Re: [TLS] Martin Duke's Discuss on draft-ietf-tls-external-psk-importer-06: (with DISCUSS)

Benjamin Kaduk <kaduk@mit.edu> Fri, 08 January 2021 00:39 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB34C3A0F2F; Thu, 7 Jan 2021 16:39:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zctmc1oej580; Thu, 7 Jan 2021 16:39:37 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECF393A0F22; Thu, 7 Jan 2021 16:39:36 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1080dT0L022815 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 7 Jan 2021 19:39:33 -0500
Date: Thu, 7 Jan 2021 16:39:28 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: The IESG <iesg@ietf.org>, joe@salowey.net, draft-ietf-tls-external-psk-importer@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Message-ID: <20210108003928.GR93151@kduck.mit.edu>
References: <160980363454.20851.10184061700085456941@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <160980363454.20851.10184061700085456941@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9cUnoOPyHxFdEFYLJODlZFbU9dg>
Subject: Re: [TLS] Martin Duke's Discuss on draft-ietf-tls-external-psk-importer-06: (with DISCUSS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2021 00:39:40 -0000

On Mon, Jan 04, 2021 at 03:40:34PM -0800, Martin Duke via Datatracker wrote:
> Martin Duke has entered the following ballot position for
> draft-ietf-tls-external-psk-importer-06: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-external-psk-importer/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> This is probably just my own ignorance, but I see two potential problems in Sec
> 4.1.
> 
> - 'The identity of "ipskx" as sent on the wire is ImportedIdentity, i.e., the
> serialized content of ImportedIdentity is used as the  content of
> PskIdentity.identity in the PSK extension.' IIUC ImportedIdentity has a maximum
> length of 2^17 + 2. But the Identity field in the PSK option has a maximum
> length of 2^16-1. I presume this never actually happens, but the spec should
> handle the boundary condition, perhaps by limiting the first two fields of
> Imported Identity to sum to 2^16-5 bytes or something.

I'll leave this one for the authors.

> - It says 'Endpoints SHOULD generate a compatible "ipskx" for each target
> ciphersuite they offer.' but then the example shows two ciphers that equire
> only one derived key. Do you mean "hash algorithm" instead of "ciphersuite"?
> TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256 are different
> ciphersuites according to RFC 8446.

TLS 1.3 ciphersuites are associated with a Hash, and 8446 assumes that HKDF
with that Hash is the KDF for use of that ciphersuite.  This document
somewhat extends that to allow a more generic KDF, rather than just HKDF,
but "compatible with a ciphersuite" means "compatible with the KDF
associated with the ciphersuite", and since the Hash and HKDF are the same
for the two ciphers, the same ipskx works for both (and an efficient
implementation would be expected to only compute it once).

Thanks,

Ben