[TLS] Summary of discussion regarding spontaneuous authentication

Martin Thomson <martin.thomson@gmail.com> Wed, 22 October 2014 10:04 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2094E1A8F42 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 03:04:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wl3_-BO4yN9B for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 03:04:35 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE3571A038E for <tls@ietf.org>; Wed, 22 Oct 2014 03:04:34 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id q1so2590144lam.36 for <tls@ietf.org>; Wed, 22 Oct 2014 03:04:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=gXra75ws/auwwjlgIxQnCUwGeeAl6w78pXV7y5+6AMo=; b=fRuzjSSrLoOeuMwClkc0TJ1UQAzVrUosREDVsPMv70v9M+UVApQm1H0xeORdmq2t1G rtBowskKt5eNh8G7kh9cVqQPj1uygHBWlUB4Y45vNSROqJCttOaxgM3DR3xoh0scz5fi 3BrHFzHTJjGgWWVAayS6GJHp39H0lCOqe+lPrcrjkZwe+YUHfkrGv6Evy/UAFDxG2WL5 +gZ0i/Wekxyll+VRoA54onE/8PZE2s9pqb1CkDhPPwjYokebHMZRy5ItcTQaKr4bhUK0 XmmbTAfBpRW+7b5LnM1my7IJDlwWWBemcwtY+chtKKTDdFpxeR7/1yxfO1k4OqTjNBvy KjoA==
MIME-Version: 1.0
X-Received: by 10.113.5.7 with SMTP id ci7mr41413384lbd.9.1413972273062; Wed, 22 Oct 2014 03:04:33 -0700 (PDT)
Received: by 10.25.215.217 with HTTP; Wed, 22 Oct 2014 03:04:33 -0700 (PDT)
Date: Wed, 22 Oct 2014 03:04:33 -0700
Message-ID: <CABkgnnUAhEV=wLZyTew=ne7VgSq50XYR3Fo5EfjNXc8=_hbpyg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/8ErjasEXfWIpKtQoGLogc51kLjU
Subject: [TLS] Summary of discussion regarding spontaneuous authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 10:04:37 -0000

The update proposal that ekr sent around was discussed.

The primary concern was that the properties of the connection were
considered to change with respect to authentication.  Any data
received before the authentication, or messages that appear partially
before and partially after would have ambiguous properties.

Concerns were raised that having the authentication attest to data
that was sent prior to the authentication would expose us to a variety
of attacks that relied on confusion about the state of the connection.
There was also a concern that this would be difficult to analyse.

It was pointed out that update was still interesting, but only from a
rekeying perspective, because that had far lesser risks and no real
API implications.

If we decided to continue with Update, then we would have a place to
add a future extension that re-enabled this feature.

I noted that the use case that renegotiation provides was not going to
be supported with the proposed Update message, since there was no
analogue for the HelloRequest message.

All of this led to the decision not to pursue spontaneous authentication.