IETF Logo Mail Archive

Re: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02

Subodh Iyengar <subodh@fb.com> Wed, 16 January 2019 07:54 UTC

Return-Path: <prvs=6919d9c1bf=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2FC130DC0 for <tls@ietfa.amsl.com>; Tue, 15 Jan 2019 23:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.394
X-Spam-Level:
X-Spam-Status: No, score=-5.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=ArZacDpH; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=NbFRKoEt
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OpG3ZLilzjP3 for <tls@ietfa.amsl.com>; Tue, 15 Jan 2019 23:54:40 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14E87128D0C for <tls@ietf.org>; Tue, 15 Jan 2019 23:54:40 -0800 (PST)
Received: from pps.filterd (m0148461.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0G7qiW0025989; Tue, 15 Jan 2019 23:54:39 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=btAQtdFm0CsckYXbKUxOiAZoIvhZO/d2JdzW+Lqoxlw=; b=ArZacDpHyx3uZPtzoeIpMe42AM00btbJjfIMqYIwkqQ5QoLnOsJFlBblpApvL1aGKnvn IKR/Vm/DNHtd7h5UAhs+Ozu98eTytbQKT3DUnTRxxsHYxuzIyzZ0FWheNbPgmFtx3EAi 3+VAZ8oxZNUWi4e7OsQCmyytZdaFkhu9s6A=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0a-00082601.pphosted.com with ESMTP id 2q205vr26f-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 15 Jan 2019 23:54:39 -0800
Received: from frc-mbx06.TheFacebook.com (2620:10d:c0a1:f82::30) by frc-hub03.TheFacebook.com (2620:10d:c021:18::173) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3; Tue, 15 Jan 2019 23:54:39 -0800
Received: from frc-hub02.TheFacebook.com (2620:10d:c021:18::172) by frc-mbx06.TheFacebook.com (2620:10d:c0a1:f82::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3; Tue, 15 Jan 2019 23:54:38 -0800
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3 via Frontend Transport; Tue, 15 Jan 2019 23:54:38 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=btAQtdFm0CsckYXbKUxOiAZoIvhZO/d2JdzW+Lqoxlw=; b=NbFRKoEtSJrJ+8wAbQUabrqDpsB3XzuVyrZAgm8z/DhGm+aWJtcNF7hA2b6uNiZHNPQoX7t7P8ddcQiv4ZjAbFgu2QzljmqL6uERaczj66+mZYi7XcMuVPC37Vs8Bp6yHMvNP4JQjfK6l0FgDoCex7VssnQpX68pfR8i2KwzZ40=
Received: from MWHPR15MB1821.namprd15.prod.outlook.com (10.174.255.137) by MWHPR15MB1952.namprd15.prod.outlook.com (10.175.8.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.18; Wed, 16 Jan 2019 07:54:37 +0000
Received: from MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::2dcf:43ad:f1a5:4eca]) by MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::2dcf:43ad:f1a5:4eca%8]) with mapi id 15.20.1537.018; Wed, 16 Jan 2019 07:54:37 +0000
From: Subodh Iyengar <subodh@fb.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02
Thread-Index: AQHUrTjO5Xfdo/YFZ0WGZmDoo9VjL6WxKkyZgAAVfwCAAEa3kA==
Date: Wed, 16 Jan 2019 07:54:36 +0000
Message-ID: <MWHPR15MB182109567671DFECA4539372B6820@MWHPR15MB1821.namprd15.prod.outlook.com>
References: <CAN2QdAGyvhDG=PjqUjQ4OdjKvTtN_zGxdNf3iKGdN+tHeDRAkw@mail.gmail.com> <MWHPR15MB1821A7E45DDEED81D2018F03B6820@MWHPR15MB1821.namprd15.prod.outlook.com>, <1547609984.2756240.1635793576.0E070413@webmail.messagingengine.com>
In-Reply-To: <1547609984.2756240.1635793576.0E070413@webmail.messagingengine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2620:10d:c090:180::1:1a70]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1952; 20:eavgvJSy68FESYQnaYZPf0k1YJoi3UOQCGVYOWZF7lVrhG7MtZFkn7SfaIcmJa4lqjoeVjqEuCdyKUYlgwoXV5OkL1cBnqKvGy3OfxgQ/xVUmUuswdXkZBAaIMqy4D3q+nWgO1YlfCxDsiLfyOC7vqU9aTCfgbztxGuOcc9GEPY=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 14f10fc4-6026-4a92-eb7c-08d67b87dc8a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:MWHPR15MB1952;
x-ms-traffictypediagnostic: MWHPR15MB1952:
x-microsoft-antispam-prvs: <MWHPR15MB1952B693935A8D0709E4457EB6820@MWHPR15MB1952.namprd15.prod.outlook.com>
x-forefront-prvs: 091949432C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(136003)(346002)(376002)(366004)(189003)(199004)(110136005)(33656002)(966005)(478600001)(316002)(14454004)(186003)(6116002)(6246003)(55016002)(6506007)(5660300001)(7696005)(53546011)(25786009)(76176011)(102836004)(6306002)(46003)(54896002)(9686003)(19627405001)(236005)(53936002)(2501003)(8936002)(74316002)(8676002)(486006)(105586002)(97736004)(256004)(7736002)(606006)(86362001)(6436002)(2906002)(106356001)(99286004)(71200400001)(71190400001)(476003)(229853002)(11346002)(6606003)(81156014)(446003)(81166006)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1952; H:MWHPR15MB1821.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: YwMD4QIYJ5I59waX0nMuMHHXgUFJYPxnKFc9/Ibj45r1UdvdEp3YiGwP1Bm5k4NaLdBooODMROeQwyIGW3Wzb6TfLM7j26hjA2i+vsojk64dlK0wYHQCubzQcqTunrBJ84X7nBAiQg6gSG+a49z6QqplTCQT+wv/hx4OKmtic0Ik0Vzcfkre+8z97uJMOg2+Mg9rssDkCkb8NMYnf0gF2FKbeRmtInGgTOsYQQFn0NmOEi2wxuPOD0ymqkcdpUuBUEdN/QJOFgOrX4ofyVfxqzOE+fo1hWW8sDyxWjNsZHzmKJEEdWUamqTTCEMOzcRbdIhLQ8ps/4QGjAitmuvrkjAKcRprIcFjxOeW1SE6y6iBWZnGtIrzOOJqvND7U7BaT1rFV9XGdSMOEOQWllzvaDU6oeoBhYEy1lD5DmByR+o=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB182109567671DFECA4539372B6820MWHPR15MB1821namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 14f10fc4-6026-4a92-eb7c-08d67b87dc8a
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jan 2019 07:54:36.8405 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1952
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-16_03:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7enGzVs17_tGVUvB8Re4069r_08>
Subject: Re: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 07:54:43 -0000

I don't feel too strongly about the tls version binding and I'd be fine with removing it to favor operational simplification.


Subodh

________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <mt@lowentropy.net>
Sent: Tuesday, January 15, 2019 7:39:44 PM
To: tls@ietf.org
Subject: Re: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02

On Wed, Jan 16, 2019, at 13:35, Subodh Iyengar wrote:
> Usually the negotiation happens during the processing of the client hello.

I don't think that the problem here is a code problem.  It's an operational one.

In many ways, the decision to use TLS 1.3 over TLS 1.2 is one that can be made in isolation.  You decide to flip the switch and flip it.  But if you are doing delegated credentials, deploying a new version depends on having a fallback in place for that version, or getting the vendor of delegated credentials to start supplying new credentials.  And that assumes that all the necessary stores are keyed correctly (though this highlights the case where that might not happen), and the code has been written.  It's not that it's impossible, but more that it complicates what was previously uncomplicated.

As you say, the decision to use a delegated credential is fairly simple.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwICAg&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=qOxPqAH-53XWS1ivRMVW5YPWzTYrcOjqXPcoImyDlnM&s=LwnVFi-5giNs_anA6DyKhcbiJ5NCSU5T1oZyDjx33Nw&e=

v2.23.0 | Report a Bug | By Email