IETF Logo Mail Archive

Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 16 February 2022 11:26 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4C23A113D for <tls@ietfa.amsl.com>; Wed, 16 Feb 2022 03:26:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07ipUS8exuH9 for <tls@ietfa.amsl.com>; Wed, 16 Feb 2022 03:26:42 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 550FE3A12B0 for <tls@ietf.org>; Wed, 16 Feb 2022 03:26:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 4AE1467FA2; Wed, 16 Feb 2022 13:26:34 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id XOnuvaiK3ssj; Wed, 16 Feb 2022 13:26:34 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 0117928B; Wed, 16 Feb 2022 13:26:31 +0200 (EET)
Date: Wed, 16 Feb 2022 13:26:31 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Kampanakis, Panos" <kpanos@amazon.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <YgzfZyXNVpbUjiqu@LK-Perkele-VII2.locald>
References: <83f923185c3741ccb668826f5b11b0c3@EX13D01ANC003.ant.amazon.com> <YgoH5/zQS67JgexL@LK-Perkele-VII2.locald> <4a28a1fbfb3445cab4906d6266b3831e@EX13D01ANC003.ant.amazon.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <4a28a1fbfb3445cab4906d6266b3831e@EX13D01ANC003.ant.amazon.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EKJ38ve6kN-5BWGFDKoVs_T_Vi0>
Subject: Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2022 11:26:49 -0000

On Wed, Feb 16, 2022 at 05:45:47AM +0000, Kampanakis, Panos wrote:
> Good comments, thank you Ilari. 
> 
> To answer your comments  
> 
> > 1) There are a few "shall" in the text. Should those be "SHALL"?
> 
> The two "shall" refer to draft-ietf-tls-tlsflags. Based on experience
> from previous drafts, we do not want to repeat normative language
> from another draft, so we kept them lowercase. We can still consider
> making them normative though. 

I think the language in tlsflags about acknowledging extensions is
confusing. Tlsflags behavior should be similar to extensions, which do
not have acknowledgment requirement in base TLS (any acknowledgement
requirement is per extension). So I think any acknowledgement
requirement should be explicitly stated normatively.

As to why I find tlsflags language confusing: I think flags as
shorthand for empty extensions, and TLS extensions can be capability
advertisments (no reply). E.g., compress_certificate, which happens
to add a new HandshakeType.


> > 3) Why there are two flags? I do not see a case where both would
> > be sent in the same message.
> 
> In the original draft there was only one. But we want for both the
> client and server (CertReq) to be able to signal to their peer to
> suppress CAs. draft-ietf-tls-tlsflags defines that the peer needs to
> acknowledge the flag, thus we needed one per direction. 

There are no less than four existing TLS extensions (and flags work
similarly to extensions), which work in both directions with the
same codepoint, in the IANA registry:

- status_request
- signed_certificate_timestamp
- delegated_credentials
- transparency_info

And there does not seem to be a percedent for extension that works in
both directions, but with different codepoints.

 
> > 4) In WebPKI, there are some cornercases (constrained ICAs) where
> > the client might be missing a certificate or certificates in the
> > chain. Currently the WebPKI root program rules allow not disclosing
> > "technically constrained" certificates (but there are plans to
> > change this).
> 
> Good point. That has come up in discussions with my co-authors. As
> Martin was pointing out, a lot hinges on the semantics of the
> tls_flags bit.  We probably can say that it means "I have all the
> intermediates I am willing to accept".  That's a little too absolute
> for the web PKI as it stands. We don't have stats on how often we'd
> fail as a result; we would have to check but unconstrained
> intermediates probably isn't exceptional. The flag should probably
> say "I have all the *unconstrained* intermediates that I'm willing
> to accept" or maybe "I have all the intermediates from that I'm
> willing to accept, unless it's the WebPKI and then I only have
> unconstrained intermediates"' 

I would expect constrained intermediates to be quite rare. IIRC, there
is a lot of red tape in Baseline Requirements about constrained ICAs.

> But if MSRP 2.8 adds constrained intermediates, then "I have all the
> intermediates I am willing to accept" may just suffice. 

MSRP 2.8 is slated for this year, so it might very well fix this issue
for WebPKI.

Another way to address the issue would be to write some text that the
server might want to send any ICA that has not been publically
disclosed. As that is neutral to PKI and is exactly what makes
constrained ICAs problematic here.


> > 5) In the client auth scenario, the server might have exhaustive
> > list of all issuing ICAs it accepts, so including any ICAs is never
> > necressary. However, this might be handled even currently by not
> > giving the client a chain. However, doing this in other direction
> > can be quite dangerous without prior agreement.
> 
> I am not sure I am following that argument. If the client does not
> have a chain what happens if the server does not have all
> intermediates?

Sending ICA will not help: The authentication would still fail.

But actually, if using public PKI certificates for client auth (usually
not a great idea), then this can fail rather badly with legacy servers
that do not have issuing ICA lists at all.

> By quite dangerous do you mean that if they have not pre-agreed on
> the ICA list there could be an auth failure and recovery will not
> be easy because the server can't track the clients it is expecting
> ICAs from? Am I getting you right? 

The problem is legacy clients. If one of those connects to the server
and server omits the chain, that will cause handshake failure.

Unfortunately, currently there are fair amount of misconfigured servers
that behave this way.



-Ilari

v2.23.0 | Report a Bug | By Email