IETF Logo Mail Archive

Re: [TLS] Key update routine

"Ken Ivanov" <ivanov@eldos.com> Fri, 28 April 2017 20:25 UTC

Return-Path: <ivanov@eldos.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E565129C1C for <tls@ietfa.amsl.com>; Fri, 28 Apr 2017 13:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.317
X-Spam-Level:
X-Spam-Status: No, score=0.317 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, MIMEOLE_DIRECT_TO_MX=0.381, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GVq4J-tCLdol for <tls@ietfa.amsl.com>; Fri, 28 Apr 2017 13:25:23 -0700 (PDT)
Received: from widernetics.com (mail.eldos.com [198.50.222.230]) by ietfa.amsl.com (Postfix) with ESMTP id 9FDBA129B00 for <tls@ietf.org>; Fri, 28 Apr 2017 13:23:04 -0700 (PDT)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=86.137.1.107;
Message-ID: <2E7FA29DD1ED40E7B3AD7D8B47DD2877@WhiteBox>
From: Ken Ivanov <ivanov@eldos.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: tls@ietf.org
References: <24DAECF17FE0434CA3111200D77E1911@WhiteBox> <20170428190322.GA3901@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20170428190322.GA3901@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Fri, 28 Apr 2017 21:24:13 +0100
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-Authenticated-User: ivanov@widernetics.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6sbY51Pz3_a9d6nBJa549fYOrjY>
Subject: Re: [TLS] Key update routine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Apr 2017 20:25:25 -0000

Hi Ilari

I see your point, thank you. Maybe we shall think about replacing the MUST 
(in 'then the receiver MUST send a KeyUpdate of its own') with SHOULD then, 
not to lead the originator into confusion about the mutual nature of the key 
update, and treat the 'request_update' parameter as a suggestion rather than 
a request? Besides taking the question of enforcing that MUST off the scene, 
this would level the things up and make each direction truly independent.

Ken



-----Original Message----- 
From: Ilari Liusvaara
Sent: Friday, April 28, 2017 8:03 PM
To: Ken Ivanov
Cc: tls@ietf.org
Subject: Re: [TLS] Key update routine

On Fri, Apr 28, 2017 at 07:41:59PM +0100, Ken Ivanov wrote:
> Hi Eric and everyone,
>
> Specifically, while the spec instructs the party that receives a KeyUpdate
> with its request_update set to update_requested to respond with its own
> KeyUpdate with request_update set to update_not_requested, there are no
> provisions as to what the originator of the key update should do if it 
> never
> receives the requested KeyUpdate response from the remote party (or does 
> not
> receive it within a reasonable time scope).

The problem is that any time bound would cause keyupdate to couple the
directions, which is harmful from API standpoint.

The KeyUpdate mechanism is explicitly designed for fully asynchronous
operation. Which impiles there is no time bound.



-Ilari

v2.23.0 | Report a Bug | By Email