Re: [TLS] AD review of draft-ietf-tls-falsestart-01
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 01 April 2016 12:19 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD0212D12B; Fri, 1 Apr 2016 05:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v-1iQSncvpl0; Fri, 1 Apr 2016 05:19:35 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75F2912D129; Fri, 1 Apr 2016 05:19:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C49EFBE2D; Fri, 1 Apr 2016 13:19:33 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gC4iKTW9eOE; Fri, 1 Apr 2016 13:19:31 +0100 (IST)
Received: from [10.87.49.100] (unknown [86.46.30.32]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EAB77BE29; Fri, 1 Apr 2016 13:19:30 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1459513171; bh=4NTyUJma0X81ea8A37uKofdBVgJRGiGwEgIqZsiXUkQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=WD/UOxa42Xb3o/bPLROxyycNJfnogxJBBF+8uELcqOzQ27H/QuSj3L0Xu10zgZyn7 VdPRLat4zPnBKRukg/nm//UYZLrRbF6X3HlpVj7H4AIbkSdeP8jKSUibm+MwWnyjZ/ QNYU5D78pVP85XMuOfFUZbqc93LvfnkqSVXozGMM=
To: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
References: <56F2B2E7.1060809@cs.tcd.ie> <CADMpkcLg4c2Q1Rq8n+HKzOM2Q7-S+VRmWy+W9kDOX5dZ9Z67Hg@mail.gmail.com> <56F3B9CC.8050305@cs.tcd.ie> <F1A09055-2D99-4697-9018-C5778C4E198F@sn3rd.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56FE6751.7040100@cs.tcd.ie>
Date: Fri, 01 Apr 2016 13:19:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <F1A09055-2D99-4697-9018-C5778C4E198F@sn3rd.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020109010206030208040207"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BprkZbNHKfwNKLljYqt-HTLld6o>
Cc: draft-ietf-tls-falsestart@ietf.org
Subject: Re: [TLS] AD review of draft-ietf-tls-falsestart-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2016 12:19:39 -0000
Hi Sean, Thanks for moving this along, On 01/04/16 02:19, Sean Turner wrote: > On Mar 24, 2016, at 05:56, Stephen Farrell > <stephen.farrell@cs.tcd.ie> wrote: >> >> >> Hiya, >> >> Thanks for the speedy response... >> >> Again #3 below is what I care about, the other stuff isn't a big >> deal. >> >> On 24/03/16 00:38, Bodo Moeller wrote: >>> "Stephen Farrell" <stephen.farrell@cs.tcd.ie>: >>> >>>> (1) Why experimental? Wouldn't this be better as info and >>>> documented as "here's a spec for a thing that's widely >>>> deployed." I fear we may get questions like "what's the >>>> experiment?", "where's this going in future?" if this aims for >>>> experimental, and info may avoid that esp if we really want >>>> people to move to TLS1.3. I also didn't see list discussion >>>> about what kind of RFC to aim for, but maybe it was discussed >>>> at a meeting or interim? (Apologies if I missed that in my scan >>>> of the list.) >>> >>> I'm myself torn between "Experimental" and "Informational" >>> (certainly not "Historic" because the spec has not been >>> superseded by a more recent one and is not obsolete for any other >>> reason [ https://tools.ietf.org/html/rfc2026#section-4.2.4], >>> unless we somehow manage to complete TLS 1.3 standardization >>> before this). Taking into account how False Start is actually >>> deployed (and taking into >> >> Right. TLS1.3 will hopefully make this historic, so we could just >> park this in the RFC editor queue and have both RFCs emerge on the >> same day with this one as Historic. With did that with DKIM (4871) >> and DomainKeys (4870, Historic) for example. Note that I'm not >> arguing for doing that, just raising the option if that's what the >> WG want and if the list hasn't discussed it. I assume though that >> the WG don't want to take this route so no need to discuss it more >> in that case. >> >>> account that we expect it to eventually be replaced by a TLS 1.3 >>> mechanism) and how our I-D is cited in research papers on TLS, >>> "Experimental" sounds right to me: the spec really is part of a >>> research and development effort [ >>> https://tools.ietf.org/html/rfc2026#section-4.2.4]. >>> "Informational" wouldn't be wrong either. >> >> I think the latter matches much better myself, as there really is >> no experiment being done here and we're not gonna develop this any >> more once TLS1.3 is done, but whatever - I'm ok with saying that >> the WG just wanted experimental. But you'll likely get asked this >> again and again. At least we can now point at this thread and say >> that it was discussed on the list though. (Which was partly why I >> asked:-) >> >> It'd be no harm though if a couple of others chimed in on this just >> to there's recorded opinion from more than just the AD and an >> author. >> >> We can change to informational at the end of LC if need be, i.e., >> there's no need to hold stuff up for that and such a change then >> doesn't add any delay. > > > This draft started out as Informational and then we switched it > Experimental. The WG has not considered whether we should publish > this should go Historic now, be held and publish as Historic later, > etc. > > How do folks feel about Historic vs Experimental vs Informational? > > If we’re going to move it to Historic, then we’ve got a couple of > options: > > 0) As described above: Get it approved by the IESG, hold it in RFC > editor’s queue, and publish it as historic at the same time TLS 1.3 > is published. > > 1) Approve it, get it published, and then make it Historic with > another draft. > > 2) Approve it, get it published, and then make it Historic with an > IESG initiated Protocol Action, which is a message that the IESG > initiates requesting the status be changed similar to an IETF but > requires no draft. > > (there’s probably some other options like an adding an IESG note/new > section that says “this goes to historic when TLS 1.3 is published, > but I think the above three options seem more realistic.) > > Option 0 is probably the least amount of work. We just hold it, but > in some sense I kind of tend to think that we’re punishing the > authors. There’s nothing they’ve really got to do, but it feels > somehow like we’re hitting them upside the head with the process > two-by-four. > > Option 1 would be a total PITA. People say that we can get a draft > published quickly if we (the royal we) really want to, but my > experience is otherwise. > > Option 2 is something that I don't think we had in our toolkit when > DKIM was being worked on. The draft gets published the authors can > move on and we (the process moths) can make sure the draft gets moved > to Historic. > > What do the WG members think about the options of moving to historic? > Personally, I’d advocate option 2 because it keeps the work load on > the chairs/AD :) I'm fine with any of the above. > > ~snipped 2~ > >>> >>>> (3) Why is there no description of the reasons for all the MUST >>>> only use whitelisted <foo> and for the choices that are >>>> whitelisted? Wouldn't omitting that tend to lead people to use >>>> this more badly? >>> >>> Well, I tried to capture the general reasoning in the spec -- but >>> not the detailed reasons for the specific choices suggested, >>> because that again would just go stale quickly. >> >> Where are those general reasons stated? I don't see ‘em. > > The whitelisted options are described in the bullets in s4 and those > point to s5.* I'm still not seeing it. I do see things listed, but I don't see any reasons why the things are listed. The closest I see we get for now is: "The TLS protocol already relies on such a security property for authentication -- with False Start, the same is needed for encryption." But there's quite a gap between that statement and the set of rules given here. > > It’s stuff like don’t use suspect symmetric ciphers. But surely that's tautological? When would we ever recommend using dodgy stuff? I think what's missing is a description of or reference to what is particularly going to go wrong if you use a ciphersuite with known attacks and do false-start. That'd give the reader a chance to do an informed evaluation for themselves as to whether or not some ciphersuite is or is not safe with false-start. (And that evaluation will be done at various points in future.) > >>> In particular, I think this is an important observation in the >>> I-D: >>> >>> "If heuristically a small list of cipher suites and a single >>> protocol version is found to be sufficient for the majority of >>> TLS handshakes in practice, it could make sense to forego False >>> Start for any handshake that does not match this expected >>> pattern, even if there is no concrete reason to assume a >>> cryptographic weakness." >> >> That may be important but it doesn't address the issue about which >> I'm asking. >> >>> >>> So the whitelists should have algorithms that are actually used >>> in practice and that don't have critical weaknesses, but why >>> exactly those particular algorithms happen to get used in >>> practice is mostly out of scope here. >> >> Why is the logic behind such security relevant choices out of >> scope? That makes no sense to me. Let's imagine a new ciphersuite >> is invented and folks start to wonder whether or not it's ok to >> whitelist that for false-start - wouldn't they expect this document >> to explain (maybe mostly via references) why some ciphersuites are >> not good enough to whitelist? I would expect that to be clear. >> >> And to be clear, I'm not asking for an essay, but more like some >> text in the intro saying "False start is not safe for a ciphersuite >> that has properties <A,B,C> such as <example> because of <problem>. >> See [refs] for full details." >> >> For added clarity it'd also be good to have something like: >> "Ciphersuites MUST have <good-properties X,Y,Z> to be safe to >> whitelist for false-start." >> >> If figuring out text for the above is very hard, then I do think >> that would indicate a real issue with this spec. If figuring that >> out is just a minor bit of tedium, then I think it's worthwhile so >> that future readers of the RFC can understand what's going on here, >> which I don't think is the case from the current text. > > I think this text is already present: > > Clients MUST NOT use the False Start protocol modification in a > handshake unless the cipher suite uses a symmetric cipher that is > considered cryptographically strong. > > In the key exchange algorithms and client certificate type security > considerations, there’s: > > The recommended whitelists are such that if cryptographic algorithms > suitable for forward secrecy would possibly be negotiated, no False > Start will take place if the current handshake fails to provide > forward secrecy. > > .. and .. > > Forward secrecy can be achieved using ephemeral Diffie-Hellman or > ephemeral Elliptic-Curve Diffie-Hellman ... > > If we summarize these in the Introduction we’re good? No, I'm on about missing text not placement of text. Again if we added something like "False start is not safe for a ciphersuite that has properties <A,B,C> such as <example> because of <problem>. See [refs] for full details" then we'd be done because a reader could use that to analyse whether or not it is ok to use a future ciphersuite (or a current one, being re-evaluated in the future) with false-start. Cheers, S. PS: If I'm just not managing to explain myself well here, we can chat about it in B-A. > > spt > >> Cheers, S. >> >> >>> >>> Bodo >>> >>>> That could be done with some explanatory text and using some of >>>> the references below maybe. Or, if we don't really want new >>>> folks to implement this (do we?) then just saying that might >>>> mean it's ok to not explain the "why." (And then you could also >>>> address #1 above then by issuing this as an historic RFC too if >>>> you wanted.) >>> >> >> _______________________________________________ TLS mailing list >> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] AD review of draft-ietf-tls-falsestart-01 Stephen Farrell
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Bodo Moeller
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Martin Thomson
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Stephen Farrell
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Dave Garrett
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Stephen Farrell
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Peter Bowen
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Eric Rescorla
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Stephen Farrell