[TLS] Informal minutes from Orlando
Paul Hoffman <paul.hoffman@vpnc.org> Sun, 14 April 2013 15:24 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B122821F90CE for <tls@ietfa.amsl.com>; Sun, 14 Apr 2013 08:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RyCnvUEEIfcM for <tls@ietfa.amsl.com>; Sun, 14 Apr 2013 08:24:27 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id CFCAA21F869C for <tls@ietf.org>; Sun, 14 Apr 2013 08:24:27 -0700 (PDT)
Received: from [10.20.30.90] (50-1-98-173.dsl.dynamic.sonic.net [50.1.98.173]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id r3EFOP5h077860 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <tls@ietf.org>; Sun, 14 Apr 2013 08:24:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <516A76EE.1030501@gnutls.org>
Date: Sun, 14 Apr 2013 08:24:27 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <713CF92A-A2CA-45D1-8057-350DBB2CBB85@vpnc.org>
References: <516A76EE.1030501@gnutls.org>
To: "tls@ietf.org" <tls@ietf.org>
X-Mailer: Apple Mail (2.1503)
Subject: [TLS] Informal minutes from Orlando
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Apr 2013 15:24:28 -0000
On Apr 14, 2013, at 2:29 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote: > I don't know if the issues in CBC ciphersuites topic was discussed in > the previous WG meeting (couldn't find the minutes) I volunteered to take minutes at the meeting, and sent them to the chairs immediately after. They did not post them, so they are not part of the official IETF proceedings. Below is what I sent them. --Paul Hoffman TLS WG Minutes from Paul Hoffman Stuff from slides is not reproduced here; see https://datatracker.ietf.org/meeting/86/materials.html#tls draft-ietf-tls-cached-info, Hannes Tschofenig One open issue Instead of sending the fingerprint, server just sends empty Certificate payload More elegant from an implementation standpoint Adam Langley: Do we hash them all, always? Doesn't want to paint ourselves in the corner Not optimizing how much you would send. Ekr: Server hello lists all of what will be omitted Joe: Could add types for omitting intermediate certificates only Next version will be out next week Next prototocol negotiation HTTPbis WG wants this so that someone can tell which version of HTTP is being used draft-friedl-tls-applayerprotoneg, Andrei Popov Hiding things from snooping should be generic for all data draft-agl-tls-nextprotoneg, Adam Langley NPN is used for negotiating SPDY today IANA will certainly change extension number that was picked (Looking at previous slides' chart): Client sends its message "here" Wish to avoid sending anything in the cleartext Does not receive the same guarantees that TLS provides Uncomfortable grey area between "confidentail" and "secure" ALPN reflects everything else we do in the normal TLS handshake But that makes it less robust If the TLS WG goes with this, NPN will be dropped Also wanting put other stuff in the protected-but-not-secure road Burning a round trip in renegotiation is not viable Martin Stiemerling: Why would someone blocking not base on the server's list? Adam: server doesn't have to actually list anything Client can pick whatever it wants, even what isn't Ekr, wearing chair hat: The specification must allow negotiation Yoav Nir: We like creating frameworks for solving problems Why should we have any negotiation of HTTP Mark Nottingham: The request from HTTPbis WG was to have this be open-ended Roberto Peon: Negotiation is needed during protocol development Ekr: The negotiation needs to advertise and the other side can select Adam: Had a different design Adam: Want a common advertisment so that middleboxes cannot use the advertisement to block Mark: The list doesn't need to be complete Hannes: Privacy concerns drive the protocol design Adam: not really a privacy concern because the the security is complete; think robustness instead Gabriel Montenegro: Twitter today doesn't negotiate: it goes straight to SPDY Doesn't like the encryption without the final handshake Adam: Because False Start is being used, you have nearly the same security guarantees Martin: The problem is that we have different servers wanting to different things Advertisements help us to determine that Mark: What is the contentious point? Ekr: We have two designs with very different properties NPN violates the TLS state machine Wants to have significant parts of the handshake covered Maybe we can do this today Cullen Jennings: Concerned how many firewalls block what they do not understands Thus would rather expose instead of hide Not a real privacy loss Andrei: Slippery slope of partial protection from passive attack False start is predicated on a strong cipher, so not really comparable You don't want to restrict the ciphers; Adam: wants to restrict it to strong ciphers to make people upgrade Ted Hardie: in Tor bridge ALPN lets you do an early stop, in NPN it terminates later Adam: Was just using Tor as an example Ekr: For Tor, now it is just a cross-protocol attack Joe Salowey: Concerned about the middle-ground Wants to protect the handshake in a more robust way Brian Dickson: What is the list of protocols? Adam: ASCII strings Brian: client may be shoehorning itself Adam: We don't care for SPDY, but that doesn't help my case Mark: Doesn't want this to drag out HTTP1 and 2 are semantically equivalent Tokens have roughly the semantics of a TCP port For Tor, it could be hidden much lower in HTTP Personal bias was towards NPN, but is now neutral Maybe wants the server to choose Dan Harkins: Doesn't like either because it's not the job of TLS Ekr: Server picks is the way things are done in TLS Martin: How do the guarantees on NPN affect MITM attacks? Adam: Good/bad thing about NPN is that works with proxies We are already sending data with False Start so it is not different Ekr: The client must verify the server certificate before emitting the NPN client message This moves the host name check up Roberto Peon: Data from doing different protocols over 80: bad; other port, almost as bad; 443: no problem at all If we make it easy for people to see it, we'll have to design this again later, doesn't want to that Ekr: Doesn't agree that hiding the selected protocol is better Intermediary will break client hello based on TLS 1.1 Andrei: Devising a protection scheme for one piece of data is not good; be more systematic Will lead to double encryption Adam: Agrees, and thus put it in Encrypted Extension block Andrei: Maybe use Marsh Ray's proposal Cullen: APLN will get through firewalls better Straw poll: ALPN hummed slightly louder Russ Housley: Donkey between hay Counting: 25 ALPN 12 NPN Ekr: We still want to work on hiding more Sean: that will be TLS 1.3 TLS authorization using DTCP certificate draft-dthakore-tls-authz, D. Thakore Additional authentication type that is mostly for audio-visual content Update to IPR will have licensing terms Chairs will figure out why it has not been published Adam: RFC 5878 has a lot of problems that prevented it working for CT Errata have been submitted Currently individual submission, will figure out with Sean Will have a later glance in the WG TLS over LLCP draft-urien-tls-llcp, Pascal Urien All about NFC (near field communication) Wants to put TLS between SNEP and LLCP There is an implementation available Wants advice from WG on how to make profile Ekr: break this into two drafts: LLCP and TLS issues Hannes: LWIG has implementation guidance Lots of other LWIG drafts and COAP drafts deal with this
- [TLS] TLS CBC ciphersuites fix Nikos Mavrogiannopoulos
- [TLS] Informal minutes from Orlando Paul Hoffman
- Re: [TLS] Informal minutes from Orlando Russ Housley
- Re: [TLS] Informal minutes from Orlando Paul Hoffman