Re: [TLS] Review of draft-wouters-tls-oob-pubkey-00.txt
Martin Rex <mrex@sap.com> Thu, 28 July 2011 19:50 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 390B011E80F1 for <tls@ietfa.amsl.com>; Thu, 28 Jul 2011 12:50:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.926
X-Spam-Level:
X-Spam-Status: No, score=-9.926 tagged_above=-999 required=5 tests=[AWL=0.323, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4hsL9IwSpDEH for <tls@ietfa.amsl.com>; Thu, 28 Jul 2011 12:50:42 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id B894611E80F0 for <tls@ietf.org>; Thu, 28 Jul 2011 12:50:41 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p6SJoeFp006100 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 28 Jul 2011 21:50:40 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201107281950.p6SJodco027327@fs4113.wdf.sap.corp>
To: paul@xelerance.com
Date: Thu, 28 Jul 2011 21:50:39 +0200
In-Reply-To: <alpine.LFD.1.10.1107281346130.2289@newtla.xelerance.com> from "Paul Wouters" at Jul 28, 11 02:01:38 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Review of draft-wouters-tls-oob-pubkey-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:50:43 -0000
Paul Wouters wrote: > > On Thu, 28 Jul 2011, Martin Rex wrote: > > > > The trusted_ca_keys TLS extension itself is a simple/lightweight extension > > in that it does _not_ modify the syntax or semantics of any other > > TLS handshake messages (besides the TLS extensions container in > > ClientHello and ServerHello). > > trusted_ca_keys changes sending the CA bundle with EE-cert PKIX blob > with only the EE-cert PKIX blob. I am proposing to send only the > subjectPublicKeyInfo PKIx blob. It's not different a change of semantics. > > > I see not having to modify syntax and semantics of existing TLS handshake > > messages in order to implement a TLS extension as a big plus. > > See the start of this email and the comparison with trusted_ca_keys. I do not know what you're looking at, by _my_ copies of rfc6066 and predecessors 4366,3546 are crystal clear, there is *NO* change of syntax and semantics of any other TLS handshake messages, like e.g. the server's Certificate handshake message, so I fail to understand what you mean. There are no such things as CA bundles or PKIX blobs either, btw. The trusted_ca_keys TLS extensions does support more data types to identify acceptable CAs than the certificate_authorities list in the original CertificateRequest handshake message, however, but "cert" is not supported by either. You might be confusing "CA cert" with "distinguished name of CA". > > > The TLS WG had previously adopted a work item (currently dormant, > > primarily because of fights over hash algorithm agility that haven't > > been settled) to do caching in a generic fashion, so caching > > of data from TLS handshake messages, and in particular _existing_ > > TLS handshake messages should IMO not be duplicated in any newly > > proposed TLS extension. > > cached PKIX objects is quite different from not using PKIX. The design of the TLS caching extension is not strictly limited to PKIX-related data. But since PKIX-related data is the largest static data in current TLS handshakes, these data elements are the ones described in the currently dormant WG document. > > Currently in saag there was also the interesting point of PKIX needing > to send duplicate certs in the CA bundle for SHA1/SHA2/SHA3 because you > don't know what hashing algo the TLS client can support. That affects only folks who want to perform academic exercises. For TLS, the use of SHA-1 is pretty pervasive and going to continue just like that for at least the next 5 years. Having to maintain multiple alternative server certificate would currently be a waste of admin and helpdesk resources, if the server software supports it at all. I'm not actually aware of TLS clients or servers that implement and use the TLS extension trusted_ca_keys and personally, and I do not consider that extension generally useful. TLS clients that come with 50+ independent trust anchors preloded will hardly want to use that extension. > > The non-PKIX > authentication of the TLS server public key could just publish different > DANE records with the different hashes of the public key, and the TLS > client can pick the one it supports. Please don't suggest that it is > perfectly reasonable to keep mandating ever larger PKIX containers that > are just scrap around the public key. Or you could just wrap that server's public key in an X.509v1 self-signed cert and use it with pretty much any existing TLS client and TLS server software in the installed base. :) > > >> "something better" only works with your other assumption of "sending > >> and signing cruft in PKIX is fine". I strongly disagree with that. > > > > You seem to be thinking purely about a niche area > > > > 1) that does not have TLS at all today > > 2) where you want to implement TLS newly from scratch and having > > to implement _all_ of ASN.1-ladden PKIX as a huge burden > > 3) and where you do not care the slighest about interop with the > > installed base of TLS. > > Not at all. I am also thinking of a browser supporting non-pkix alongside > pkix authentication. If we were still in year 1995 and the installed base of TLS software was still insignificant, I might believe that TLS with bare public keys might have uses. SSH worked with bare keys back then and succeeded. But we're in 2011 now. I believe support for X.509 (and other authentication schemes) were added to SSH. But personally, I just fail to see a use case for adding raw key support to TLS that I could not simply solve with self-signed X.509v1 certs and existing TLS software in the installed base, even 10+ year old TLS software. Implementing support for self-signed X.509v1 (and JUST THAT) from scratch is probably _a_magnitude_ easier and faster than writing a specification for doing TLS with raw keys, working it through standardization and getting others to implement it. I can perfectly understand that you do not want to implement entire PKIX (rfc5280) from scratch, because that would really be an exhausting multi-year battle. > > > it might be worthwile thinking about implementing > > the subset "X.509v1 self-signed cert" as an alternative to inventing > > a new bare key format, because that is still fairly trivial to > > implement and fully interoperable with the existing installed base > > We've been carrying PKIX containers for too long already. Suggestions we > continue to do so for another twenty years are simply not good enough > in my opinion. I know not everyone agrees with me, and I'm not asking people > to switch. I'm just asking for the opportunity for everyone to make their > own decision on using PKIX or not. Admittedly, PKIX is bad, really really bad. But managing raw keys is _not_ better than a self-signed X.509v1 subset of PKIX, and I'm not aware of a suitable replacement for PKIX so far. And standardizing more ways to skin a cat may cause more harm than good and should be done lightheartedly. (recently mentioned on the IETF list:) http://www.xkcd.com/927/ > > We are not forcing TLS servers to change anything like a requirement > to support TLS version 1.42. We suggest giving TLS implementations the > *option* to implement a non-PKIX extension. cached-objects is not good > enough for this case. I don't mind adding TLS extensions that can be safely ignored and don't affect syntax&semantics of other TLS handshake messages and further evolution of the protocl. But I'm slighty worried about changing syntax or semantics of existing TLS handshake messages, because such changes scale very badly (every future change must address and fully specify the situation for all existing variants and their combinations). -Martin
- [TLS] Review of draft-wouters-tls-oob-pubkey-00.t… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Eric Rescorla
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Nikos Mavrogiannopoulos
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Nikos Mavrogiannopoulos
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Paul Wouters
- Re: [TLS] Review of draft-wouters-tls-oob-pubkey-… Martin Rex