
Received: from mail-wm0-f44.google.com (mail-wm0-f44.google.com [74.125.82.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60793126CD6 for <tls@ietf.org>; Fri, 4 May 2018 02:00:59 -0700 (PDT)
Received: by mail-wm0-f44.google.com with SMTP id j4so2892479wme.1 for <tls@ietf.org>; Fri, 04 May 2018 02:00:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=scajO9oVWaD/o88dntRijUEjgw0uRHKK1NRu8cL95Cc=; b=i2uFE7GyrslbLlyfPIWvwKMe5CflHkXvnPOn58KXk+AZYhtkXszrNINZ4gQ0Dpm+Pi qJnjZapktF5siwaSxjCwJ3XRlqp9CCv3G+tbT/tIEZvlmziEX8qC5ah6dPP4oqqqILs+ a8Yy3ra2nvMI2ziVq37r2UgyUfRsM4PlrEbhMLc/5HQkWd4m+FtGoIXLZFMBjSnq/u7O yHldWQPxiu+Y8RmBOPvE3ah54R4sI3p6SMZgPqWiNFs6Z2LAvWWmt8ZTtNpXSsU6SkX+ GK4LxZFvMwa3GttsgdkpOXqWbW+dPqsgVHB0lYBriHdWzg3YrX8rf6RzPzCbgia8RztG quZw==
X-Gm-Message-State: ALQs6tDAqvq4+DzvyrCDmmoUFxbX/SWhM3pslAXH2iljc74VZq/lIiJq 8TQZAzAIqnbgkmsSdITXl6CBIQ6q7nM=
X-Google-Smtp-Source: AB8JxZo9ndW5MdfDMGejGkxoMWbPzaf4SveFRROHG5Ei88809JmzmyA3rjhqy2pEyIcmuub9O/ZP7g==
X-Received: by 10.28.50.135 with SMTP id y129mr9883164wmy.22.1525424457497; Fri, 04 May 2018 02:00:57 -0700 (PDT)
Received: from dhcp-10-40-1-102.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id 42-v6sm27417500wrx.24.2018.05.04.02.00.56 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 04 May 2018 02:00:56 -0700 (PDT)
Message-ID: <1525424456.3094.14.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Sean Turner <sean@sn3rd.com>, TLS WG <tls@ietf.org>
Date: Fri, 04 May 2018 11:00:56 +0200
In-Reply-To: <4E347898-C787-468C-8514-30564D059378@sn3rd.com>
References: <4E347898-C787-468C-8514-30564D059378@sn3rd.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.6 (3.26.6-1.fc27)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/45j9tjxgkJs3YtFDQJ4PRd0TPxQ>
Subject: Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 09:01:01 -0000

On Thu, 2018-04-19 at 16:32 -0400, Sean Turner wrote:
> All,
> 
> This is the working group last call for the "Exported Authenticators
> in TLS" draft available at https://datatracker.ietf.org/doc/draft-iet
> f-tls-exported-authenticator/.  Please review the document and send
> your comments to the list by 2359 UTC on 4 April 2018.

I have not checked the mechanism, but I have few questions based on the
description in the introduction.
   "Post-handshake authentication is defined in TLS 1.3, but it has the
   disadvantage of requiring additional state to be stored in the TLS
   state machine and it composes poorly with multiplexed connection
   protocols like HTTP/2.  It is also only available for client
   authentication.  This mechanism is intended to be used as part of a
   replacement for post-handshake authentication in applications."

* Was this proposed to be included in TLS 1.3 as post-handshake
authentication mechanism instead?

* What are the actual problems that post-handshake authentication has
with HTTP/2?

regards,
Nikos

v2.23.0 | Report a Bug | By Email