Re: [TLS] New draft: draft-solinas-tls-additional-prf-input-00.txt

Michael D'Errico <mike-list@pobox.com> Mon, 26 October 2009 15:21 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C1F63A697E for <tls@core3.amsl.com>; Mon, 26 Oct 2009 08:21:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VdcKNSHgRnH for <tls@core3.amsl.com>; Mon, 26 Oct 2009 08:21:28 -0700 (PDT)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id A969B3A6858 for <tls@ietf.org>; Mon, 26 Oct 2009 08:21:28 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 6A283685D6 for <tls@ietf.org>; Mon, 26 Oct 2009 11:21:41 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=YwrZIE1SLdez UsnkBkTJnimgTs4=; b=efiEFMClRY5sZHObhaE1x89WWhq91mnL4M6HGWTMS5yM r7vwxgsgZzVXpao+hULpXFKTEb5SKLFPycmBVsIdny1pWQX2GPVEPgA7OD2i7xDY SZ5ZNWauZBTzC2VKhIaqjv1iIkgqfVx8qIthGb88P89DFKVttYInFN46mQMAkHg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=uRc0eI TNNXMA04OlFneheNCeuWoDxmfFbq7GtUZdXzCkA6KyBrWEnjrCL1oeTnD2K3wt7P y6hkYCJ2eEn70VgDZ/xsJcxc5SJQHfI5qwBvi7eOe/H7PRW3ugKJiEgLiuLOnCoD GIXNTR5lExOlMZPUJVvrncmD2NdZe5IENUH5I=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 68777685D5 for <tls@ietf.org>; Mon, 26 Oct 2009 11:21:41 -0400 (EDT)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id 846BB685D4 for <tls@ietf.org>; Mon, 26 Oct 2009 11:21:40 -0400 (EDT)
Message-ID: <4AE5BEC8.40209@pobox.com>
Date: Mon, 26 Oct 2009 08:22:48 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <p0624087dc6efe84bcc54@[10.20.30.163]> <87bpkkd4tv.fsf@mocca.josefsson.org> <808FD6E27AD4884E94820BC333B2DB774E7F2F0022@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774E7F2F0022@NOK-EUMSG-01.mgdnok.nokia.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 4337360A-C243-11DE-91D9-1B12EE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Subject: Re: [TLS] New draft: draft-solinas-tls-additional-prf-input-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 15:21:30 -0000

I understand your concern, but the fact is that there is already an
unofficial extension mechanism available.  Simply create a private
cipher suite (first byte 0xFF) and then define your own formats for
ServerKeyExchange and ClientKeyExchange handshake messages to go
along with it.  This won't work if the client needs to send info
to the server first, though.

Mike


Pasi.Eronen@nokia.com wrote:
> I agree with Simon here that in the minimum, the extension should have
> a "type" field to ensure that if the recipient parses the information,
> it's using the same format as the sender. (Some other protocols use
> the Enterprise Number registry for "vendor specific" payloads, instead
> of creating a new FCFS registry.)
> 
> However, I'd like to re-iterate my earlier concern about the original
> draft-rescorla-tls-opaque-prf-input draft: this defines a basically
> general-purpose extension mechanism to TLS.
> 
> We already have a well-defined extension mechanism for TLS (TLS
> extensions), which would allow people to do exactly the sorts of
> things envisioned in Section 1.1. Its only "drawback" is that it
> requires going through the IETF process to obtain the IANA allocation,
> and thus publicly documenting what you're doing.
> 
> The main "feature" of this draft seems to be allowing "interesting"
> extensions without going through the IETF process, or even publicly
> documenting what you're doing.  I can certainly see that folks at NSA
> might be interesting in doing exactly such things, and they could have
> (in their opinion) good reasons.  And some other IETF protocols do
> indeed allow pretty much unlimited vendor extensibility (by e.g.
> allowing "Vendor Specific" payloads anywhere).
> 
> But if the WG decides that adding such extensibility to TLS is a good
> idea, I would predict that many folks will use this mechanism to
> define new TLS extension so that they can avoid the somewhat
> time-consuming process of consensus-building and standardization.
> 
> Many of the existing TLS extension could have been done by specifying
> suitably "structured" PRF inputs: client/server_authz, user_mapping,
> trusted_ca_keys, server_name, status_request, etc. (In these cases,
> it doesn't really matter if the input gets fed to PRF; the interesting
> part is adding a free-form payload to ClientHello/ServerHello without
> requiring an extension number from IANA.)
> 
> I know sevaral people have occasionally been frustrated that it's very
> difficult to extend TLS (since the requirements for IANA allocation
> are quite strict). Personally, I view this as a feature, and I think
> it has contributed to general interoperability of TLS/SSL -- it's
> generally viewed as a protocol that "just works" (compared to some
> other protocols which have large numbers of optional extensions, and
> it's very difficult to get implementations from different vendors
> to interoperate).
>  
> Best regards,
> Pasi 
> (not wearing any hats)
> 
>> -----Original Message-----
>> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
>> ext Simon Josefsson
>> Sent: 06 October, 2009 16:34
>> To: Paul Hoffman
>> Cc: tls@ietf.org
>> Subject: Re: [TLS] New draft: draft-solinas-tls-additional-prf-input-
>> 00.txt
>>
>> Paul Hoffman <paul.hoffman@vpnc.org>; writes:
>>
>>>> http://www.ietf.org/internet-drafts/draft-solinas-tls-additional-prf-
>> input-00.txt
>>> Greetings again. We would like to hear input on this draft from the
>>> TLS community. The basic idea is an extension that would allow the
>> two
>>> parties to give additional information that is directly mixed into
>> the
>>> master secret through the PRF.
>> The document seems fine to me.
>>
>> As far as I can tell, any implementation (including mine) of
>> draft-rescorla-tls-opaque-prf-input-00.txt would be compatible with
>> draft-solinas-tls-additional-prf-input-00.txt, and that is good.
>>
>> The two last examples in section 1.1 doesn't appear fully baked to me.
>> Quoting:
>>
>>   TLS servers may arrange for their clients to provide authentication
>>   data early in the protocol (such as an HMAC value computed over a
>>   fresh random value using a shared secret as the key) in order to
>>   authenticate the client as a member of a private network or as an
>>   additional means of mitigating the impact of a denial-of-service
>>   attack.
>>
>>   Implementors may want to provide a mechanism for relaying identity
>> and
>>   version information similar to the "Vendor ID Payload" used in ISAKMP
>>   [RFC2408].
>>
>> If these use-cases are intended to be realistic use-cases of the
>> extension (which doesn't seem clear to me), I believe the document
>> needs
>> more work: it should suggest a structure of the PRF data so that
>> servers
>> will understand what type of data the client sent.  Compare for example
>> how RFC 5077 suggests a format.  The document could even go further and
>> mandate a particular format, which would make the use-cases more likely
>> to interoperate, such as:
>>
>>      enum {
>>          entropy(0), (65535)
>>      } AdditionalPRFInputType;
>>
>>      struct {
>>          AdditionalPRFInputType type;
>>          opaque value<0..2^16-1>;
>>      } AdditionalPRFInput;
>>
>>      AdditionalPRFInput prfinputs<2..2^16-2>;
>>
>> The AdditionalPRFInputType could be a FCFS registry.  The intention
>> with
>> the "entropy" field is that it should contain random data with no
>> intended meaning, which appears to be the typical use-case.  Other
>> types
>> can be allocated to signal the two use-cases in the example if/when
>> needed.
>>
>> Alternatively, and considering the complexities in my proposed change,
>> I
>> would suggest that you remove other use cases than the one to provide
>> additional entropy to the MS key computation and say that there is only
>> one intended use-case for this extension.  If other use-cases of the
>> extension are important, they can be described in separate documents.
>>
>> Thanks,
>> /Simon
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>