IETF Logo Mail Archive

Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10

Eric Rescorla <ekr@rtfm.com> Sat, 23 March 2019 11:31 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 072C8130EB1 for <tls@ietfa.amsl.com>; Sat, 23 Mar 2019 04:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vj3szZ9VQ_nL for <tls@ietfa.amsl.com>; Sat, 23 Mar 2019 04:31:32 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E65A130EA8 for <tls@ietf.org>; Sat, 23 Mar 2019 04:31:31 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id z26so4036530lja.13 for <tls@ietf.org>; Sat, 23 Mar 2019 04:31:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sGUFcF6K1l+9v23A/KNiLY3KSxPDKhgTbfLdi0VUYCY=; b=WIFR3gPGo/7U/x+a7O3iV1B31hj3oLSV8sGkCxxrocW/9GFPjoggGKeSVot99qZ3Ay zelO3Ai8o3DpvxdlXa9CteR15cBPr9TeJjGKP4Si8vCMIRCsDxB5jih1abp9TKCCZemS HGkYQhrZMqOPcbYeACVkBq7x+7i1hAH/OjVOb52FMGZ8cOEXip/wfJqHhpFsx3PtXvKI SOQfCH+ygi61K2OqWeX374/bno2UF8xES8AA3cuizxanpX8AyZ9N0ebZazA8garX0uCj OT9ks8gytHn7f9fy29S/bsSui0jfB+65yqNitgLPsvAqy9pJDmoDzluTcjCeJCGoFM0O rtrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sGUFcF6K1l+9v23A/KNiLY3KSxPDKhgTbfLdi0VUYCY=; b=bpMf5ddQZnjg+spl8IIjBWjzV8Nt2bi5gx4SccXMMHduennDu1SC8deaYuVVyHPDD6 SzB75/xz7cyV2G8nk8ck2dWeXAskehWHE3kAsqj1nducrUHgRo1X+cbo2jViyVLlZ/k9 t2YcHBT+Itd7L/5/pNfcgDyMUNvT35VaLhnGShfiWIACSITSr0sIZjycyqcKvYUPg3op DJOIXfMdAUgB0ZlMZdqur+OIaLrkYvMNWD/C2dPmxKDcSYTu1lFHTr6Nun3tAALXIU58 KaQ8QWU+tsCwbVkep0RLgjwFpd9cosXyjPgZTVAeKr79HDwlHDgmz1RXEepa0Jzvt/tP bzPg==
X-Gm-Message-State: APjAAAXJAN465Pm/MqCoSvNm3C5ccaCTYKHIC3Dc+n982XgviPDjcrWD +95eZed3Ta6SPgYoIzKkSZ0GXVBaydKhMe85rt5POg==
X-Google-Smtp-Source: APXvYqwlj+R+v10JkUdVCBgEvI+Z0zGa59F9hGzwgGPBeX6DlTFO+EaHxxMTlTIZCrJNr+NppDNxIpfC+zvshb0InK8=
X-Received: by 2002:a2e:8e8e:: with SMTP id z14mr7667935ljk.86.1553340689449; Sat, 23 Mar 2019 04:31:29 -0700 (PDT)
MIME-Version: 1.0
References: <0AE05CBFB1A6A0468C8581DAE58A31309E321135@SINEML521-MBX.china.huawei.com> <CABcZeBMfY38Ps4fVk+Y6xuJB9=WjCJVNgyL+aOKp6TVy=s8ZKw@mail.gmail.com> <0AE05CBFB1A6A0468C8581DAE58A31309E323661@SINEML521-MBX.china.huawei.com> <CABcZeBNq4cjOia_mLViqw=fMKY3HMHJ0vdvwEkRVftGiFo=xug@mail.gmail.com> <0AE05CBFB1A6A0468C8581DAE58A31309E329867@SINEML521-MBS.china.huawei.com>
In-Reply-To: <0AE05CBFB1A6A0468C8581DAE58A31309E329867@SINEML521-MBS.china.huawei.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 23 Mar 2019 04:30:50 -0700
Message-ID: <CABcZeBP4+cF7tx2ZHj3Ax7jCf+XvR2f-xdZnOdUDQr5k_9HXjg@mail.gmail.com>
To: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000299300584c150db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K0nt39ZpiYLxL6TxnjYZoA_Lri0>
Subject: Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2019 11:31:36 -0000

On Sat, Mar 23, 2019 at 3:08 AM Wang Haiguang <
wang.haiguang.shieldlab@huawei.com> wrote:

> Hi, Eric
>
> Thanks very much for the clarification.
>
> Regarding the raw public key, could you please elaborate a little bit more
> on the actual definition on the raw public key?
>

I don't understand this question.

-Ekr


> Regards.
>
> Haiguang
>
> ------------------------------
> *From:* Eric Rescorla [ekr@rtfm.com]
> *Sent:* Saturday, 23 March, 2019 1:13:03 AM
> *To:* Wang Haiguang
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
>
>
>
> On Fri, Mar 22, 2019 at 8:28 AM Wang Haiguang <
> wang.haiguang.shieldlab@huawei.com> wrote:
>
>> Hi, Eric
>>
>> Thanks very much for your comments.
>>
>> Please see my reply inline. Our draft is still under development, we will
>> improve
>>
>> it continuously based on the comments from experts in this area.
>>
>> ------------------------------
>> *From:* Eric Rescorla [ekr@rtfm.com]
>> *Sent:* Thursday, 21 March, 2019 9:46:07 PM
>> *To:* Wang Haiguang
>> *Cc:* tls@ietf.org
>> *Subject:* Re: [TLS] draft-wang-tls-raw-public-key-with-ibc-10
>>
>> I have taken an initial look at this draft [0]. Comments follow.
>>
>> First the motivation for this technique appears rather
>> weak. Primarily, you argue that a PKI is complicated to implement and
>> this is simpler. However, there are a number of factors to consider.
>>
>> [HG] The statement "PKI is more complicated than raw public key" is from
>>
>> RFC 7250 (1st paragraph in the introduction section), and the raw public
>>
>> key has been supported in TLS 1.3.  We share a similar point of view with
>>
>> the authors of RFC 7250.
>>
>
> Yes, but IBC is not raw public key. It is effectively a
> differently-construted PKI.
>
>
>
> Moreover, the advantage of using IBC is beyond succint key management.
>>
>> As analysed in [1] using of certificates has serious impact on the
>> performance
>>
>> of resource contrained devices (see section 7) including RAM usage ,
>> bandwith cost, etc.
>>
>
> Yes, but its not clear that IBC will be any better.
>
>
>
> Quote from [2] "MIKEY-SAKKE sped up the setup of HTTPS sessions by 7 times
>> over standard TLS,
>>
>> meaning websites loaded over 200ms faster".
>>
> What algorithms is this comparing? If it's (say) BB versus RSA, that's not
> really apples to apples.
>
> [1] H. Shafagh. Leveraging Public-key-based Authentication for the
>> Internet of Things.
>>
>> Master thesis,
>> https://people.inf.ethz.ch/mshafagh/master_thesis_Hossein_Shafagh_PKC_in_the_IoT.pdf
>> ",
>>
>> [2] CESG. Using MIKEY-SAKKE Building secure multimedia services
>>
>>
>>
>> First, I believe the design you have selected is too simple to work
>> outside of toy scenarios. Specifically, it doesn't seem to account for
>> any form of revocation. How do you handle the case where someone's
>> keys are compromised? There are a number of ways to handle this inside
>> the context of an IBC system (time-based PKG parameters, have the
>> identities have a timestamp built into them, etc.),
>> but you don't specify these, and they add complexity.
>>
>> [HG] Regarding the revocation, we did not mention it in the draft, but we
>> have
>>
>> considered it in the design. In practice, an
>>
>> expiring time can be included in the identity for the IBC system.
>>
>
> In fact, in RFC 6507 page 7-8, authors have mentioned that expiration time
>> may be included
>>
>> in the identity. That’s the reason we have not discussed the revocation
>> issue in our draft.  If experts in this
>>
>> group think we should address this issue, we can provide more information
>> and details in the next draft.
>>
>> Besides, in ITU-T SG-17, we have specified a framework (x.ibc-iot) for
>> using IBC over telecom
>>
>
> This draft needs to provide a complete description.
>
>
>
>
>> In a similar vein, another thing that adds complexity is having a
>> certificate
>> hierarchy rather than a single CA. If you are willing to have a
>> single-level
>> hierarchy then life is much simpler. With an IBC system, one typically
>> either
>> foregoes this or uses HIBC. Are these systems HIBC capable?
>>
>> [HG] At the moment, our target is to support a single-level IBC system.
>> In the future,
>>
>> if there are needs from industry, we can add in the support of HIBC.
>>
> But again, this is an additional source of complexity. If you only want a
> one-level CA system, you can have something much simpler than PKIX.
> See, for instance:
> https://datatracker.ietf.org/doc/draft-tschofenig-tls-cwt/
>
>
>>
>> In addition, the innherent escrow capability that you describe in Section
>> 7
>> is a way in which IBC systems are materially worse than PKI systems in a
>> way we don't know how to ameliorate (as opposed to CT).
>>
>> [HG] For telecom operator networks, symmetric keys are used for
>> authentication, the
>>
>> home operators always know the root key of a user device have in their
>> SIM card.
>>
>> Therefore, the key escrow is not issue in telecom networks.  Thus,
>> whether key escrow
>>
>> being a severe issue depends on the application scenario.
>>
>
> I don't think this is a demonstration that this is not severe. It's merely
> a demonstration that the current situation is bad.
>
>
> For these reasons, I don't think this WG should adopt this work, though
>> the process allows you to have a code point without adoption.
>>
>> Thank you for your comments. It is better we do not make a decision at
>>
>> this moment. In fact, IBC sees an increasing acceptance in the industry:
>>
>> 3GPP has adopted the RFC 6507, RFC 6508 and RFC 6509 for mission critical
>>
>> communications, and UK government has already started to use it.
>>
>> Considering this, we would like to suggest that the group do consider our
>> draft.
>>
>
> You're of course free to request this, but you have not persuaded me.
>
>
>>
>> TECHNICAL COMMENTS
>> I don't understand why you are sending the PKG parameters over the wire.
>> Either the parameters are already known to the relying party, in which
>> case they are unnecessary or they are not in which case they cannot
>> be trusted. It seems like a hash of them would be sufficient. And of
>> course this doesn't mesh well with multiple generations of PKG parameters
>> (see above) unless you have signed parameters, but now you have a mini
>> PKI.
>>
>> [HG] We agree with your comments, and for the single PKG case, we can
>>
>> use hash values.  For multiple PKGs, it is  reasonable to assume PKGs to
>> trust
>>
>> each other, just like "root" CAs to trust each other.
>>
>
> I don't understand what this means. First, in a PKI-based system trust
> anchors don't
> need to trust each other. It's true that in some cases a trust anchor will
> sign another
> trust anchor, but that's a delegation of trust. Are you assuming something
> like that
> here? If so, how would it work?
>
>>
>> You need to specify the format of "ServerID". Is it a domain name?
>> Something else?
>>
>> [HG] ServerID is simply the identity of the server, and the format of
>> the identity
>>
>> is application-specific.
>>
> That is not going to promote interoperability.
>
> -Ekr
>
>
>
>> -Ekr
>>
>>
>> [0] Note that it's much harder to review documents in PDF. Please send
>> text in future.
>>
>>
>> On Thu, Mar 21, 2019 at 12:33 AM Wang Haiguang <
>> wang.haiguang.shieldlab@huawei.com> wrote:
>>
>>> Hello, everyone.
>>>
>>> Attached is an updated version to our personal draft on
>>> draft-wang-tls-raw-public-key-with-ibc-10.
>>>
>>> The target of the draft is to  use identity as raw public key  over TLS.
>>> Idenitty-based signature (IBS) algorithms are used for peer/server
>>> authentication.
>>>
>>> The draft has been updated from time to time and this is the 10th
>>> version.
>>>
>>> The main change in this version is we have extended the draft to support
>>> three other IBS algorithms, i.e. the ISO-IBS1, ISO-IBS2 and
>>> ISO-Chinese-IBS.
>>> Data structures for these three algorithms are has been defined.
>>>
>>> This version has not been submitted to the IETF data trackers yet. We
>>> will submit it once it is reopen.
>>>
>>> It is appreciate if expert in this mailing list can provide comments and
>>> help us to improve the draft.
>>>
>>> Best regards.
>>>
>>> Haiguang
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>

v2.23.0 | Report a Bug | By Email