Re: [TLS] Martin Duke's Discuss on draft-ietf-tls-external-psk-importer-06: (with DISCUSS)

Martin Duke <martin.h.duke@gmail.com> Tue, 19 January 2021 18:34 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 443C13A16B0; Tue, 19 Jan 2021 10:34:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hB8WRC3awPPy; Tue, 19 Jan 2021 10:34:01 -0800 (PST)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C77903A16AB; Tue, 19 Jan 2021 10:34:01 -0800 (PST)
Received: by mail-io1-xd36.google.com with SMTP id u17so41684811iow.1; Tue, 19 Jan 2021 10:34:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z82vHc4Sl71vTU0C5TulTj6dwaMoIpV/HDZMtCBuEGA=; b=R3X/+/Vq+GE2LjTEYqxlLfnQZpaLZAaPdAd+Zxj0eO5suFbgHjiCFnl26Gqbz4HJOR Xgxn+d+q49dz6lLMdWYtC7v9FaurEeMNy2uArDxDZLXPicvkwzAKRXxY903Us8ZtYXzZ MZ7qElBorOmwX5t/9+PEX0VQ+R3xZj6gmWSRhakLtQvzhSVlUdeciAtIWqMsPTkHxJt5 wU50ZQKnPomsOB7TQPTtjuKopIvTI2nGj2qtcE8m0P9bmbvUxQVrbsnn/BS6rAhG4GYi T+tm2Anhk/ymHpXpKwq/dlEnmfQQSz3TutNpXFHu988+6AmQIrr7O6qG28A701LKb/HU vXPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z82vHc4Sl71vTU0C5TulTj6dwaMoIpV/HDZMtCBuEGA=; b=YGFQdUNDMDSqFLdZG+pncColrcK0vnU3Z9ATZGe5+CoisjqXhMuJn2M3dwh0pPNu7J A4ncEOo/pIPRcJFHmr42yePbXdoFiGk/a8iWohQnkJNF69GIfepl7NlCz/5RXr711Xi5 GF7Yf2PENGF4ySqtRrzySlOQfJ8vRp59PkyFNEq6YqfrkqavP45X3UMJEdfcpIddSEFB Odnus+O9iDS6i9wY2g4hSw4fdYe4Qhf4HFgWJI9oDB5eXn9Hdop2B3QIs1PJoWH8aAhH 9mnk0UDZeeTWMy1C8JmuVRXb3yMd/YKzxhLIWd69RIXL0NzcNiaKyDplgrjDyFP4ooan Bjbg==
X-Gm-Message-State: AOAM531kgULJ+nzi4tm/Q5E4getJidWwhlrCOfmm4phQiizZVyOw/AqA kAkHGJBt3mE6Aq+VE4eOm+OnhvDBlKEMfJvU3A0=
X-Google-Smtp-Source: ABdhPJxFluUrnb+lr9oAoAz+PFu313qlGLFpsUYGDNpucxmU3PWyX0PI8+sIK4XZoLoHPz9QRzFdRUDoYzgsVvZ8RPg=
X-Received: by 2002:a05:6e02:cd2:: with SMTP id c18mr4617373ilj.249.1611081241063; Tue, 19 Jan 2021 10:34:01 -0800 (PST)
MIME-Version: 1.0
References: <160980363454.20851.10184061700085456941@ietfa.amsl.com> <20210108003928.GR93151@kduck.mit.edu>
In-Reply-To: <20210108003928.GR93151@kduck.mit.edu>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 19 Jan 2021 10:33:50 -0800
Message-ID: <CAM4esxQG+vEhuHZ8ATyQM98sWmsDdKoO4NsDoiehJZ2fiQ3_0w@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, joe@salowey.net, draft-ietf-tls-external-psk-importer@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000013f52805b94515da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4__Oj96YrYj_HrDgwJ49jiva8h0>
Subject: Re: [TLS] Martin Duke's Discuss on draft-ietf-tls-external-psk-importer-06: (with DISCUSS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 18:34:04 -0000

Hi Ben,

IIUC this means that while one must generate the ipskx for each
ciphersuite, but these might turn out to be the same. I found the language
to be somewhat unclear here, but I will remove the DISCUSS on this subject
and leave it to the authors if they want to make it a bit clearer.

On Thu, Jan 7, 2021 at 4:39 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Mon, Jan 04, 2021 at 03:40:34PM -0800, Martin Duke via Datatracker
> wrote:
> > Martin Duke has entered the following ballot position for
> > draft-ietf-tls-external-psk-importer-06: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-tls-external-psk-importer/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > This is probably just my own ignorance, but I see two potential problems
> in Sec
> > 4.1.
> >
> > - 'The identity of "ipskx" as sent on the wire is ImportedIdentity,
> i.e., the
> > serialized content of ImportedIdentity is used as the  content of
> > PskIdentity.identity in the PSK extension.' IIUC ImportedIdentity has a
> maximum
> > length of 2^17 + 2. But the Identity field in the PSK option has a
> maximum
> > length of 2^16-1. I presume this never actually happens, but the spec
> should
> > handle the boundary condition, perhaps by limiting the first two fields
> of
> > Imported Identity to sum to 2^16-5 bytes or something.
>
> I'll leave this one for the authors.
>
> > - It says 'Endpoints SHOULD generate a compatible "ipskx" for each target
> > ciphersuite they offer.' but then the example shows two ciphers that
> equire
> > only one derived key. Do you mean "hash algorithm" instead of
> "ciphersuite"?
> > TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256 are different
> > ciphersuites according to RFC 8446.
>
> TLS 1.3 ciphersuites are associated with a Hash, and 8446 assumes that HKDF
> with that Hash is the KDF for use of that ciphersuite.  This document
> somewhat extends that to allow a more generic KDF, rather than just HKDF,
> but "compatible with a ciphersuite" means "compatible with the KDF
> associated with the ciphersuite", and since the Hash and HKDF are the same
> for the two ciphers, the same ipskx works for both (and an efficient
> implementation would be expected to only compute it once).
>
> Thanks,
>
> Ben
>