IETF Logo Mail Archive

Re: [TLS] WGLC for "A Flags Extension for TLS 1.3"

Martin Thomson <mt@lowentropy.net> Thu, 23 April 2020 00:08 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D01283A0E82 for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 17:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=ZnG7865Q; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=JcDkwsRT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oosq5YlS8k-c for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 17:08:04 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FF243A0E7B for <tls@ietf.org>; Wed, 22 Apr 2020 17:08:04 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id AFFA1610; Wed, 22 Apr 2020 20:08:03 -0400 (EDT)
Received: from imap7 ([10.202.2.57]) by compute2.internal (MEProxy); Wed, 22 Apr 2020 20:08:03 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type:content-transfer-encoding; s=fm2; bh=14 UuWznUAvJJ8/MPNCIzOMjIoM8a4X9w2DMmXMaDyL4=; b=ZnG7865QCP3V9w50dR q+YLjFOEN5/6pUg7FVm29w6qBgedXUBIDvdfMTZzyMf0DAchAZxgzi1mSjDJfPWj Y00qzYo7DlkyosRpvzPWuEJVoH4kHmWEqz3U+sPp/bwXi1j4VWTg+iUF6YsZhKlL 4AzV7pIVQ3Hb+AI6z+oTrZ4S+7pN1AFvQ/1gbbZt8b/LML50McP3KQUQEPr7t5J6 j0RZGJrXmQjq9jTx7q1i2lkNO4dGTCbufzU7Rip8CVzPxYmhFxMRquG79k8LKODc c2mzcXiPFSjRsFH9ieEAkHXpc2mzyykGQa7//MP86ISFa6YEGN0Tp1sJt/exENAZ FKMQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=14UuWznUAvJJ8/MPNCIzOMjIoM8a4X9w2DMmXMaDy L4=; b=JcDkwsRTOMW69C5mq34E6piWlV6jlT6gkkc+0xcGqtz8ayKvrROdXpQBi Qy1OBV2naEi+dc5fRk2JEaOq8DL8UIaQp7rRJuI+bjzrwct/O/DOr3E0tioAnR4w /EGZ3+X9BokcDAqom6HwYmY04Qx5NAEXw/HVU7+009SFnzXjSre+2VBgCYappS94 P3DHDATRgGYUBP+OELS+dgCaDoNC7BFTl29ei0p7zsLhjT4w7AvyTW8GmBhRi0zL s131slXhhTUibwD7U/+4xzrsOKT4tygprD0Ca3e4XcukYBXCsuzBC/FtEhYKY8T7 TKvOa+xldo2q5jXdP2/g9XL33agDQ==
X-ME-Sender: <xms:YtygXj12Z6_SXOsFvbZZmacHcwuMBMVGBFDHsL98wVhlsmOj8Mn9yg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrgeekgddvjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:Y9ygXuYSL0skbCJHQiFbz4o2eVq8j3X-5d2m-5bAqZtbfXQ3hFkmPA> <xmx:Y9ygXmq5DD1TPuplY0JunvUSy816_xzgc1uVWLJbboFfHiE1x6oh-Q> <xmx:Y9ygXqrNSx8LM5X4LNQX2fcMXqGWr9H5qbDRCb8_GaHTlIAGAXD1mQ> <xmx:Y9ygXoph-1GZRFKHs5zZK2xXKO2Issz3PcqHf4l7Y5jmm5xehyiXjw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E466A180091; Wed, 22 Apr 2020 20:08:02 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <fbc76c60-a250-40dc-95bc-7390937206aa@www.fastmail.com>
In-Reply-To: <B6EC2F38-504C-46C0-B5A3-F16ED27CA923@gmail.com>
References: <bf0f823a-99ab-46b0-9b2a-d397d6bf3139@www.fastmail.com> <3aab08b9-d979-4952-85f6-62e993f6fb4b@www.fastmail.com> <B6EC2F38-504C-46C0-B5A3-F16ED27CA923@gmail.com>
Date: Thu, 23 Apr 2020 10:07:40 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: tls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/973qdoi0PmJbJzNU7Y-eC_a-WaI>
Subject: Re: [TLS] WGLC for "A Flags Extension for TLS 1.3"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2020 00:08:07 -0000

On Wed, Apr 22, 2020, at 05:31, Yoav Nir wrote:
> > Third, more substantially, and invalidating the above, I don't think that we should make flags introduce a new style of negotiation just because it can.  I would strongly prefer that this function as close as possible to "empty ClientHello extension; empty EncryptedExtensions extension".  Aside from that, the utility of an advertisement from the server that a client cannot respond to is pretty marginal.
> 
> If this is what the group prefers, I’m fine with it, but then there’s 
> never any point in sending an empty extension, either from the client 
> of form the server. The absence of an individual flag is always implied 
> from the absence of the extension.

When you say "empty extension" here, do you mean "empty flags extension" or are you speaking more generally?

If the server can't add flags, then I agree that having the client send an empty flags extension has little value.  Same for the server sending an empty flags extension in that case.
 
> > Are we confident that sending the same extension in both places is safe?  I know that clients have to implement this and so should be able to test that this works, but it seems awkward.  And it might not be necessary.  It's also not sufficient, as we currently allow responses to ClientHello extensions to appear in Certificate (and for CertificateRequest to carry "requests" in the other direction).
> 
> I don’t think the two extensions ever carry the same flags. Each server 
> side flag should be one of three: serverHello, encrpytedExtensions, or 
> neither (if we are not expecting a response)

So the intersection of flags in different responses must be zero?  i.e. flags[ServerHello] & flags[EncryptedExtensions] == 0 (and the same for any combination that we allow, including Certificate and NewSessionTicket, I guess).
 
> As for Certificate, I don’t see why we’d need to add bit responses to 
> Certificate. They can safely be sent in either serverHello or 
> encryptedExtensions.

The obvious thing here is when the extension applies on a per-certificate basis as opposed to the entire chain.  But I don't have an example you can use; see below.

> I’m trying to come up with key exchange bits that might be useful.  
> Perhaps a new, improved alternative to HKDF?  Support for Quantum Key 
> Exchange?

This might require an understanding of the overall strategy.  If the goal is to provide an analogue of a generic "empty extension", then sure, put it in ServerHello.  But put it in Certificate and NewSessionTicket too.  But if you make this more narrowly applicable and say that you have a different flags extension for each type of exchange (ClientHello -> ServerHello, ClientHello -> EncryptedExtensions, ClientHello -> NewSessionTicket, ClientHello/CertificateRequest -> Certificate), then you might avoid answering this question for now.

Right now, it seems like the obvious use here is for EncryptedExtensions, so we could decide to defer that architectural question by saying that it is limited to EncryptedExtensions for now.  Then we can either expand the one flags extensions to allow it in NewSessionTicket when we need to, or define a new one.

v2.23.0 | Report a Bug | By Email