IETF Logo Mail Archive

Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)

"Kampanakis, Panos" <kpanos@amazon.com> Wed, 16 February 2022 05:46 UTC

Return-Path: <prvs=039816789=kpanos@amazon.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6F8F3A0C84 for <tls@ietfa.amsl.com>; Tue, 15 Feb 2022 21:46:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.174
X-Spam-Level:
X-Spam-Status: No, score=-10.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.576, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4fT1L1fcJo8Z for <tls@ietfa.amsl.com>; Tue, 15 Feb 2022 21:46:17 -0800 (PST)
Received: from smtp-fw-80006.amazon.com (smtp-fw-80006.amazon.com [99.78.197.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE2823A0C62 for <tls@ietf.org>; Tue, 15 Feb 2022 21:46:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1644990377; x=1676526377; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=rxtaQuwgqJ6TDCc1jl1ec7CBYTY/mJgx4NoDgVxdusM=; b=YDLnd25X+2gMQmIYFNyEj8YOr92ZUwNE0dnuQesPgmzBAwtObe356+gu 8FR5qstTxM1yuGc1obfFTOJZnA7NL8wvIq+3PkoBO/YEJ+lQaCyzoPMhJ tkAhNDwUXUI+gbqSb8BE+wOJJWZMqOjKDQBHuRjmcDSJwwO/WOLqKJOiE w=;
X-IronPort-AV: E=Sophos;i="5.88,373,1635206400"; d="scan'208";a="63386076"
Thread-Topic: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO email-inbound-relay-pdx-2b-98c1c57e.us-west-2.amazon.com) ([10.25.36.214]) by smtp-border-fw-80006.pdx80.corp.amazon.com with ESMTP; 16 Feb 2022 05:46:01 +0000
Received: from EX13MTAUWB001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-pdx-2b-98c1c57e.us-west-2.amazon.com (Postfix) with ESMTPS id 06357A0668; Wed, 16 Feb 2022 05:46:01 +0000 (UTC)
Received: from EX13D01ANC002.ant.amazon.com (10.43.157.162) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.28; Wed, 16 Feb 2022 05:45:54 +0000
Received: from EX13D01ANC003.ant.amazon.com (10.43.157.68) by EX13D01ANC002.ant.amazon.com (10.43.157.162) with Microsoft SMTP Server (TLS) id 15.0.1497.28; Wed, 16 Feb 2022 05:45:47 +0000
Received: from EX13D01ANC003.ant.amazon.com ([10.43.157.68]) by EX13D01ANC003.ant.amazon.com ([10.43.157.68]) with mapi id 15.00.1497.028; Wed, 16 Feb 2022 05:45:47 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Index: AdghU4+EMFFuriJ+SLKnIIleOIJolAAItyGAAC6M1iA=
Date: Wed, 16 Feb 2022 05:45:47 +0000
Message-ID: <4a28a1fbfb3445cab4906d6266b3831e@EX13D01ANC003.ant.amazon.com>
References: <83f923185c3741ccb668826f5b11b0c3@EX13D01ANC003.ant.amazon.com> <YgoH5/zQS67JgexL@LK-Perkele-VII2.locald>
In-Reply-To: <YgoH5/zQS67JgexL@LK-Perkele-VII2.locald>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.157.155]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I7R8bD0uu4LkSeyYGwE1vOEMaac>
Subject: Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2022 05:46:22 -0000

Good comments, thank you Ilari. 

To answer your comments  

> 1) There are a few "shall" in the text. Should those be "SHALL"?

The two "shall" refer to draft-ietf-tls-tlsflags. Based on experience from previous drafts, we do not want to repeat normative language from another draft, so we kept them lowercase. We can still consider making them normative though. 


> 2) Section 3.2: "To prevent a failed TLS connection, a client could chose to not send its intermediates regardless of the flag from the server, if it has a reason to believe the issuing CAs do not exist in the server ICA list."
> ... Shouldn't the client send its intermediates if it thinks the server does not have them. 

You are right. Nit. We will fix it. I created issue https://github.com/csosto-pk/tls-suppress-intermediates/issues/5 for it. 


> 3) Why there are two flags? I do not see a case where both would be sent in the same message.

In the original draft there was only one. But we want for both the client and server (CertReq) to be able to signal to their peer to suppress CAs. draft-ietf-tls-tlsflags defines that the peer needs to acknowledge the flag, thus we needed one per direction. 


> 4) In WebPKI, there are some cornercases (constrained ICAs) where the client might be missing a certificate or certificates in the chain.
> Currently the WebPKI root program rules allow not disclosing "technically constrained" certificates (but there are plans to change this).

Good point. That has come up in discussions with my co-authors. As Martin was pointing out, a lot hinges on the semantics of the tls_flags bit.  We probably can say that it means "I have all the intermediates I am willing to accept".  That's a little too absolute for the web PKI as it stands. We don't have stats on how often we'd fail as a result; we would have to check but unconstrained intermediates probably isn't exceptional. The flag should probably say "I have all the *unconstrained* intermediates that I'm willing to accept" or maybe "I have all the intermediates from that I'm willing to accept, unless it's the WebPKI and then I only have unconstrained intermediates"' 

But if MSRP 2.8 adds constrained intermediates, then "I have all the intermediates I am willing to accept" may just suffice. 

I created issue https://github.com/csosto-pk/tls-suppress-intermediates/issues/6  for this.


> 5) In the client auth scenario, the server might have exhaustive list of all issuing ICAs it accepts, so including any ICAs is never necressary. However, this might be handled even currently by not giving the client a chain. However, doing this in other direction can be quite dangerous without prior agreement.

I am not sure I am following that argument. If the client does not have a chain what happens if the server does not have all intermediates?

By quite dangerous do you mean that if they have not pre-agreed on the ICA list there could be an auth failure and recovery will not be easy because the server can't track the clients it is expecting ICAs from? Am I getting you right? 




-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Ilari Liusvaara
Sent: Monday, February 14, 2022 2:43 AM
To: tls@ietf.org
Subject: RE: [EXTERNAL] [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



On Mon, Feb 14, 2022 at 03:33:05AM +0000, Kampanakis, Panos wrote:
> Hi TLS WG,
>
> This draft draft-kampanakis-tls-scas-latest is attempting to resurrect 
> Martin’s original draft-thomson-tls-sic. It proposes using two new TLS
> 1.3 flags (draft-ietf-tls-tlsflags ) to signal to the TLS server or 
> client to not send its Intermediate CA (ICA) certificates.
>
> Feedback and discussion are welcome.
>
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Sunday, February 13, 2022 2:34 PM
> To: Bas Westerbaan <bas@cloudflare.com>; Bytheway, Cameron 
> <bythewc@amazon.com>; Martin Thomson <mt@lowentropy.net>; Kampanakis, 
> Panos <kpanos@amazon.com>
> Subject: [EXTERNAL] New Version Notification for 
> draft-kampanakis-tls-scas-latest-00.txt
>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
>
>
>
> A new version of I-D, draft-kampanakis-tls-scas-latest-00.txt
> has been successfully submitted by Panos Kampanakis and posted to the IETF repository.
>
> Name:           draft-kampanakis-tls-scas-latest
> Revision:       00
> Title:          Suppressing CA Certificates in TLS 1.3
> Document date:  2022-02-13
> Group:          Individual Submission
> Pages:          10
> URL:            https://www.ietf.org/archive/id/draft-kampanakis-tls-scas-latest-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-kampanakis-tls-scas-latest/
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-kampanakis-tls-scas-latest
>

Some quick comments:

1) There are a few "shall" in the text. Should those be "SHALL"?

2) Section 3.2:

"To prevent a failed TLS connection, a client could chose to not send its intermediates regardless of the flag from the server, if it has a reason to believe the issuing CAs do not exist in the server ICA list."

... Shouldn't the client send its intermediates if it thinks the server does not have them.

3) Why there are two flags? I do not see a case where both would be sent in the same message.

4) In WebPKI, there are some cornercases (constrained ICAs) where the client might be missing a certificate or certificates in the chain.
Currently the WebPKI root program rules allow not disclosing "technically constrained" certificates (but there are plans to change this).

5) In the client auth scenario, the server might have exhaustive list of all issuing ICAs it accepts, so including any ICAs is never necressary. However, this might be handled even currently by not giving the client a chain. However, doing this in other direction can be quite dangerous without prior agreement.



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email