Re: [TLS] Proposals for draft-ietf-tls-subcerts-02
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 24 July 2018 20:24 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32076130EC7 for <tls@ietfa.amsl.com>; Tue, 24 Jul 2018 13:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LkDFTRuaMq-0 for <tls@ietfa.amsl.com>; Tue, 24 Jul 2018 13:24:31 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EC52130DE4 for <tls@ietf.org>; Tue, 24 Jul 2018 13:24:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id E5F9254CDD; Tue, 24 Jul 2018 23:24:26 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Lt7byc9yGMfv; Tue, 24 Jul 2018 23:24:26 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 3290F286; Tue, 24 Jul 2018 23:24:24 +0300 (EEST)
Date: Tue, 24 Jul 2018 23:24:23 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Patton,Christopher J" <cjpatton@ufl.edu>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20180724202423.GA28235@LK-Perkele-VII>
References: <MWHPR22MB046162AC2C43A3A56FB1A8C4C6550@MWHPR22MB0461.namprd22.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <MWHPR22MB046162AC2C43A3A56FB1A8C4C6550@MWHPR22MB0461.namprd22.prod.outlook.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CZYAWFsfuKYZyu4ZH31eX_6b_jY>
Subject: Re: [TLS] Proposals for draft-ietf-tls-subcerts-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 20:24:34 -0000
On Tue, Jul 24, 2018 at 07:24:09PM +0000, Patton,Christopher J wrote: > Hi all, > > > I've taken the liberty of addressing the changes to the delegated credentials extension that were requested at IETF: > > https://github.com/tlswg/tls-subcerts/pull/13 > > > The changes that would be adopted in draft-02 are as follows: > > * Drop support for TLS 1.2. > * Allow the critical bit of the X.509 extension to be set. > * Add the protocol version and credential signature algorithm > to the Credential structure. > * Make the KeyUsage of the delegation certificate stricter. > * Specify undefined behavior in a few cases. > > It was suggested that we add optional "must-use-DC" semantics to the > certificate. The solution we came up with was to add a "strict" flag > to the extension that is set if (and only if) the extension is marked > critical. The idea is that if the "strict" flag is set and the server > doesn't offer a DC, then client must abort the handshake, In my opinion, > the complexity this adds to the protocol outweighs the potential benefits. > > Comments on the PR are welcome. This has the signifcant critical flag issue. It should at minimum be explicitly called out, as I do not know any precendent for this kind of behavior (check that some extension is critical yes, but not changing meaning of extension depending on critical flag). I watched the presentation and the resulting Q&A again. Short summary of relevant stuff: - The motivation in the slides is to reduce exposure of private keys to memory disclosure vulernabilities, without reducing performance. - The orignal proposal was to add a TLS Feature extension value. No discussion. - The drawback of "strict mode" would be causing issues with servers that can not effectively switch between certificates. - There is question about fallback. Paraphrased answer: LURK. TLS Feature extensions have some really unwnated properties here. They are never critical on client side, and they have OR-inheritance. You definitely do not want OR-inheritance here. Well, after this, the best usecase I can come up with strict flag is still dealing with LURK endpoints that can not do proof-of-possession or format checking[1]. [1] TLS 1.2 and 1.3 servers should only ask for signatures and only over the following kinds of data: - <64 bytes> 03 00 17 41 04 <64 bytes> - <64 bytes> 03 00 18 61 04 <96 bytes> - <64 bytes> 03 00 19 85 04 <132 bytes> (rare, P-521) - <64 bytes> 03 00 1A 41 04 <64 bytes> (rare, brainpool) - <64 bytes> 03 00 1B 61 04 <96 bytes> (rare, brainpool) - <64 bytes> 03 00 1C 81 04 <128 bytes> (rare, brainpool) - <64 bytes> 03 00 1D 20 <32 bytes> - <64 bytes> 03 00 1E 38 <56 bytes> (rare, X448) - <64 spaces> "TLS 1.3, server CertificateVerify" 00 <32 bytes> - <64 spaces> "TLS 1.3, server CertificateVerify" 00 <48 bytes> None of these covers delegated credential signatures, which would cause any attempt to ask for DC signature to fail if the format is checked.. -Ilari
- [TLS] Proposals for draft-ietf-tls-subcerts-02 Patton,Christopher J
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Ilari Liusvaara
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Patton,Christopher J
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Nick Sullivan