[TLS] Directly signing randoms
Eric Rescorla <ekr@rtfm.com> Mon, 19 October 2015 16:09 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD87E1A8768 for <tls@ietfa.amsl.com>; Mon, 19 Oct 2015 09:09:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sutdbbu7dq1O for <tls@ietfa.amsl.com>; Mon, 19 Oct 2015 09:09:35 -0700 (PDT)
Received: from mail-yk0-f172.google.com (mail-yk0-f172.google.com [209.85.160.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 209E91A877C for <tls@ietf.org>; Mon, 19 Oct 2015 09:09:35 -0700 (PDT)
Received: by ykfy204 with SMTP id y204so147327511ykf.1 for <tls@ietf.org>; Mon, 19 Oct 2015 09:09:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=YqhS4FrU2dfvIvAWVEKoSyUu++j5n9lHjY8A7QVHxRY=; b=mmcnlKZwRzirtvsW6Ms/h/cAzkex/uZCu6XsBvlvJT2iBWb+cw4KqNJLAb3CK9GGH2 18pMWjT1BJOWl+G3UH46wSqK5vIqspaHRENeWv59YAkw6ZtSL1UXOL5maXjkObQFS3vC dzDdkFDRyUffKkfLMntuI79IzvXa7xo5ssS7/SMmH76i4M7/EATmybdtIhXUbJNOmSFy Q1Mb3cm4bWfhzLLof32jmYVGwZKJFpVxjViTD6itIgpDK5G2IoviJveByrKmK47JdPli gtHwxPs0jhGiaMRM6cLA1W6vfNY0iBmkBjbhj2cdqce/iZK7qNRZueyJ+9GL7jLnuXNf bfGg==
X-Gm-Message-State: ALoCoQmRObyY+m89rHn9FLyURYjy3hSkaZUz/Z1r2l6P+dd+OeFPFwlqgCWw18WoOjS26yGf+j9i
X-Received: by 10.129.89.138 with SMTP id n132mr3567119ywb.61.1445270974349; Mon, 19 Oct 2015 09:09:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.114.85 with HTTP; Mon, 19 Oct 2015 09:08:55 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 19 Oct 2015 09:08:55 -0700
Message-ID: <CABcZeBOFma78=bjqxCXMLPMqLes0oFAbPTgeJODwukPnPLD0nQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1149198807f56a0522775f78"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/764YDOxf--8ULB5Ia3zh8Mnmfl0>
Subject: [TLS] Directly signing randoms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2015 16:09:42 -0000
Folks, https://github.com/tlswg/tls13-spec/issues/224 At the interim we discussed whether it was worth having digital signatures explicitly include the client and server random values rather than just the transcript to enable privilege separation, as proposed by Nikos. We had a little trouble getting clarity on the desired use case, but the two we understood were: 1. Having a separate module which is signing for authentication and wants to explicitly provide a random value to ensure that it's not signing arbitrary data. 2. Having a separate module which is verifying the peer's authentication and wants to explicitly provide a challenge to be signed by the peer. The general feeling was that you could achieve both cases by simply the unprivileged portion of the system provide the module with the handshake transcript and allow it to verify that the random was present in the correct location (or at all in case #2) and so that no change was needed. As I said, there was some confusion on the exact scenario, so if I've misunderstood please clarify. Otherwise, I think we have consensus to close this as WONTFIX. -Ekr
- [TLS] Directly signing randoms Eric Rescorla