Re: [TLS] 3rd WGLC for draft-ietf-tls-exported-authenticators

Russ Housley <housley@vigilsec.com> Fri, 22 May 2020 15:55 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <16B2E133-DE69-4850-A23D-554FBCADEE5A@sn3rd.com>
Date: Fri, 22 May 2020 11:55:07 -0400
Cc: IETF TLS <tls@ietf.org>
Message-Id: <D99BCBC4-1CD2-4FEE-8447-A50EA4F8B011@vigilsec.com>
References: <16B2E133-DE69-4850-A23D-554FBCADEE5A@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/48_EkGKpAHxHxTY7m3Ms3PRn0QA>


> On May 22, 2020, at 9:23 AM, Sean Turner <sean@sn3rd.com> wrote:
> 
> This is the 3rd WGLC for "Exported Authenticators in TLS" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/. The secdir review during IETF LC raised some issues and as a result there have been a couple of new versions. Please respond to the list with any comments by 2359 UTC on 8 June 2020.


I would like to see this published soon.  I have one comment.

Section 4: I find this confusing:

   extensions:  The set of extensions allowed in the CertificateRequest
      structure are those defined in the TLS ExtensionType Values IANA
      registry containing CR in the TLS 1.3 column.  The extensions
      allowed in the ClientCertificateRequest are those containing CR in
      the TLS 1.3 column, along with the server_name [RFC6066]
      extension.

I think it means:

   extensions:  The set of extensions allowed in the CertificateRequest
      structure and the ClientCertificateRequest structure are those
      defined in the TLS ExtensionType Values IANA registry [cite]
      containing CR in the TLS 1.3 column.  In addition, the set of
      extensions in the ClientCertificateRequest structure MAY
      include the server_name [RFC6066] extension.
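The rule under discussion (CR-column extensions in both request structures, server_name additionally in ClientCertificateRequest) as a parser-plus-check, written as an added example for this archive page; it is not code from the draft, from Russ, or from any TLS implementation. It assumes the request body carries the TLS 1.3 CertificateRequest wire format from RFC 8446 section 4.3.2, and the CR_EXTENSIONS table is my own transcription of the RFC 8446 section 4.2 extension table, so verify it against the live IANA registry before relying on it. The sample messages are constructed inline.

```python
import struct

# Assumed subset of the TLS ExtensionType registry whose TLS 1.3 column
# contains "CR" (transcribed from the RFC 8446 section 4.2 table; check the
# IANA registry before trusting this list).
CR_EXTENSIONS = {
    5: "status_request",
    13: "signature_algorithms",
    18: "signed_certificate_timestamp",
    47: "certificate_authorities",
    48: "oid_filters",
    50: "signature_algorithms_cert",
}
SERVER_NAME = 0  # RFC 6066 server_name, only allowed in ClientCertificateRequest here


def build_certificate_request(context: bytes, exts) -> bytes:
    """Encode: opaque certificate_request_context<0..2^8-1>;
               Extension extensions<2..2^16-1>;  (RFC 8446 4.3.2)"""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return bytes([len(context)]) + context + struct.pack("!H", len(ext_bytes)) + ext_bytes


def parse_certificate_request(body: bytes):
    """Decode the structure above. Returns (context, [(ext_type, data), ...]);
    raises ValueError on truncation or a bad vector length."""
    if len(body) < 1:
        raise ValueError("truncated context length")
    ctx_len, pos = body[0], 1
    if len(body) < pos + ctx_len:
        raise ValueError("truncated certificate_request_context")
    context = body[pos:pos + ctx_len]
    pos += ctx_len
    if len(body) < pos + 2:
        raise ValueError("truncated extensions length")
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if ext_len < 2 or end != len(body):  # vector is <2..2^16-1> and must fill the body
        raise ValueError("bad extensions vector length")
    exts = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + data_len > end:
            raise ValueError("truncated extension data")
        exts.append((ext_type, body[pos:pos + data_len]))
        pos += data_len
    return context, exts


def check_request_extensions(body: bytes, client_request: bool):
    """Apply the proposed Section 4 rule. Returns a list of (ext_type, reason)
    for every extension that is not permitted; an empty list means the
    request is acceptable."""
    _, exts = parse_certificate_request(body)
    allowed = set(CR_EXTENSIONS)
    if client_request:  # ClientCertificateRequest MAY also carry server_name
        allowed.add(SERVER_NAME)
    seen, problems = set(), []
    for ext_type, _ in exts:
        if ext_type in seen:  # RFC 8446: no more than one extension of a type
            problems.append((ext_type, "duplicate extension"))
        seen.add(ext_type)
        if ext_type not in allowed:
            which = "ClientCertificateRequest" if client_request else "CertificateRequest"
            problems.append((ext_type, "not allowed in " + which))
    return problems


# Constructed sample extension bodies.
SIG_ALGS = struct.pack("!H", 4) + b"\x04\x03\x08\x04"  # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
SNI = b"\x00\x0e\x00\x00\x0bexample.com"               # ServerNameList with one host_name


def demo():
    ctx = b"\x01\x02\x03\x04"
    server_req = build_certificate_request(ctx, [(13, SIG_ALGS)])
    client_req = build_certificate_request(ctx, [(13, SIG_ALGS), (SERVER_NAME, SNI)])
    return {
        "server_ok": check_request_extensions(server_req, client_request=False),
        "client_ok": check_request_extensions(client_req, client_request=True),
        "server_with_sni": check_request_extensions(client_req, client_request=False),
        "duplicate": check_request_extensions(
            build_certificate_request(ctx, [(13, SIG_ALGS), (13, SIG_ALGS)]), client_request=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same bytes are accepted as a ClientCertificateRequest and rejected as a CertificateRequest purely because of server_name, which is the distinction the proposed wording tries to make explicit.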