Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Eric Rescorla <ekr@rtfm.com> Sat, 06 March 2021 00:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6BC43A1516 for <tls@ietfa.amsl.com>; Fri, 5 Mar 2021 16:47:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTGgTONiildC for <tls@ietfa.amsl.com>; Fri, 5 Mar 2021 16:46:59 -0800 (PST)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C52123A1527 for <tls@ietf.org>; Fri, 5 Mar 2021 16:46:58 -0800 (PST)
Received: by mail-lf1-x134.google.com with SMTP id e7so7112379lft.2 for <tls@ietf.org>; Fri, 05 Mar 2021 16:46:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BLPtZQxsDMHjYMrLKx0ehwrc9NxwvRC0QzCjpreyxtc=; b=HBtmsmr9utrysnT2MzxAxQVdznbauNUt/UPk0Q2uC35WjsCb/w1bI+WrPNU0ED1eHL lm5Tjgq6Wa9eIITNsrRmwfPfbiaJtwW627NdktKPj25p/d4TSHHpQMezpOH8/2Dyp+H/ RxbCga7rm90584/6toPqXwSpQ2xqAbqM+jtEU46Ed9pvFFqY/kfMAPtUeZduhEI+5PH4 rBY839WUXefFGJX6/YyT8D4y2HFQ9ETxrgnkLJaSa5MV1nQY7G+9Lnv6zeeW1Rgx7bjU +pRVmDs207Bx5+jeasXEXQh8nUUQVFZ2B6QoTKWtPKdifU96BYqo9RQ4UsaEvcO93Epu 57OQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BLPtZQxsDMHjYMrLKx0ehwrc9NxwvRC0QzCjpreyxtc=; b=tsVitD5STvL0XgT8cGQ6BKDKrZsEAsYTserXfIf2CuQbo8GD86gaEoPPNACaTMoBGU L4m67+AYe34CKuUwjxpNrb05eMqtlZ6EYizQHc9H7GoR6B+4XrK37oexRGwcHsWDhrTm kQcX99I2A99iv5E9kEWNaLuzEmigpVwJEmXRiORtA2e6VrhMoQthBo0hZRxTXmYv3GRC vTdWC8lyjznhsI+s8YJdvOFXOIfK9wO4KiAXho5vEfrO6FAUJmwWcl0P40sJXtW42IFM WhuOioVfHErgPubLbXrY1ujD+vArDV3YmZpVtJfjm0H8yhfdiWFqdqgoKXIVEcXU7Zzi 8FyQ==
X-Gm-Message-State: AOAM532MUdKnoSlSTT9wAdO3F2eXT2D3D8yuOpp+eyOcML7z1fz/pKMk ke8rQrjvkYCdD7WO59KAReUS7HoGcQ2Uh1FVsQ/Z3A==
X-Google-Smtp-Source: ABdhPJxSAwC9f/b+OqbzkjUMZu9pwHtK6jGcEsvb7OukoOoT+ZLoQYdIxptGgcDN6AjNX98fqyc2pP4165IEONfmWxs=
X-Received: by 2002:a05:6512:b1a:: with SMTP id w26mr6974503lfu.206.1614991611880; Fri, 05 Mar 2021 16:46:51 -0800 (PST)
MIME-Version: 1.0
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com>
In-Reply-To: <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 05 Mar 2021 16:46:15 -0800
Message-ID: <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000057780105bcd38986"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8qDlUBOUuCaMdQalt_H7B06aArI>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Mar 2021 00:47:01 -0000
On Fri, Mar 5, 2021 at 11:38 AM Watson Ladd <watsonbladd@gmail.com> wrote: > On Fri, Mar 5, 2021, 10:43 AM John Mattsson > <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote: > > > > >While renegotiation will never be re-added, there is post-handshake > > >authentication (RFC 8446, section 4.6.2), and while that is currently > > >about authenticating the _client_ to the server, it should be trivial to > > >extend the protocol to support re-authenticating the server to the > > >client as well. > > > > I think the current Post-Handshake authentication is not really suitable > for long-term connections. It assures that the other party is still alive > but it does not shut out any other third parties with access to > application_traffic_secret_N. Such parties may have gotten the key with or > without collaboration with one of the nodes. > > The application traffic secret N+1 and the security of the > authentication is unaffected by compromise of key N AFAIK. I'm not > sure what property you want here that is stronger. > It seems to me that there are potentially two distinct properties here: 1. Post-Compromise Security in the case where the traffic keys were leaked 2. Re-authentication of the server. Id like to understand the second use case better. Assume that Alice connects to Bob and Bob authenticates with certificate X which is valid at the time. As long as Bob's certificate remains valid, I'm not sure that any new TLS behavior is required. I.e., Alice is free to re-validate the certificate (i.e., check for revocation) but it's not clear to me that as long as it is valid, it is necessary for Bob to re-prove possession of the key. The primary threat that the defends against is an un-detected temporary misuse of Bob's key at a prior time, which seems distinct from future compromise. So, it seems like you can just re-validate the key and then abort the connection if that fails, as Rich Salz suggests. This leaves us with the case where Bob's certificate is no longer valid but Bob has a new certificate [0]. In this case, just re-validating does not help. Does that happen so often that we need protocol machinery other than just tearing down the connection and starting over? -Ekr [0] Potentially, with a different key, though just assuming that because the key is the same you can transplant the new identity on seems dangerous, as we usually want to sign over the identities.
- [TLS] Question to TLS 1.3 and certificate revocat… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… John Mattsson
- Re: [TLS] Question to TLS 1.3 and certificate rev… Salz, Rich
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… John Mattsson
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Watson Ladd
- Re: [TLS] Question to TLS 1.3 and certificate rev… Eric Rescorla
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Hannes Tschofenig
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Graham Bartlett
- Re: [TLS] Question to TLS 1.3 and certificate rev… Deb Cooley
- Re: [TLS] Question to TLS 1.3 and certificate rev… Graham Bartlett
- Re: [TLS] Question to TLS 1.3 and certificate rev… Hannes Tschofenig
- Re: [TLS] Question to TLS 1.3 and certificate rev… Hannes Tschofenig
- Re: [TLS] Question to TLS 1.3 and certificate rev… Benjamin Kaduk
- Re: [TLS] Question to TLS 1.3 and certificate rev… Graham Bartlett
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Benjamin Kaduk
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Olle E. Johansson
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Salz, Rich
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Jonathan Hoyland
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Jonathan Hoyland