IETF Logo Mail Archive

Re: [TLS] review comments on draft-rescorla-tls-subcerts-01

Subodh Iyengar <subodh@fb.com> Wed, 29 March 2017 15:29 UTC

Return-Path: <prvs=5261e8187b=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4811296D3 for <tls@ietfa.amsl.com>; Wed, 29 Mar 2017 08:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=ArPMF6vF; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=iJpIwfPO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nwWcfRIPh1nW for <tls@ietfa.amsl.com>; Wed, 29 Mar 2017 08:29:47 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78C9812969C for <tls@ietf.org>; Wed, 29 Mar 2017 08:29:47 -0700 (PDT)
Received: from pps.filterd (m0001255.ppops.net [127.0.0.1]) by mx0b-00082601.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v2TFLqSq017421; Wed, 29 Mar 2017 08:29:44 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=rBZHBLXM5ixVeJ3Fj/kRr/DxTzqqRexcZf8jPHXv5sw=; b=ArPMF6vFLDVDESx/BHCYZ6gfr50qBruSK+LIC3B4B2B1POxdcUE2MYjxZFK1UMpWE8C3 rA52V65gxAkocAv7aOcULVsEG8UGmAQnd7Or2AWfloqmBpwy7JLfetU77qytsg7Fxc2x M6/RJbtdp8gVogkLNnuihFO4P2YoiXNwBZ0=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0b-00082601.pphosted.com with ESMTP id 29gd4u8esk-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 29 Mar 2017 08:29:43 -0700
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.23) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 29 Mar 2017 11:29:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=rBZHBLXM5ixVeJ3Fj/kRr/DxTzqqRexcZf8jPHXv5sw=; b=iJpIwfPOYn9VA9AyZnRz+vn8fUAO6+va02M5Ki/N/jQv+dUXB+je4JkkA+fU/lgAXwm3bYDABgx8ZAMVhoNHZNo86ahPpxzewiPJseUPNNr7uIu3ueFWFLzrVpxJ76q6Z90OoxZJtdk3pLxFolqT0N5+JmMqb/yWu1kjNmgN1mc=
Received: from MWHPR15MB1455.namprd15.prod.outlook.com (10.173.234.145) by MWHPR15MB1453.namprd15.prod.outlook.com (10.173.234.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.14; Wed, 29 Mar 2017 15:29:41 +0000
Received: from MWHPR15MB1455.namprd15.prod.outlook.com ([10.173.234.145]) by MWHPR15MB1455.namprd15.prod.outlook.com ([10.173.234.145]) with mapi id 15.01.0991.021; Wed, 29 Mar 2017 15:29:41 +0000
From: Subodh Iyengar <subodh@fb.com>
To: "Kaduk, Ben" <bkaduk@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: review comments on draft-rescorla-tls-subcerts-01
Thread-Index: AQHSqDH7PyVKA0g+FE+PQRPt34CgAaGrLbaF
Date: Wed, 29 Mar 2017 15:29:40 +0000
Message-ID: <MWHPR15MB1455C0846672F4D26073EFA7B6350@MWHPR15MB1455.namprd15.prod.outlook.com>
References: <11F20304-A244-4362-9042-E6CC3EDD304A@akamai.com>
In-Reply-To: <11F20304-A244-4362-9042-E6CC3EDD304A@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: akamai.com; dkim=none (message not signed) header.d=none;akamai.com; dmarc=none action=none header.from=fb.com;
x-originating-ip: [25.173.47.4]
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1453; 7:maqKroW5/SAT6ztCMLMFN4W8VcQdv7IblqyZEgeFnHAvEpWcUtAbW8yfOdlSmzL/8IAiimOzDhyvrJUqy/NK4EUK7ieq/UgS0La9OPb3QgFQ9oTdUL+UIR2cBX5Eom9Z5bSUiZmEzWo3DrusUZ/d7CSevMlc8ir5sF9ZXev98ad7wHylx01h0zZdfGjQhQo3i1Va3A4aiN4IT8ONpTX/LIL9F6OssBf/0EMxQxywsJHISfD4JIoEQUcDsdTrX9XZuhlg2hOdqe0UlOydV6EHV7tQrTTzs+o+Ml+R5fDGAfmZ+WCb00geAl7XLJY6g5BGDTV6seMZjrCnTKQ7738cqg==; 20:punjyxvi4FV8/XMfdrR6UycE56XHdNSQpZIif2Z7+hzAd0Tt8aZqPt0yBpJDYwUaGmipQGahAgWpf05dWLbiqZZ4mmyeel6duzzQZ70g8V73m+9n/qv3oW2DBrKDX87ISues8+RyCKkpwUk+907sb2fjX7Z0hzcK7UM92qkmSzE=
x-ms-office365-filtering-correlation-id: 89fa1782-1503-4bff-e32b-08d476b86b35
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081); SRVR:MWHPR15MB1453;
x-microsoft-antispam-prvs: <MWHPR15MB14535D29B27F29D302C94F01B6350@MWHPR15MB1453.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(10436049006162)(166708455590820);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006041)(93001041)(6041248)(20161123555025)(20161123562025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406075)(20161123558025)(20161123560025)(6072148); SRVR:MWHPR15MB1453; BCL:0; PCL:0; RULEID:; SRVR:MWHPR15MB1453;
x-forefront-prvs: 0261CCEEDF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39840400002)(39400400002)(39850400002)(39410400002)(51914003)(377454003)(66066001)(122556002)(2906002)(7736002)(230783001)(3280700002)(3660700001)(25786009)(6246003)(229853002)(575784001)(86362001)(38730400002)(2501003)(53546009)(99286003)(6606003)(77096006)(19627405001)(2900100001)(53936002)(5660300001)(74316002)(54896002)(55016002)(6306002)(6436002)(6506006)(606005)(236005)(7696004)(189998001)(3846002)(6116002)(9686003)(2950100002)(7906003)(8676002)(76176999)(102836003)(54356999)(33656002)(50986999)(8936002)(81166006); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1453; H:MWHPR15MB1455.namprd15.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB1455C0846672F4D26073EFA7B6350MWHPR15MB1455namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2017 15:29:40.7633 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1453
X-OriginatorOrg: fb.com
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-29_11:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GFqTAc-5Mm2evwmxiQ7uIDz3DbY>
Subject: Re: [TLS] review comments on draft-rescorla-tls-subcerts-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 15:29:59 -0000

Thanks for the comments Ben.


> We mentioned adding a NUL byte separator in the signature on the DelegatedCredential

Yup this is something we noticed during the hackathon interop that would definitely be helpful in an implementation and we should change it to have that. What we realized when we implemented it was that we ended up representing a delegated credential in code as a type of cert with a similar interface for verification and it would be useful to reuse the same verification code for TLS 1.3.


> Do we want to leave the valid SignatureSchemes as all that are defined, or mention the Recommended column in the registry, or narrow things even further?  In other words, should we give some guidance for how to select a scheme to use?

It's restricted to the ones that are supported by the client in TLS 1.3. I don't see TLS recommending signature algorithms to use beyond section 4.2.3 that "rsa_pkcs1_sha1, dsa_sha1, and ecdsa_sha1 SHOULD NOT be offered.". What kind of a recommendation would you like to see. Would love a pull request at https://github.com/ekr/tls-subcerts/pulls to get a general idea of what you would like to see.


Subodh

________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Kaduk, Ben <bkaduk@akamai.com>
Sent: Tuesday, March 28, 2017 7:12:58 PM
To: tls@ietf.org
Subject: [TLS] review comments on draft-rescorla-tls-subcerts-01

Getting these in email before my printout with red markings gets buried in a pile.

We mentioned adding a NUL byte separator in the signature on the DelegatedCredential (as well as some other potential tweaks to normalize the context strings elsewhere and here).

Do we want to leave the valid SignatureSchemes as all that are defined, or mention the Recommended column in the registry, or narrow things even further?  In other words, should we give some guidance for how to select a scheme to use?

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwICAg&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=c2n5STs7L3HaVUDLCexXj_71qQVn5w-ZUJ76hgi1PWs&s=o7UX4TmoWt7yZ-eFOM2nOkq8UJETS_S_szs-YPNjUmo&e=

v2.23.0 | Report a Bug | By Email