Re: [TLS] post-handshake auth: multiple CertificateRequests, fewer replies?
David Benjamin <davidben@chromium.org> Tue, 13 December 2016 22:37 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5423A129BD2 for <tls@ietfa.amsl.com>; Tue, 13 Dec 2016 14:37:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.595
X-Spam-Level:
X-Spam-Status: No, score=-5.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZryzQdLJq0Sw for <tls@ietfa.amsl.com>; Tue, 13 Dec 2016 14:37:18 -0800 (PST)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30862129C25 for <tls@ietf.org>; Tue, 13 Dec 2016 14:37:16 -0800 (PST)
Received: by mail-qk0-x231.google.com with SMTP id n204so1492725qke.2 for <tls@ietf.org>; Tue, 13 Dec 2016 14:37:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=dgFS8c0hT5K6rtw//wpJHsK52hnHNklu+iTdVzoBuj8=; b=RMbvNDB8QNfYPzFunnZCzyxqWXjQ6WHu5BZjtCT3Ta6GD7OCSeP2ykKp2HdnzMTUPa ObhLzHlYjhiaIhz2bl1yE836J4Rr6kVTROo/sKz9/XBxIbzRUP8mDkav6cLH2G7XTsV7 NCdMwPqLk8tg4hfbkHolX8R4qP7yv62uv/tnQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=dgFS8c0hT5K6rtw//wpJHsK52hnHNklu+iTdVzoBuj8=; b=VjJlJO48ZTj2SoY9cgABo/0U3GfvHeWkBBhsDDlA2dj4hTMwnx01QDvQTzmUxdOrTI qVugucetbzLYUC+4kdrxnVT8D3iOoq8XnQ0ppuyQnfgyEHkGDaQqidvPUduYi+Iu9Lip MqKJ1gfZe88e30K0FvV4BFe5cO80E5PUfidLG+Cx7Vdk9elgeiJMnBhCFEqN404YgY6G qAimRphcMsNOMnPP9T9J6lQdK3kXZCB2xMMu/8xgRyIeXP8rnCTOFnx6s5qdtWqg8fiY qI7UWNLubT7DZTna6odEPz+5K8wZvZabbkcweBKkzunQSOiti2c6YEODeP/t7N/PVpyp eOyw==
X-Gm-Message-State: AKaTC00LvIvJeZSGRshKtp17LcyZKvX27qccWiMaAV1VyZ4bqyXcMMAEWIJkMeDJoSvXyiQr8bS95DT+tYbaUbDk
X-Received: by 10.55.17.143 with SMTP id 15mr97903585qkr.297.1481668635108; Tue, 13 Dec 2016 14:37:15 -0800 (PST)
MIME-Version: 1.0
References: <3878b60e-5ddd-f668-5ff8-5042bc7d9118@akamai.com>
In-Reply-To: <3878b60e-5ddd-f668-5ff8-5042bc7d9118@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 13 Dec 2016 22:37:04 +0000
Message-ID: <CAF8qwaA6+z7tFT99wWhr7zSwrSRXYJcULf3K8iZOXbQ2dEaWUQ@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113aca34ac2102054391dc37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Iw7NUc9OPq11k6riKftQXTBBeo0>
Subject: Re: [TLS] post-handshake auth: multiple CertificateRequests, fewer replies?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2016 22:37:21 -0000
Our implementation considers all post-handshake CertificateRequests to be a fatal error to avoid this. We would do the same even with this proposal; it's an unnecessary complexity (which translates to security risk). If the protocol is such that the client will always bulk-disavow a burst of unexpected CertificateRequests, the server shouldn't have sent them. This was the motivation for wanting it controlled by application profile ( https://github.com/tlswg/tls13-spec/pull/680) and also our general dislike of this feature. It's the sort of thing where semantics are very application-specific and thus belongs in the application protocol, not TLS. Alas, since HTTP/1.1 lacks a nice place to inject this, post-handshake auth is needed to match the legacy renegotiation hack. But, with an application protocol, we can make nice protocol-specific simplifying assumptions and cut out all the pointless cases full generality forces a receiver to tolerate. For instance, in (unpipelined) HTTP/1.1: 1. A client first writes its entire HTTP request, then it tries to read the HTTP response. 2. The server reads the HTTP request. If it decides it needs client auth, it buffers the entire request and sends CertificateRequest. It then tries to read the client Certificate..Finished before sending any part of the HTTP response. 3. The client reads a CertificateRequest and considers it in response to this HTTP request. 4. The client picks a client certificate and sends Certificate..Finished. It goes back to reading the HTTP response. 5. The server reads this, checks it, and, if satisfied, sends the HTTP response. 6. Any deviation from this exact flow is an unexpected post-handshake message thus a protocol error. This includes: * Server sending CertificateRequest mid-response body. * Server sending 1,000 CertificateRequests when there's no HTTP request on the pipe. [Although this'll just read as being in response to the next HTTP request.] * Client sending application data sent between the HTTP request and Certificate..Finished. * Client sending application data between Certificate and CertificateVerify. * Client sending Certificate..Finished mid POST body. The key here is "unexpected" is an application-specific idea. For most applications, everything is unexpected and thus should be the default. For applications that use this, "unexpected" is more complex. In other words, you should think of post-handshake auth not as a thing the TLS stack processes, but as an extra dimension of complexity in the TLS <-> application substrate. Just as application data record HTTP/1.1 syntax error is protocol error, so should a CertificateRequest with HTTP/1.1 post-handshake-auth "syntax error". David On Tue, Dec 13, 2016 at 4:37 PM Benjamin Kaduk <bkaduk@akamai.com> wrote: > 4.5.2 Post-Handshake Authentication notes that if a client receives > multiple CertificateRequests, it can reply to them in a different order > than they were received. By my reading of the text, the client is still > "obligated" to respond to all of them (but the server has to be able to > receive an arbitrary number of messages before it gets back the response, > so it's kind-of a weak obligation). Would we want to weaken the > restriction so that the client is only obligated to reply to at least one, > similarly to how a peer can coalesce multiple KeyUpdate requests? I > understand that the setup is somewhat different, since the > CertificateRequest comes with a context and could correspond to different > application-level needs, but it seemed worth mentioning, since as we have > discussed before generating the Finished message comes with some burden of > handshake buffering/hash forking/etc. > > -Ben > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] post-handshake auth: multiple CertificateRe… Benjamin Kaduk
- Re: [TLS] post-handshake auth: multiple Certifica… David Benjamin