IETF Logo Mail Archive

Re: [TLS] Review of PR #209

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 15 September 2015 22:03 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C5811B2B9A for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 15:03:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tr0b9HeMhAd7 for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 15:03:24 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0142.outbound.protection.outlook.com [207.46.100.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A949D1B2B97 for <tls@ietf.org>; Tue, 15 Sep 2015 15:03:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=cKb5kDwdKjvM0vXLwPbFf44xn16t1uElpFG1JBmNlBo=; b=eGZvBG9p+KlDq4zQuQaptFU+4KKgcJfj82d5KL6VGe9Xjb/eg16Ai35dcIBy3gvRIV8x8zxdK7NkupuVb7dNp89EXylWpo2ocUebEmNZzv7Zldv78LaAVGdoYFoYgQ8lurQHdCZf3IVfrYyIN3RpMP9+fAHAY7irXoyLeT+nB9I=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1393.namprd03.prod.outlook.com (10.163.81.14) with Microsoft SMTP Server (TLS) id 15.1.268.17; Tue, 15 Sep 2015 22:03:21 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0268.017; Tue, 15 Sep 2015 22:03:21 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [TLS] Review of PR #209
Thread-Index: AQHQxuqZE5b0AgbP4UGzDBeqZzcHy54+TSMggAAif4CAAAGN4A==
Date: Tue, 15 Sep 2015 22:03:20 +0000
Message-ID: <BLUPR03MB139663BBF24BF86EBDAF10C58C5C0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CABkgnnWtUjH1b3xm_peffNxNpxXE9rudJLJpn1ExNpE7B29AhA@mail.gmail.com> <BLUPR03MB13962416E8D8AD71CFFE13C08C5C0@BLUPR03MB1396.namprd03.prod.outlook.com> <CABkgnnX5VrvWwEiPq2DvEWexPSjLjpjy_1JDSmj31bytZTFP6A@mail.gmail.com>
In-Reply-To: <CABkgnnX5VrvWwEiPq2DvEWexPSjLjpjy_1JDSmj31bytZTFP6A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:2::1d2]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1393; 5:qt07vXYCj588/kZxo1X5e0fdoldceJmEbkgVo/XvJwjRLXChuh/Mb555KnQ3mthX4YWWLtgaSegLuBovLPBdOMZAvYTkwo5jQDLUztMRegWydI/IHcxOAXKIWbiDX449d9BYRvc/AF6OKRXKU015eg==; 24:U0c3gqbLEMNCGJSJWkIXMWmmN9Q5mANa7dw2N3l03q+mOlfZp7w7BL4kLcGthdVvJwA2jIBYHpCSAMRTbjw6sk6CiKmgEkgLPlGpDoM9GIY=; 20:oxrcw7AtNf/3F6u7Xm6ve0EW5NcokLu1R+w3lSv1xVojXRFXK0brU9qMyTdfQPtXtL8ILfUOZUjpKarSmovwsA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1393;
x-microsoft-antispam-prvs: <BLUPR03MB13933431B6FD6B03361DCB498C5C0@BLUPR03MB1393.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425019)(601004)(2401001)(8121501046)(520075)(520078)(5005006)(3002001)(61426019)(61427019); SRVR:BLUPR03MB1393; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1393;
x-forefront-prvs: 070092A9D3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(51444003)(189002)(199003)(24454002)(110136002)(106356001)(106116001)(76176999)(105586002)(5003600100002)(50986999)(86362001)(99286002)(64706001)(87936001)(54356999)(101416001)(5002640100001)(33656002)(5001830100001)(5001960100002)(19580395003)(74316001)(2900100001)(46102003)(5001920100001)(5001860100001)(189998001)(5004730100002)(92566002)(86612001)(19580405001)(2950100001)(68736005)(102836002)(15975445007)(122556002)(77156002)(10090500001)(10290500002)(10400500002)(62966003)(5005710100001)(40100003)(81156007)(76576001)(5007970100001)(77096005)(8990500004)(11100500001)(97736004)(4001540100001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1393; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Sep 2015 22:03:20.8063 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1393
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6z0JgNfntP6PKBIY3Du-SHlhCkI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Review of PR #209
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 22:03:29 -0000

> How many Certificate+CertificateVerify messages would a client be permitted to send.  1? N?

I don't see a good reason to restrict to 1, although in many cases it would probably suffice.

> If the answer to the above is N, does the client's
> Certificate+CertificateVerify somehow identify the CertificateRequest?
> That is, how does the server identify whether this is unilateral or in response to its own request?

The model I'm thinking of is where the server receives a request from the client, determines that the request requires authentication, then queries session state to see whether a suitable client credential is available.
If such client credential is not available, the server sends CertificateRequest. In this model, it does not matter whether the client volunteered a credential or responded to the server's request.

> How does a client determine if the NewSessionTicket that it receives includes its authentication? That is, how can a client know whether a resumed session will need a certificate or not?  (I'm not sure about this one, but the first thought that occurs is that the server could include an indicator in the NewSessionTicket message.)

I'd say the client should send the latest ticket it has, assume that it has all session context including client identity, and the server will request creds if this is not the case.

> Does the session need to be rekeyed as a result of this new information?  (I think not, though see above regarding analysis.)

Agree on both points: the need for rekey is not obvious; until proved otherwise, I'm assuming no rekey.

> Do we allow for application data between Certificate and CertificateVerify? (I think not.)

No application data between Certificate and CertificateVerify.

> What value do you see in having a spontaneous NewSessionTicket messages?  Is this just a case of not wanting to bind it more formally to something that the client sends?  

The reason I want to allow NewSessionTicket messages in mid-stream is to allow the server to include newly obtained client creds in the session state. If the server wants to do this, it can send NewSessionTicket after processing the client's CertificateVerify.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Tuesday, September 15, 2015 2:38 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Review of PR #209

This sounds like a good idea.  I certainly like how it eliminates a number of variations (particularly the one that #209 added).  It enables unilateral client authentication, which is a big plus.

My biggest concern would be the one you note and how this interacts with the session transcript.  It seems OK to me, but I'd like Hugo or Karthik to spend a few cycles thinking about that one before I'm confident there isn't an actual problem.

How many Certificate+CertificateVerify messages would a client be permitted to send.  1? N?  (I think 1)

If the answer to the above is N, does the client's
Certificate+CertificateVerify somehow identify the CertificateRequest?
 That is, how does the server identify whether this is unilateral or in response to its own request?

How does a client determine if the NewSessionTicket that it receives includes its authentication? That is, how can a client know whether a resumed session will need a certificate or not?  (I'm not sure about this one, but the first thought that occurs is that the server could include an indicator in the NewSessionTicket message.)

Does the session need to be rekeyed as a result of this new information?  (I think not, though see above regarding analysis.)

Do we allow for application data between Certificate and CertificateVerify? (I think not.)

Question: What value do you see in having a spontaneous NewSessionTicket messages?  Is this just a case of not wanting to bind it more formally to something that the client sends?  I worry that we'll have cases where the session tickets encompass new states if we permit that.


On 15 September 2015 at 13:17, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> Perhaps we can simplify the protocol by pulling client auth out of the handshake as follows:
>
> 1. CertificateRequest, client Certificate, CertificateVerify and NewSessionTicket messages use a new content type distinct from "handshake".
> 2. The client can send Certificate and CertificateVerify at any time application data is permitted, regardless of whether the server had previously sent CertificateRequest.
> 3. The server can send CertificateRequest and NewSessionTicket at any time application data is permitted. Alternatively, the server can encapsulate CertificateRequest in an application protocol message.
>
> Encapsulating CertificateRequest in an application protocol message allows the client to determine which specific application request resulted in the need for client auth. The application protocol would of course need to allow this.
>
> As far as I can tell, the above scheme seems to work in both 0-RTT and 1-RTT modes.
>
> We can decide exactly what CertificateVerify would be signing: whether it's the handshake hash or some form of RFC5705 Exported Keying Material (EKM).
>
> Thoughts?
>
> Cheers,
>
> Andrei
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
> Sent: Saturday, July 25, 2015 8:00 AM
> To: tls@ietf.org
> Subject: [TLS] Review of PR #209
>
> Andrei proposes two changes in 
> https://github.com/tlswg/tls13-spec/pull/209
>
> The first expands the ways in which a server can identify certificates.  This is fine.  I do wonder whether we can remove CertificateType entirely for TLS 1.3 though (that can be done separately).
>
> The second is worrisome.  I don't like that a handshake message now has two different potential locations that it might appear in.  That seems like a hazard.  I think that we need a new content type for a new message that can be used after the handshake completes.  Then there are two options:
>  a) remove CertificateRequest from the handshake entirely and allow 
> the handshake to complete before authenticating (this has a number of 
> hazards that make it probably worse than the duplication it addresses)
>  b) use CertificateRequest within the handshake, and the new content 
> type outside of it
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email