IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Issue

Robert Cragie <robert.cragie@gridmerge.com> Wed, 11 July 2012 17:01 UTC

Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC90A11E80EF; Wed, 11 Jul 2012 10:01:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZf7CtXPEWkl; Wed, 11 Jul 2012 10:01:26 -0700 (PDT)
Received: from mail78.extendcp.co.uk (mail78.extendcp.co.uk [79.170.40.78]) by ietfa.amsl.com (Postfix) with ESMTP id 6433211E80C0; Wed, 11 Jul 2012 10:01:25 -0700 (PDT)
Received: from client-82-26-85-222.pete-bam-1.adsl.virginmedia.com ([82.26.85.222] helo=[192.168.0.2]) by mail78.extendcp.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) id 1Sp0IU-0004lP-Ad; Wed, 11 Jul 2012 18:01:54 +0100
Message-ID: <4FFDB24F.8060600@gridmerge.com>
Date: Wed, 11 Jul 2012 18:05:19 +0100
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: tls@ietf.org, core <core@ietf.org>
References: <1CA8C4CB-1FD8-4498-9988-41B6334F58FD@gmx.net>
In-Reply-To: <1CA8C4CB-1FD8-4498-9988-41B6334F58FD@gmx.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070204090907070709000705"
X-Authenticated-As: robert.cragie@gridmerge.com
Subject: Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 17:01:27 -0000

Hi Hannes,

I think it would be easier to understand if the actual extensions were 
specified in the message diagrams. This seems to reveal a problem in the 
third use case (hybrid scenario), as it is not possible for the client 
to use a different certificate type to that selected by the server 
according to the 
http://tools.ietf.org/html/draft-ietf-tls-oob-pubkey-03/RFC 6091.

Robert

I) Server uses Raw Public Keys (client authentication happens at some 
other layer) (the DANE use case)

client_hello,
cert-type=(RawPublicKey, X.509) -> // (1)

                           <-  server_hello,
                               cert-type=RawPublicKey, // (2)
                               certificate, // (3)
                               server_key_exchange,
                               server_hello_done // (4)

client_key_exchange,
change_cipher_spec,
finished                  ->

                           <- change_cipher_spec,
                              finished

Application Data        <------->     Application Data


(1) Client supports both, preferring RawPublicKey. Alternatively, 
cert-type=(RawPublicKey), i.e. client supports onlyRawPublicKey
(2) Server supports and chooses RawPublicKey
(3) With raw public key (SPKI) inside
(4) Server knows OOB that it doesn't need Client certificate so doesn't 
send certificate_request (security policy for the system)

II) Client and Server use Raw Public Keys (the smart object use case - 
CORE working group)

client_hello,
cert-type=(RawPublicKey) -> // (1)

                           <-  server_hello,
cert-type=RawPublicKey, // (2)
                               certificate, // (3)
                               server_key_exchange,
                               certificate_request, // (4)
                               server_hello_done

certificate, // (5)
client_key_exchange,
certificate_verify, // (6)
change_cipher_spec,
finished                  ->

                           <- change_cipher_spec,
                              finished

Application Data        <------->     Application Data

(1) Client supports only RawPublicKey
(2) Server supports only RawPublicKey
(3) With raw public key (SPKI) inside
(4) Server knows OOB that it needs Client certificate so sends 
certificate_request (security policy for the system)
(5) With raw public key (SPKI)inside
(6) Implies signing ability of raw public key

III) Hybrid Scenario (the OAuth Holder-of-the-Key Use case)

client_hello,
cert-type=(RawPublicKey, X.509) -> // (1)

                           <-  server_hello,
                               cert-type=X.509 // (2)
                               certificate,  // (3)
                               server_key_exchange,
                               certificate_request, // (4)
                               server_hello_done

certificate, // (5)
client_key_exchange,
certificate_verify, // (6)
change_cipher_spec,
finished                  ->

                           <- change_cipher_spec,
                              finished

Application Data        <------->     Application Data

(1) Client supports both, preferring RawPublicKey
(2) Server supports and chooses X.509
(3) With X.509 cert.
(4) Server knows OOB that it needs Client certificate so sends 
certificate_request(security policy for the system). **** Note it could 
be possible to request a RawPublicKey at this point. It is not clear 
that CertificateRequest supports requesting of a SPKI ****
(5) With raw public key(SPKI)inside *** This doesn't seem possible as 
X.509 has been chosen ****
(6) Implies signing ability of raw public key


On 11/07/2012 11:56 AM, Hannes Tschofenig wrote:
> Hi all,
>
> draft-ietf-tls-oob-pubkey specifies a new TLS certificate type for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) for use with out-of-band public key validation.
>
> Here is the latest draft:
> http://tools.ietf.org/html/draft-ietf-tls-oob-pubkey-03
>
> I would be great to get your feedback on an open issue that concerns the semantic of the exchange. I believe there are three use cases we would like to support with this work. Below, I provide high level message exchanges to explain those:
>
> I) Server uses Raw Public Keys (client authentication happens at some other layer)
> (the DANE use case)
>
> client_hello,
> raw-public-key-indicator="Server, when you send me your raw public key? I support this out-of-band key validation using DANE." ->
>
>                            <-  server_hello,
>                                raw-public-key="OK. The certificate structure below contains my raw public key.",
>                                certificate, // with raw public key inside
>                                server_key_exchange,
>                                server_hello_done
>
> client_key_exchange,
> change_cipher_spec,
> finished                  ->
>
>                            <- change_cipher_spec,
>                               finished
>
> Application Data        <------->     Application Data
>
>
> II) Client and Server use Raw Public Keys
> (the smart object use case - CORE working group)
>
> client_hello,
> raw-public-key="Server, please send me your raw public key and I will then send you mine. Are you OK processing my raw public key for client authentication?" ->
>
>                            <-  server_hello,
>                                raw-public-key="Below you find my raw public key and please send me your raw public key for client
> 							   authentication",
>                                certificate, // raw public key
>                                server_key_exchange,
>                                certificate_request,
>                                server_hello_done
>
> certificate, // with client's raw public key
> client_key_exchange,
> certificate_verify,
> change_cipher_spec,
> finished                  ->
>
>                            <- change_cipher_spec,
>                               finished
>
> Application Data        <------->     Application Data
>
>
> II) Hybrid Scenario
> (the OAuth Holder-of-the-Key Use case)
>
> client_hello,
> raw-public-key="I would like to use my raw public key for client authentication with OAuth. I also process X.509 for server-side authentication." ->
>
>                            <-  server_hello,
>                                raw-public-key="Please send me your raw public key. I use X.509 for server-side authentication",
>                                certificate,  // with X.509 cert.
>                                server_key_exchange,
>                                certificate_request,
>                                server_hello_done
>
> certificate, // with client's raw public key
> client_key_exchange,
> certificate_verify,
> change_cipher_spec,
> finished                  ->
>
>                            <- change_cipher_spec,
>                               finished
>
> Application Data        <------->     Application Data
> --------
>
> QUESTION: Are these all the message exchanges we need? Are there some problems with the exchanges?
>
> Ciao
> Hannes
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email