Re: [TLS] [re-send] draft-ietf-tls-exported-authenticator IESG review
Sean Turner <sean@sn3rd.com> Fri, 22 October 2021 01:43 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EEB33A0888 for <tls@ietfa.amsl.com>; Thu, 21 Oct 2021 18:43:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CqnMKo0BRksn for <tls@ietfa.amsl.com>; Thu, 21 Oct 2021 18:43:47 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AD153A087F for <tls@ietf.org>; Thu, 21 Oct 2021 18:43:47 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id r17so2253326qtx.10 for <tls@ietf.org>; Thu, 21 Oct 2021 18:43:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iS25ARXqb6964wd50HxFue1jtI1SouQXGVrp/9cMH2w=; b=Z2UR9pb1sm1qPNtloGWq/MNosio86IbC/EZ+0CZ8ibBBMwb/N6nVT7N5+HyrZdIOLP 9Tn5sBx2FkBeuzqX6+8nLzsCWrKKbJq9atQXXjDQ9IuS4BbJuE42QaDuLN4FzCl86X1g /SaYwlRdd+l+K6NGGSsYqYhpkBkSv6PNdZ9Ck=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iS25ARXqb6964wd50HxFue1jtI1SouQXGVrp/9cMH2w=; b=iFWDvBzRdTqTqEToqYfjkVGufLgVp1bBDIohmVz8IzR6tFJVslAQftvl0IL+P4Rnvc VZajnKeFTjn4WqjvNOEZN2E/qenPvd8q7iTSfM5Ij3gAjtqQE1g0S4A5JJKW7RgP6RQM XqJ2fWVVtKWuCz5/tgE31ldXt22OJON8Fru2pqNgcB8oaoTt6E+7ZlCrcuGPiIHGNToc s+nteOaqZK2WsQluR1ayhfSg5m53tiiw2K8iRl+D7IlUJc5IYm8gjo202PVqiTawIURo FaCwFxNT9ZC51co7IYo0vCdvEY+lp+Kw9OzV6Gbq/e62CAoPYX4sQyr7/UxDUgPiSjt2 zoHA==
X-Gm-Message-State: AOAM532FEWKt4lePFBwPPg77SlpHkQCtswM3mVbWSGlPvdC5H2JBn8M5 9ba7vmM44gm3DAcvPNoe5WxHMgtxr6K1Jw==
X-Google-Smtp-Source: ABdhPJz9diOO/YzBjJGoMsc3NcAFV2gnKliRYnVsM+1YZtnKflEvvE2xlK9CdkYbC3q/IYqXh26F8Q==
X-Received: by 2002:a05:622a:1c8:: with SMTP id t8mr10181507qtw.72.1634867025339; Thu, 21 Oct 2021 18:43:45 -0700 (PDT)
Received: from smtpclient.apple (pool-71-178-177-131.washdc.fios.verizon.net. [71.178.177.131]) by smtp.gmail.com with ESMTPSA id y23sm3224625qtv.58.2021.10.21.18.43.44 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Oct 2021 18:43:44 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <5BC8D8CC-16F4-47FA-A118-7F7C65AE4F28@sn3rd.com>
Date: Thu, 21 Oct 2021 21:43:43 -0400
Cc: TLS Chairs <tls-chairs@ietf.org>, Jonathan Hoyland <jhoyland@cloudflare.com>, Nick Sullivan <nick@cloudflare.com>, The IESG <iesg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9F98AEE1-B1F5-4F1B-A942-876A543FD8F9@sn3rd.com>
References: <CAFDDyk-TQaoyAnc7tzD83_k1y5FO9cJ-kGimqB4rGr6kO66vhA@mail.gmail.com> <5BC8D8CC-16F4-47FA-A118-7F7C65AE4F28@sn3rd.com>
To: TLS List <tls@ietf.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HpDpcQ-AQaWI6qy1xiSST3Ob8I8>
Subject: Re: [TLS] [re-send] draft-ietf-tls-exported-authenticator IESG review
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2021 01:43:52 -0000
Apologies I meant 29 October 2021 2359 UTC > On Oct 21, 2021, at 21:34, Sean Turner <sean@sn3rd.com> wrote: > > Hi! It’s a been awhile since Nick proposed how to resolve the IESG comments. To get the I-D moving again, I would like to propose the following and unless I hear otherwise by 29 November 2021 2359 UTC it is what we will do: > > - For the 1st two, we accept Nick's suggestion, i.e., no change (these were IESG comments after all). > > - For the 3rd, we work with Jonathan’s two options in [1]. Expect an email shortly. > > - For the 4th, I would like to split the difference between the new text in the I-D and adding a new comments column by augmenting PR#74 to make the added text a note that appears at the before the table. That way, the text is in our doc and in the IANA registry. I have included this as a review comment in the PR [2], but also included here for convenience: > > In s8.1 add: > > IANA is also requested to add the following note to the registry: > > The addition of the "CR" to the "TLS 1.3" column for the server_name(0) extension does not authorize the use of this extension in authenticator CertificateRequests or handshake CertificateRequests, only > ClientCertificateRequest created as part of client-generated authenticator requests. > > > Effectively, for the outstanding PRs [3] that means the following: > - PR#71 close (included as part of 74) > - PR#74: merge after checking amendment to make text a registry note > - PR#75: close (addressed via #74) > - PR#76: discuss > > Cheers, > spt > > [1] https://mailarchive.ietf.org/arch/msg/tls/FovH210wjIxb4qpArF6HiHALy-I/ > [2] https://github.com/tlswg/tls-exported-authenticator/pull/74 > [3] https://github.com/tlswg/tls-exported-authenticator/pulls > >> On Aug 23, 2021, at 19:28, Nick Sullivan <nick@cloudflare.com> wrote: >> >> Hello TLSWG and IESG reviewers, >> >> This is a compendium of responses to the various reviews of the >> document. There are a few remaining open questions to address that I >> hope we can resolve in this thread. >> >> I’ve compiled the changes to the document in response to the comments in Github: >> https://github.com/tlswg/tls-exported-authenticator/pull/74 >> >> Responses welcome! >> >> ===== >> >> Open questions for debate >> >> Should we define an optional API to generate the certificate_request_context? >> [ns] Proposed solution: no, let the application decide >> >> Should we remove the SHOULDs in Section 7, as they have little to do >> with interoperability? >> [ns] Proposed solution: leave the text as is. >> >> Are there any security issues caused by the fact that the Exported >> Authenticator is based on the Exporter Secret, which does not >> incorporate the entire transcript: >> >> Using an exporter value as the handshake context means that any client >> authentication from the initial handshake is not cryptographically >> digested into the exporter value. In light of what we ran into with >> EAP-TLS1.3, do we want to revisit whether we're still happy with that? >> We should in practice still benefit from the implicit confirmation that >> anything the server participates in after receiving the Client Finished >> means the server properly validated it and did not abort the handshake, >> but it's a bit awkward, especially since the RFC 8446 post-handshake >> authentication does digest the entire initial handshake transcript. >> Would we feel any safer if an exporter variant was available that >> digested the entire initial handshake transcript and we could use that? >> >> [ns] This is a very good question. I didn’t follow the EAP-TLS1.3 >> issue closely, but this does seem to imply an imperfect match with >> post-handshake authentication in the case of mutually authenticated >> connections. I would like to suggest that Jonathan Hoyland (cc'd), who >> did the formal analysis on the protocol, provide his input. >> >> A comment from Yaron Scheffer/Benjamin Kaduk on the IANA considerations: >> >> My understanding is that the intent of this document is to only allow >> "server_name" to appear in the ClientCertificateRequest structure that >> otherwise uses the "CR" notation in the TLS 1.3 column of the TLS >> ExtensionType Values registry, but not to allow for "server_name" in >> authenticator CertificateRequests or handshake CertificateRequests. >> Assuming that's correct, the easiest way to indicate that would be if >> there was a "Comment" column in the registry that could say "only used >> in ClientCertificateRequest certificate requests and no other >> certificate requests", but there is not such a column in the registry. >> I think it could also work to be much more clear in the IANA >> considerations of this document as to why the "CR" is being added and >> what restrictions there are on its use, even if that's not quite as >> clean of a solution. >> >> [ns] Proposed solution: >> Add text to section 8.1 to clarify why the CR is being added and what >> restrictions there are to its use, as is done in >> https://github.com/tlswg/tls-exported-authenticator/pull/74. >> Alternate solution: >> Propose a new column, as done in >> https://github.com/tlswg/tls-exported-authenticator/pull/75 >> >> ===== >> >> Comments and responses >> >> Proposals to address IESG comments below are here: >> https://github.com/tlswg/tls-exported-authenticator/pull/74 >> >> Martin Duke (No Objection): >> >> - I come away from this not being entirely sure if this document applies to >> DTLS or not. There is the one reference in the intro to DTLS, but it's not in >> the abstract, nor anywhere else. Assuming that the Sec. 1 reference is not some >> sort of artifact, the document would benefit from a liberal sprinkling of >> 's/TLS/(D)TLS' (but this would not apply to every instance) >> >> [ns] DTLS does not explicitly define a post-handshake authentication, >> so not all references made sense to update, but I updated all the >> relevant references. >> >> - If (D)TLS 1.2 is REQUIRED to implement, then does this document not update >> those RFCs? >> >> [ns] It doesn’t change existing versions of (D)TLS and it is not >> mandatory to include this functionality, so I don’t think that it >> updates them. It’s a separate and optional feature built on top of >> TLS. In any case, the text is changed to make it explicit that this is >> a minimum requirement. >> >> NITS: >> >> - Sec 1. I think you mean Sec 4.2.6 of RFC 8446, not 4.6.3. >> [ns] It’s actually neither, it’s 4.6.2. Sec. 4.2.6 defines the >> extension that the client uses to advertise support for post-handshake >> authentication. >> >> - Sec 4 and 5. "use a secure with..." ? >> [ns] Added “transport” >> >> - Sec 4. s/messages structures/message structures >> [ns] Fixed >> >> >> >> >> Erik Kline's No Objection >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> [ sections 4 & 5 ] >> >> * "SHOULD use a secure with" -> >> "SHOULD use a secure communications channel with" or >> "SHOULD use a secure transport with" or something? >> [ns] Fixed in previous change >> >> * "as its as its" -> "as its" >> [ns] Fixed >> >> [ section 5.2.3 ] >> >> * I think the first sentence of the first paragraph may not be a >> grammatically complete sentence? >> [ns] Fixed >> >> [ section 7 ] >> >> * "following sections describes APIs" -> >> "following sections describe APIs" >> [ns] Fixed >> >> >> Francesca Palombini's No Objection >> Thank you for the work on this document, and thank you to the doc shepherd for >> the in-depth background. Please find some comments below. >> >> Francesca >> >> 1. ----- >> >> TLS (or DTLS) version 1.2 [RFC5246] [RFC6347]. or later are REQUIRED >> to implement the mechanisms described in this document. >> >> FP: Does this mechanism applies to DTLS as well? The sentence above, the >> normative reference to DTLS 1.2, and the IANA section 8.2 would imply so. >> However, this is the only time DTLS is mentioned in the body of the document, >> excluding IANA considerations. I would like it to be made explicit that this >> mechanism can be used for DTLS (if that's the case) both in the abstract and in >> the introduction, add any useful considerations about using this mechanism with >> DTLS vs TLS, and possibly add a sentence in the introduction stating that DTLS >> 1.X uses what specified for TLS 1.X. Two examples of why that would be useful >> are the following sentences: >> >> using an exporter as described in Section 4 of [RFC5705] (for TLS >> 1.2) or Section 7.5 of [TLS13] (for TLS 1.3). For TLS 1.3, the >> >> "signature_algorithms" and "signature_algorithms_cert" extension, as >> described in Section 4.2.3 of [TLS13] for TLS 1.3 or the >> "signature_algorithms" extension from Sections 7.4.2 and 7.4.6 of >> [RFC5246] for TLS 1.2. >> >> which makes it clear what applies for TLS but not for DTLS. >> >> [ns] Fixed in previous change >> >> >> 2. ----- >> >> used to send the authenticator request SHOULD use a secure with >> equivalent security to TLS, such as QUIC [QUIC-TLS], as its as its >> >> FP: What are the implications of not using such a secure transport protocol? >> Why is it just RECOMMENDED and not MANDATED? nits: missing word "use a secure >> with" ; remove one of the duplicated "as its". (Note: this text appears again >> with the same typos for the authenticator in section 5) >> >> [ns] There are no known security implications of using an insecure >> transport here, just privacy implications. This point was debated on >> list (see Yaron Sheffer’s comments) and it was agreed that because >> there may be alternate deployment scenarios that involve transport >> outside the original tunnel, TLS-equivalent security is not a mandated >> requirement. Typos fixed in previous change. >> >> >> 3. ----- >> >> extensions (OCSP, SCT, etc.) >> >> FP: Please consider adding informative references. >> >> [ns] Added >> >> Zaheduzzaman Sarker's No Objection >> >> Thanks for the work on this document. I found it well written and I have minor >> comments and Nits >> >> Comment : >> * As this document asked for a IANA registration entry with DTLS-OK, hence >> this mechanism is OK to be used with DTLS. I understand the heavily >> references to TLS 1.3 as it relay on the mechanisms described there. However, >> I found it odd not find any reference to DTLS1.3 (we had it on the last >> formal IESG telechat, it is quite ready to be referenced). Is this >> intentional? is it supposed to be that this mechanism defined in this >> document on can be used with DTLS1.2? >> >> [ns] This was a common concern, the text has been updated. >> >> * Section 7.3 & 7.4: is "active connection" defined somewhere? it would be >> good if some descriptive texts are added for clarification as done for the >> other bullets in the same list. >> >> [ns] Wording adjusted. >> >> * For the API considerations I was expecting a API to generate the >> certificate_request_context. >> >> [ns] An API would likely just return a random number, which isn’t very >> useful. Not defining such an API gives the application freedom to >> choose to use this value in some other way. I don’t have strong >> opinions either way. >> >> >> Nits: >> * Post-handshake authentication is not defined in section 4.6.3 of TLS 1.3 >> [ns] Updated in prior change. >> * Section 4 & 5: likely copy paste error -- s/as its as its/as its >> [ns] Updated in prior change. >> >> Lars Eggert's No Objection >> >> All comments below are very minor change suggestions that you may choose to >> incorporate in some way (or ignore), as you see fit. There is no need to let me >> know what you did with these suggestions. >> >> Section 1, paragraph 9, nit: >> - TLS (or DTLS) version 1.2 [RFC5246] [RFC6347]. or later are REQUIRED >> - - - >> + TLS (or DTLS) version 1.2 [RFC5246][RFC6347] or later are REQUIRED >> [ns] Updated >> >> >> Éric Vyncke's No Objection >> >> Thank you for the work put into this document. >> >> Please find below some non-blocking COMMENT points (but replies would be >> appreciated), and some nits. >> >> I hope that this helps to improve the document, >> >> Regards, >> >> -éric >> >> == COMMENTS == >> >> I am trusting the WG and the responsible AD for ensuring that the specific >> section in references are the correct ones. >> >> -- Section 2 -- >> Unsure where the "terminology" part is... >> >> Also, should "Client" and "Server" be defined here ? Reading section 3, I am >> still unsure whether the "client" and "server" are the "TLS client" and "TLS >> server" ... >> >> In the same vein, a small figure with all parties involved would be welcome by >> the reader. >> >> [ns] Terminology updated to reference the terms in TLS 1.3. There are >> only two parties in this protocol, so I’m not sure a diagram will >> help. >> >> == NITS == >> >> In some places, 'TLS13' is used as an anchor rather than 'RFC8446'. >> [ns] Corrected. >> >> Sometimes, the document uses 'octet' and sometimes 'bytes'. >> [ns] Interesting. This is likely an oversight due to RFC 8446’s use of >> both terms. I’ve adjusted the text to try to be more consistent with >> that document (octets for on-the-wire, bytes for string values). >> >> -- Section 1 -- >> Spurious '.' in the last §. >> [ns] Fixed in previous change. >> >> -- Section 4 -- >> "as its as its" ? >> [ns] Fixed in previous change. >> >> >> Ben Kaduk's IESG review + Yes >> >> You can view, comment on, or merge this pull request online at: >> https://github.com/tlswg/tls-exported-authenticator/pull/73 >> Commit Summary >> Editorial suggestions from IESG review >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I've made some (mostl) editorial suggestions in a github PR: >> https://github.com/tlswg/tls-exported-authenticator/pull/73 >> >> Despite the overall YES ballot, I do have some substantive comments that >> may be worth some further consideration. >> >> Do we want to give any insight or examples into how an application might >> choose to use the certificate_request_context? >> >> [ns] I put a proposed line here. >> >> Thanks to Yaron Sheffer for the multiple secdir reviews. My >> understanding is that the intent of this document is to only allow >> "server_name" to appear in the ClientCertificateRequest structure that >> otherwise uses the "CR" notation in the TLS 1.3 column of the TLS >> ExtensionType Values registry, but not to allow for "server_name" in >> authenticator CertificateRequests or handshake CertificateRequests. >> Assuming that's correct, the easiest way to indicate that would be if >> there was a "Comment" column in the registry that could say "only used >> in ClientCertificateRequest certificate requests and no other >> certificate requests", but there is not such a column in the registry. >> I think it could also work to be much more clear in the IANA >> considerations of this document as to why the "CR" is being added and >> what restrictions there are on its use, even if that's not quite as >> clean of a solution. >> >> [ns] I agree that this is an open question. >> >> Section 1 >> >> multiple identities - Endpoints that are authoritative for multiple >> identities - but do not have a single certificate that includes >> all of the identities - can authenticate additional identities >> over a single connection. >> >> IIUC this is only new functionality for server endpoints, since client >> endpoints can use different certificates for subsequent post-handshake >> authentication events. >> >> [ns] Correct. >> >> TLS (or DTLS) version 1.2 [RFC5246] [RFC6347]. or later are REQUIRED >> to implement the mechanisms described in this document. >> >> Please clarify whether this is a minimum TLS version required for using >> EAs, or that this is a binding requirement on implementations of the >> named protocol versions. (If the latter is intended we may have some >> discussions about an Updates: tag...) >> >> [ns] I meant “minimum version of 1.2” and have changed the text to reflect this. >> >> Section 5.1 >> >> Using an exporter value as the handshake context means that any client >> authentication from the initial handshake is not cryptographically >> digested into the exporter value. In light of what we ran into with >> EAP-TLS1.3, do we want to revisit whether we're still happy with that? >> We should in practice still benefit from the implicit confirmation that >> anything the server participates in after receiving the Client Finished >> means the server properly validated it and did not abort the handshake, >> but it's a bit awkward, especially since the RFC 8446 post-handshake >> authentication does digest the entire initial handshake transcript. >> Would we feel any safer if an exporter variant was available that >> digested the entire initial handshake transcript and we could use that? >> >> [ns] Addressed in the open question section above. >> >> >> Section 5.2.1 >> >> Certificates chosen in the Certificate message MUST conform to the >> requirements of a Certificate message in the negotiated version of >> TLS. In particular, the certificate chain MUST be valid for the >> signature algorithms indicated by the peer in the >> "signature_algorithms" and "signature_algorithms_cert" extension, as >> described in Section 4.2.3 of [TLS13] for TLS 1.3 or the >> "signature_algorithms" extension from Sections 7.4.2 and 7.4.6 of >> [RFC5246] for TLS 1.2. >> >> This seems awkward. Do "the requirements of a Certificate message in >> the negotiated version of TLS" include the actual message structure? >> Because the rest of the document suggests that we always use the TLS 1.3 >> Certificate, but this line would set us up for using a TLS 1.2 >> Certificate. >> >> [ns] They do not include the actual message structure. The constraints >> are about the certificate_list. I’ve updated the text. >> >> >> START >> >> >> Also, per §1.3 of RFC 8446, "signature_algorithms_cert" also applies to >> TLS 1.2, so the last sentence seems incorrect or at least incomplete. >> >> [ns] Updated >> >> Section 5.2.1 >> >> Otherwise, the Certificate message MUST contain only extensions >> present in the TLS handshake. Unrecognized extensions in the >> authenticator request MUST be ignored. >> >> At least the first sentence seems redundant with the previous section >> (but I did not propose removing this in my editorial PR). The second >> sentence arguably follows from the RFC 8446 requirements, though I don't >> mind mentioning it again as much as I do for the first sentence. >> >> [ns] I don’t mind being explicit here considering there was some >> confusion about this previously. >> >> Section 5.2.2 >> >> The authenticator transcript is the hash of the concatenated >> Handshake Context, authenticator request (if present), and >> Certificate message: >> >> Hash(Handshake Context || authenticator request || Certificate) >> >> Where Hash is the authenticator hash defined in section 4.1. If the >> authenticator request is not present, it is omitted from this >> construction, i.e., it is zero-length. >> >> This construction is injective, because the handshake messages start >> with a message HandshakeType. Should we say so explicitly in the >> document? >> >> [ns] I’m not sure I understand what injective means in this context or >> how it helps the reader. >> >> If the party that generates the exported authenticator does so with a >> different connection than the party that is validating it, then the >> Handshake Context will not match, resulting in a CertificateVerify >> message that does not validate. This includes situations in which >> the application data is sent via TLS-terminating proxy. Given a >> failed CertificateVerify validation, it may be helpful for the >> application to confirm that both peers share the same connection >> using a value derived from the connection secrets before taking a >> user-visible action. >> >> Is it safe to reuse the Handshake Context itself as the "value derived >> from the connection secrets"? >> >> [ns] Yes, it should be safe. Updated. >> >> Section 7.4 >> >> It returns the identity, such as the certificate chain and its >> extensions, and a status to indicate whether the authenticator is >> valid or not after applying the function for validating the >> certificate chain to the chain contained in the authenticator. >> >> I strongly recommend not returning the identity in the case when >> validation fails. >> >> [ns] Fair. Updated. >> >> The API should return a failure if the certificate_request_context of >> the authenticator was used in a previously validated authenticator. >> >> Is the intent for this to be a "distinct previously validated >> authenticator" (i.e., that the API returns the same value when given the >> same inputs subsequently)? That does not seem to be the meaning >> conveyed by the current text. >> >> [ns] Yes, this is about distinct validators. Updated. >> >> Section 8.2 >> >> IANA is requested to add the following entries to the registry for >> Exporter Labels (defined in [RFC5705]): "EXPORTER-server >> authenticator handshake context", "EXPORTER-client authenticator >> finished key" and "EXPORTER-server authenticator finished key" with >> >> Don't we also need "EXPORTER-client authenticator handshake context"? >> >> [ns] Yes, added. >> >> Section 9 >> >> I think we should more explicitly incorporate the TLS 1.3 security >> considerations by reference. >> >> [ns] Yes. >> >> Section 11.1 >> >> I don't think [QUIC-TLS] or RFCs 7250 and 7540 are normative references. >> >> [ns] Updated >> >> >> Murray Kucherawy's No Objection >> >> Why are the SHOULDs in Section 4 only SHOULDs? Why might an implementer >> reasonably not do what this says? >> >> [ns] Addressed after discussion on list and in reply above. >> >> Similarly, the SHOULDs in Section 7 seem awkward, as they have little to do >> with interoperability. >> >> [ns] It’s true that this is about interoperability. I’m open to >> changing these to lower-case shoulds since they reflect implementation >> recommendations rather than interoperability. >> >> - Nick >
- [TLS] [re-send] draft-ietf-tls-exported-authentic… Nick Sullivan
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Jonathan Hoyland
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Sean Turner
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Sean Turner
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Sean Turner
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Salz, Rich
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Nick Sullivan
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Sean Turner
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Salz, Rich
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Sean Turner
- Re: [TLS] [re-send] draft-ietf-tls-exported-authe… Stefan Hagen