Re: [TLS] Comment on draft-thomson-tls-sic-00
Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 15 April 2019 09:09 UTC
Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BBD912015D for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 02:09:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qyqd73PKd7B7 for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 02:09:34 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3B3F12008A for <tls@ietf.org>; Mon, 15 Apr 2019 02:09:33 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id g187so9013717vsc.8 for <tls@ietf.org>; Mon, 15 Apr 2019 02:09:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kOge/3aPywOin3hJYwQnqisnq+rV9ePrz4GoBvppBkc=; b=uupXgBs/NG/eCoqX+CAqPD0gxNKho8RHtQsT6rXy1jjHIJw6CE6zEOhMk11bp4QBnG rq8BNs/7lYaKcQSDwZIw2zs0aDDcZ7MHllzmzmCWJb2msZuWbx8e2oWYwYT1ZuAlAp3x C8P0W3BQ1OXD6hAv/4qzrLruBT6OCLJ8OXrq+4K0qHZKOqHKLWDVaFs/DIoBH8G8wbAo ETH6fA+Uw2T2m6H9vdh1ZTLRg6wmxsQ6JhNRe+hlYl1rR+njLxQDiNPbVZsezrJPeehF GRLGthAtmVre6zY2egd4Wh3cQtVzm1/zbP8a6Y2hN1si4GTzmxR/SKspzYa52rrrkm5B A1ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kOge/3aPywOin3hJYwQnqisnq+rV9ePrz4GoBvppBkc=; b=GhbG04snJ+T9m1BSpC6VcVSaxPTamGtlF1EwBzitB74O+MQCifVj4v8aUjfXox6/Mo p/0nw+1OJDnNkKVZjNS/appk8iV9tcJmoZ7FmMpK58aGtxBbA7ksEB8xi3IFQKMPsz1P a1hPaFiaYOrUmtVyyXPfsDtyGi9yq+zPnL946L70Fs7P6VFFcjwRI04UpWmtv8kdhEsm ue0mUUOWczRQ9Cx/JugGEZgXhuskFeHZ0jGYqcjTdzaNh2YU41xC7wVfeijT2wi1ShFf 33UZvBfG9PJZKqfLoiL2VugE8jwH5ic3a9FRk22r781YtTNpEzqP19Ld85SQy+3BGhsd SohQ==
X-Gm-Message-State: APjAAAX7WwV5P91CtFygqfj1mN+AorRG5kRJaEHi2z3icqCgW4XvBzR8 tzYH/Fz2FbqTQ83KuIJyvLmLVDF+rqMl4/RpjV32HFTK
X-Google-Smtp-Source: APXvYqxuInW1GRep5P6ZMuZeyCgrp+HR8mbYg/u/R3W8y8+llXELKqf3MnZF+ltkLJpqeRF/XXFdqiax6U0yGs+GKKQ=
X-Received: by 2002:a67:e3cf:: with SMTP id k15mr38251850vsm.185.1555319372683; Mon, 15 Apr 2019 02:09:32 -0700 (PDT)
MIME-Version: 1.0
References: <AC987170-3F9F-4682-B49B-872B9028692F@ericsson.com> <745ED9FE-9C31-4687-BD64-836155A28AEC@ericsson.com> <3C099064-52D9-49C3-9180-A01FBDEE876A@ericsson.com> <523c1d42-c4bb-4206-b9be-bcec93973424@www.fastmail.com>
In-Reply-To: <523c1d42-c4bb-4206-b9be-bcec93973424@www.fastmail.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 15 Apr 2019 10:09:21 +0100
Message-ID: <CACykbs3cS_9YWD5EavNpj=1N8iJwLZMXOW9Hm-gUVAjJcej+PQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b8a09905868e021c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KSzMYyk8i3AjQwhkBvmF9RfNZAQ>
Subject: Re: [TLS] Comment on draft-thomson-tls-sic-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 09:09:35 -0000
Hi Martin, Could you comment on how the client and server know they agree on the certificate chain? Would it be possible for the client and server to resolve the certificate chain down two distinct paths, for example in the case of cross signed certificates? If so, is there a security risk here, as in, does it matter if the client and server disagree on the chains? Could an attacker perform some shenanigans with disjoint roots of trust, or by finding paths with differing policy constraints (if that even makes sense)? Would it help anything if the server included a digest of the certificate chain in its EncryptedExtensions? Regards, Jonathan On Thu, 11 Apr 2019 at 03:58, Martin Thomson <mt@lowentropy.net> wrote: > On Sat, Mar 30, 2019, at 06:05, John Mattsson wrote: > > And one more.... > > > > "The 0xTBD flag can only be send in a ClientHello or CertificateRequest > > message. Endpoints that receive a value of 1 in any other handshake > > message MUST generate a fatal illegal_parameter alert." > > > > This goes against draft-nir-tls-tlsflags > > > > "A server that supports this extension and also supports at least one > > of the flag-type features that use this extension and that were > > declared by the ClientHello extension SHALL send this extension with > > the intersection of the flags it supports with the flags declared by > > the client." > > > > I assume the sic sic extension should be sent in EncryptedExtensions. > > I think that this is a problem in draft-nir-tls-tlsflags. Extensions in > ClientHello are "answered" in two places: EncryptedExtensions and > Certificate. The requirement that the flag be echoed creates a problem in > that context. > > We could define separate "Handshake flags" and "Certificate flags", but > that complicates things. > > If you look at extension usage, you see that not all "flags" are echoed. > In this case, a requirement to echo would just increase the size of > Certificate for no good reason - the extension can be omitted completely. > > We should only require the presence of the flag where it carries > semantics. The requirement should be stated as > > Implementations MUST NOT set flags in extension responses if the remote > endpoint did not send the corresponding flag in extension requests. > Upon > receiving a flag that is incorrectly set, an endpoint MUST abort the > handshake > with an "unsupported_extension" [?] alert. > > Mirroring the language from RFC 8446. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Comment on draft-thomson-tls-sic-00 John Mattsson
- Re: [TLS] Comment on draft-thomson-tls-sic-00 John Mattsson
- Re: [TLS] Comment on draft-thomson-tls-sic-00 John Mattsson
- Re: [TLS] Comment on draft-thomson-tls-sic-00 Martin Thomson
- Re: [TLS] Comment on draft-thomson-tls-sic-00 Jonathan Hoyland
- Re: [TLS] Comment on draft-thomson-tls-sic-00 Martin Thomson