Re: [TLS] Secdir last call review of draft-ietf-tls-exported-authenticator-09

Nick Sullivan <nick@cloudflare.com> Thu, 21 November 2019 07:20 UTC

Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BAAC120048 for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 23:20:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8coAqQEC63gt for <tls@ietfa.amsl.com>; Wed, 20 Nov 2019 23:20:06 -0800 (PST)
Received: from mail-vs1-xe34.google.com (mail-vs1-xe34.google.com [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B5471202A0 for <tls@ietf.org>; Wed, 20 Nov 2019 23:20:05 -0800 (PST)
Received: by mail-vs1-xe34.google.com with SMTP id x21so1587682vsp.6 for <tls@ietf.org>; Wed, 20 Nov 2019 23:20:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mExfAvRqmeylZLqd1K6FFmMT0/zp7uI3q0rWx7kTj28=; b=OWGEY1me1hdlw5lfzOMoi/ruKx7HPO0VrisMyk9mpw1GIek3kiKro98pTDhcf9oo+S qDVhHUbVh4K8X/YS0aBXEG/ljddSlCZYcHpJ3AFhiyCbGqfN/A2B3KuvHlMWm/2M/L78 /232VMUPJsXgLeBn6wjPHYPBjEA86UFZKHbOA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mExfAvRqmeylZLqd1K6FFmMT0/zp7uI3q0rWx7kTj28=; b=XVqahcukAPoxGbrS0TGP59eh6yGsC2P3CFNknN7TMIkv+YifdXw9+VBUY7tvHC5dGC /BxFnYEfSK6Cvm7Zko2Q++cEvQpTC2eB28rAjl2HgHo1GffRa/hK9CmGBN1wAoe6hWA1 pcjrqbgWBNsiz/7l5hSmcB7vnUaw27V42tizg9nAhS8OpJswzVcOAn6KS/FCwGN9sJwp heYloLFWx4TF4PKibIEoAT+8uZKxc7ajQdYCRj/S6w3o8Zhp0wr3UqLmZdtQ5olN8cQl 1w1WleTGxOrHkskaOrQvePPk6XLFFSwLnaQ7IbyW1cZDRWQJ8oz5mTn8KkdBFALwcxvt bLNw==
X-Gm-Message-State: APjAAAU0scPDi/eEVCD/loC9kbGyG2Dp/fEZEHRDoWMfTlaJxdS6HQzo X4Q+4uacm6wvAv57lp9PGE3sof3WtLcBTooxzknRMw==
X-Google-Smtp-Source: APXvYqwvuLBjNp62r+Ae1g1faagliHxv8WENkFzJEiHjvAaZ7rnNPdP5p9CyXdUZo28plKPWF3jwzUgNbeA7gdY3P8A=
X-Received: by 2002:a67:5d02:: with SMTP id r2mr4842822vsb.212.1574320804348; Wed, 20 Nov 2019 23:20:04 -0800 (PST)
MIME-Version: 1.0
References: <156330717256.15259.2193942101748847069@ietfa.amsl.com> <CAFDDyk_xvfDFK1_G3aqr9b5J6a-62=tjpdraXHGDpeiHdk10tA@mail.gmail.com> <CAFDDyk8sOw-G72KoJ76dS_etmO3zsJ58HuAkhAysFQPG2U-R0Q@mail.gmail.com> <D8E32D23-AE51-48BD-9B01-64F73DED0BFD@gmail.com> <CAFDDyk-s0jMnZy_mEAct15kwQG5cEZpyonDJxf+d9gQ6YBisGA@mail.gmail.com> <20191118225035.GS20609@akamai.com> <CAFDDyk86++0rn0KcrWixVGVc4wQ9G5vv+17Hx7ftvZuoAVs_9Q@mail.gmail.com> <430940ff-60f0-4ddd-9d71-9fe8b8ca9cae@www.fastmail.com> <ff1bff1b-049d-4e78-9533-4085c741fac8@www.fastmail.com> <20191121024019.GW20609@akamai.com> <892200AE-3D0A-4AF1-AD40-E3C46BE57F88@akamai.com>
In-Reply-To: <892200AE-3D0A-4AF1-AD40-E3C46BE57F88@akamai.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 21 Nov 2019 15:19:47 +0800
Message-ID: <CAFDDyk8BSb9kYdL1uf+3N=s_LmHuQRYcZoPv6mCQ6T=0Cs-M7w@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e89d40597d62056"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FxR2etQJSCRuptoKn8G26gHUiXs>
Subject: Re: [TLS] Secdir last call review of draft-ietf-tls-exported-authenticator-09
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 07:20:08 -0000

On Thu, Nov 21, 2019 at 10:43 AM Salz, Rich <rsalz@akamai.com>; wrote:

> Likewise, I am okay with the "could be amended" text but in fact I
> slightly prefer a new message type, for safety reasons.
>

How should we determine whether future extensions are permissible in the
context of this new message? For example, draft-sullivan-tls-opaque-00
<https://tools.ietf.org/html/draft-sullivan-tls-opaque-00> defines a new
extension that is valid in CH and ClientCertificateRequest, but is not
valid in CR. Does it make sense to require future extensions that can be
used in ClientCertificateRequest to include a new tag, "CCR", in the IANA
TLS ExtensionType Value table
<https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1>
?

In any case, we can address that when/if we get to it. Here's the new
proposed text:
https://github.com/tlswg/tls-exported-authenticator/pull/55/files