Re: [TLS] Reminders

Eric Rescorla <ekr@rtfm.com> Mon, 11 July 2016 15:35 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9614612D59A for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 08:35:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4E7xise5sISH for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 08:35:02 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5850912D563 for <tls@ietf.org>; Mon, 11 Jul 2016 08:35:02 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id b72so95818989ywa.3 for <tls@ietf.org>; Mon, 11 Jul 2016 08:35:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Wp0pGu9T/SQmbEGtT0DPbOVlNDatlXWnJZr/iY+4vFw=; b=OzDOKQ3tebllqB5RkAVEXUcUWk+zEmaAENypYfAKT/txZAWlmCX3i2SU310sQ4IdZK /YFam7oaZqfYJBNY5Jv2mSQ4R9Od+4EdRnm65rNykXwYxgq3Qr3swNGJUjG9n3c2LvyC vsITGsSoKK37jQbMTynOOJKxI8vu2x7yovs5G34XLAfnLen68UhXj0udMUWNyVTP6psq 3KD4t+DstSvEPp45V+YdbfQrO831dEq8xCKzrWVP+3CKW2hoHsqp5uvp6Zpr+dcdyAak mnUcDDnZkq7t3KMVgUT44beNovAl/uER5dIe4hBgV+F/F3NCXE2LCMz0oZvTNmn4iF7H AuGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Wp0pGu9T/SQmbEGtT0DPbOVlNDatlXWnJZr/iY+4vFw=; b=eHPfKB+N7d/4Xj4a2ObQ66D0QRuXRB0cFdc0k9U4qp4TwwFQVJh9hctPYNjy9CjNlJ iKHiGNqdkiHfJUb9WQu57UQGSKvNxMYKVwsOH3tAq/0S5f0W9O8vvvg7tCmQmE/lwKZA fsBK+CM7HF9yYZW05Vk3cy/eWv7Gu5qAzyv2T048QbKhc8n/6ONY+57j6yksX4dGVVQe SiSsImN9sNcEIi5uqSP2G2mfp0DSWsgTHSyaObXqOyc+7c/CMWfliqMyXuiFjFeoiGAQ kl7T6KDMAGLUcypB6VcJwWQoZXQhdAebI/Us533nqCr2Ul0KG9iKdhl8ZRU4o3dcRnBO vQYg==
X-Gm-Message-State: ALyK8tIEN8Tm7KdJ74gxGojLp8g7GVqxa9sg53hQlLO5eZehP9QM2yjInZm2T1my3fJaEUIuzHeJkUoJejzY1g==
X-Received: by 10.13.199.68 with SMTP id j65mr14109751ywd.289.1468251301637; Mon, 11 Jul 2016 08:35:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.152.13 with HTTP; Mon, 11 Jul 2016 08:34:22 -0700 (PDT)
In-Reply-To: <CACsn0c=Svk3Kzcd6x-8z25+2Vv6nFO938hNfQxrBctcbKOuE6A@mail.gmail.com>
References: <47E3268E-46F0-4308-88EA-250042EF2B80@sn3rd.com> <CACsn0c=Svk3Kzcd6x-8z25+2Vv6nFO938hNfQxrBctcbKOuE6A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 11 Jul 2016 08:34:22 -0700
Message-ID: <CABcZeBP-qfKSbq+WJg71Pz__ng+fozu1voZqddy8MsrPRy1YpA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=001a114dfc4a469e9805375de52b
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IRzT2nTSDFbfyT6OtfPym-cJaqM>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Reminders
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 15:35:04 -0000

I agree with Watson's assessment here. This seems like the wrong design
choice.

I'm not familiar with OpenSSL's cert selection, but I don't believe that
the issue
that this change is intended to address applies to NSS, for two reasons:

1. NSS does cert selection during client hello processing [0].
http://searchfox.org/mozilla-central/source/security/nss/lib/ssl/ssl3con.c#9569

2. Unless I misunderstand the design of cached-info, all the server needs
to have is the digest of the serialized chain and it could store that at
the time
that it configures the cert (or first uses it). This seems like quite a
small burden.

I believe the prior design was superior.

-Ekr









On Mon, Jul 11, 2016 at 8:07 AM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Mon, Jul 11, 2016 at 7:27 AM, Sean Turner <sean@sn3rd.com> wrote:
> > Hi,
> >
> > Just wanted to remind everybody that we’ve got two non-TLS1.3 items
> we’re looking for WG input on:
> >
> > - Before 12 July, we’d like to know your thoughts about progressing
> draft-ietf-tls-pwd (Watson and ekr responded):
> > https://mailarchive.ietf.org/arch/msg/tls/WrNa7PXTZn2ZhfmoQDA_pnUVuN4
> >
> > - Before 14 July, we’d like to know your thoughts on the proposed AUTH48
> proposed changes (nobody has commented on this):
> > https://mailarchive.ietf.org/arch/msg/tls/aBvqMG7t8qkO5rPt-xaMHipuBVk
>
> I don't like the AUTH48 changes. I understand the need for changing to
> MAY, but the proposed method of distinguishing offends my
> sensibilities. Overloading the length field is just ugly.
>
> >
> > spt
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>