Re: [TLS] Proposed text for removing renegotiation

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 17 June 2014 20:56 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF5F1A0168 for <tls@ietfa.amsl.com>; Tue, 17 Jun 2014 13:56:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QikXsDfsDgAV for <tls@ietfa.amsl.com>; Tue, 17 Jun 2014 13:56:49 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 78E221A0154 for <tls@ietf.org>; Tue, 17 Jun 2014 13:56:49 -0700 (PDT)
Received: from [10.70.10.68] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id E6FDDF984; Tue, 17 Jun 2014 16:56:43 -0400 (EDT)
Message-ID: <53A0AB7E.4050706@fifthhorseman.net>
Date: Tue, 17 Jun 2014 16:56:30 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Icedove/30.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>, Watson Ladd <watsonbladd@gmail.com>
References: <CAFewVt65X1V6=A_HP_pcg=6nXNVFLxQmSsPB2rq1KvmGPRz+og@mail.gmail.com> <20140606223045.3B5AF1AD46@ld9781.wdf.sap.corp> <CACsn0cmcc6kXvOuqkZaDj7+QPdpY9qqQ58bs3s-JBGXdNJSZyw@mail.gmail.com> <CABcZeBPe45BM-uXd7DEBD_BBn=jhk8KkYB=facp+NMb2e4nBiw@mail.gmail.com> <1402299260.2427.2.camel@dhcp-2-127.brq.redhat.com> <CABkgnnX5+fXNDy1o7Pu60rp8vSx7XfKbt337e_q=+3fb8fXHJw@mail.gmail.com> <1402388399.2369.5.camel@dhcp-2-127.brq.redhat.com> <CACsn0cm5OzzjOh5nSXcu-cx+ZYFeJiJ5eGvgwjsWPUeX4ozz2g@mail.gmail.com> <1402476304.2305.8.camel@dhcp-2-127.brq.redhat.com> <CACsn0cmM4KpMgwXo0iTygsQ+En6N3J46jPY-Q3hfwzqG431M1w@mail.gmail.com> <1402648977.6191.36.camel@dhcp-2-127.brq.redhat.com> <CACsn0ck6OxPm8BwuNeAn+wpayaefkAzZtiyjkaQ1sB_4hp0C_Q@mail.gmail.com> <1402990596.2335.18.camel@dhcp-2-127.brq.redhat.com>
In-Reply-To: <1402990596.2335.18.camel@dhcp-2-127.brq.redhat.com>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="76GctuBcn9eD0q0UO5LDmT2f6SSjmiaF7"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6FeNZB8MtUt5noo686zfweDIPZE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposed text for removing renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jun 2014 20:56:52 -0000

On 06/17/2014 03:36 AM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-06-13 at 08:34 -0300, Watson Ladd wrote:
> 
>> The issue is the following: most applications do something like this
>> parse_request(conn)
>> check_if_request_authorized(conn)
>>
>> This assumes that the authentication state doesn't change in between
>> the two lines, or midway through the parse.
>> With renegotiation it can.
> 
> Indeed, but this is an easily unsolvable issue. 

Do you mean "easily solvable" here?

> That can be easily
> avoided on the implementation side (and gnutls is does not allow that).
> I have numerous times asked to clarify and better specify this part on
> the past.

Do you have a suggestion for how we could clarify and better specify
this part?  Maybe it's worth crafting that into a counterproposal that
could be weighed against the current "remove renegotiation" proposal.

I realize that we frequently claim we "don't do API" here, and the issue
of how well application developers actually deal with connection
property changes comes close to the API of any given TLS implementation.

But I suspect most application developers who use TLS don't understand
that the authentication state or cryptographic protections of the
connection may change mid-stream.  Of the minority that does understand
that this state may change, i suspect that many of them don't actually
handle the situation well (if at all).

if we want to avoid this on the implementation side, do we need more
guidance to implementers of TLS stacks?  or guidance for
application-layer users of those stacks?  or both?

	--dkg