Re: [TLS] Genart last call review of draft-ietf-tls-exported-authenticator-09
Eric Rescorla <ekr@rtfm.com> Thu, 10 October 2019 14:36 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A29361200C1 for <tls@ietfa.amsl.com>; Thu, 10 Oct 2019 07:36:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f_hp_6WrAvbM for <tls@ietfa.amsl.com>; Thu, 10 Oct 2019 07:36:54 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75048120018 for <tls@ietf.org>; Thu, 10 Oct 2019 07:36:53 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id c195so4568735lfg.9 for <tls@ietf.org>; Thu, 10 Oct 2019 07:36:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BKbxl0Llj5SNsAm7793ZM2v7TvXBNai78KLepuMeQaI=; b=cm535rWRFfVG5pEXHY13X1Cxy8KirO5IpokuvnGpHTy/Dof3bn57ly4knxq0PKQqK+ tYmL5PUzLspwrP+ECedp71RFk9Dt4UFf5DkH2URe/jaRfemO+esOuCrcAkYO2e0Jcpk0 O6FelrbJgZfL/3OJ6cJ1zpytdqYDi/9IDgYdnPpzytO9DpvWOIVTxChJWdy5q5jEqRUt NCIIaMZyMScnDr6FpChh2w3rl0qhC6dhdJzjYSAkFWwS8HsHVY3O24ftl8niV6tUFEdG QkcVlVSxiSqAJo6BVHPbiuTfIRTl5hlYot6bhPFCDWm1DQhUxYq8KYkUMUaFDFhuNrcK Nreg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BKbxl0Llj5SNsAm7793ZM2v7TvXBNai78KLepuMeQaI=; b=ZyXaXNQkEBlK407AGXqv6RKNGo632FQiqp8ZMgfPHC8/yhcxYqPRq1x6Y2dMegQ6T7 YlYOE+Xg+HOyckwQgQVSK74mMFw108SOGM0Lg1dgjSbHXuZcUN1RKFE16lhmZVOui2s2 kZPHHejLEb2IjtVm5j6eF2w2SdVkb6eZv9VxvVj7y6oDIzdCSwCIEm3ohbEzHdWwNHV8 eKQr7Pc+wBYY4PoYNKbVtUTp2tnAOv4xoCz3G5PZk5r5cHTRg+3M2PZaMLIKm9zwOXqX qlQPILAiTHt7AWm261G8NVQops1dVwCJWnBBSnPdYdwTRHwMFkZimob3PM0AvC1n25Ku LYwQ==
X-Gm-Message-State: APjAAAV9uMdF4FALJCGVbBF+Z3NpF4zBkLPIklwLth27Gs/3Y8aQvjLm 92l5S/8OtgPLLdXZ+iPD1JEJhq0MRPrAVKKf/jpTZA==
X-Google-Smtp-Source: APXvYqzRaG8qyJyEcZEeeVKE7QEik+mtfFWHKUfiDRJtwg6KAxpNFPkzX2pwHNidvn73IKy1ZDXxpnkajq3tfUzjZsU=
X-Received: by 2002:a19:7404:: with SMTP id v4mr1223420lfe.129.1570718211653; Thu, 10 Oct 2019 07:36:51 -0700 (PDT)
MIME-Version: 1.0
References: <156249708979.14501.13745976049183757305@ietfa.amsl.com> <CAFDDyk8iG0R2rT7x-t7fHkFxcYBBkf8j1-mg1xbexoh8gXts6A@mail.gmail.com> <7BDE969A-7B5F-4979-B4E9-7E6C03C0A1B1@ericsson.com> <CAFDDyk_yoOu01nBPrBj_AVBugFRGUCOthYDysOuAGCrKNWG8dg@mail.gmail.com> <57E5EB36-6A59-45A7-A2F4-1E1626391742@ericsson.com> <CAFDDyk-T_+RHDwEJ+8AQFTvZKykPxwd+A5+8xiZp22bOs48S8w@mail.gmail.com> <0cf4806b-3825-4d25-8be0-13c27533b08d@www.fastmail.com> <CAFDDyk-JyDTfk3JpfvtDZpWcKXE3Nd14oegbeMDetnHkCLr-wA@mail.gmail.com>
In-Reply-To: <CAFDDyk-JyDTfk3JpfvtDZpWcKXE3Nd14oegbeMDetnHkCLr-wA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 10 Oct 2019 07:36:14 -0700
Message-ID: <CABcZeBPNwf6sUg-9hpAS1scfnU-KqpEXDmG430Tw0V+rGGXoVw@mail.gmail.com>
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c569e05948f5561"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KxeUWqv7VKmvMtbxTv13-pPcPMM>
Subject: Re: [TLS] Genart last call review of draft-ietf-tls-exported-authenticator-09
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2019 14:36:59 -0000
Well, DTLS is one of the primary consumers of exporters https://tools.ietf.org/rfcmarkup?doc=5764, so as a practical matter I think we've accepted that. I'm not aware of a practical problem with exporters and DTLS, but if there is one, we should document it and address it. -Ekr On Thu, Oct 10, 2019 at 7:08 AM Nick Sullivan <nick= 40cloudflare.com@dmarc.ietf.org> wrote: > The main concern I had about including DTLS explicitly in this document > was because exporters are not officially defined for DTLS. However, some > other documents assume they are portable so maybe this is an overly > conservative choice. > > On Wed, Oct 9, 2019 at 6:26 PM Martin Thomson <mt@lowentropy.net> wrote: > >> I think that the DTLS thing doesn't require as much rewriting as >> observed. Just say that when you say "TLS" you mean "TLS or DTLS" >> somewhere up front. >> >> As to what a transport needs to provide, I think that there is no real >> text to add regarding DTLS. You *could* say that as the application >> protocol is responsible for carrying the messages, might find that using a >> DTLS connection introduces new problems. Specially, these are big messages >> and they are likely to require fragmentation and reassembly if DTLS is >> used. Also, if the protocol depends on these messages being reliably >> delivered, it will want to provide some sort of loss recovery mechanism. >> >> On Thu, Oct 10, 2019, at 11:47, Nick Sullivan wrote: >> > Thanks again for your review! The PR is on Github >> > (https://github.com/tlswg/tls-exported-authenticator/pull/50) and will >> > be incorporated into a new version of the document that addresses both >> > your comments and those by Yaron Sheffer. >> > >> > On Thu, Sep 19, 2019 at 11:29 PM Christer Holmberg >> > <christer.holmberg@ericsson.com> wrote: >> > > Hi, >> > > >> > > >Some answers to your questions inline. I'm not sure further changes >> along the lines suggested here are needed, but I'm open to arguments that >> point in that direction. >> > > >> > > I am mostly fine with your answers. Just a couple of comments inline >> still. >> > > >> > > --- >> > > >> > > MIN_2: >> > > >> > > >>>> Can the mechanism be used also for DTLS? >> > > >>> >> > > >>> I think the answer is yes. I don't see any reason to disallow >> the use of Exported Authenticators in DTLS. >> > > >> >> > > >> Would it be useful to clarify that? >> > > > >> > > > Going through what the modified text would look like, it seems >> like a substantial amount of re-writing (even the title!) for what amounts >> to an unclear use case. >> > > > Keeping in mind that DTLS 1.3 hasn't been finalized and doesn't >> directly define exporters, I'm disinclined to define how EAs would work >> with DTLS. If someone >> > > > has a strong use case for EA in DTLS, it may be worth considering >> it. >> > > >> > > Would it then be useful with a statement saying that it might be >> possible to use exporters also with DTLS, but that such usage is outside >> the scope of the document and needs to be specified in a separate document? >> > >> > I added a line to this effect. >> > > >> > > --- >> > > >> > > MIN_3: >> > > >> > > >>>> The documents talk about additional certificates. If I only >> have one additional >> > > >>>> certificate, can I use that for multiple authenticators >> throughout the TLS >> > > >>>> session? >> > > >>> >> > > >>> Yes, there is nothing disallowing the creation of multiple >> exported authenticators with the same certificate. >> > > >> >> > > >> Would it be useful to clarify that? >> > > > >> > > > I'm not convinced this is a realistic use case. Since exported >> authenticators are based on the exporter, there is no inherent ordering. >> > > > If you re-authenticate with the same certificate, there's nothing >> asserting freshness of the second certificate. Is there something in >> > > > the text that suggests that using a certificate multiple times is >> disallowed? If there's no suggestion that this is not possible that >> > > > needs to be corrected, I don't see the benefit of calling out this >> specific use case. >> > > >> > > I don't think there is any text suggesting that it is disallowed. >> But, if you don't think it is a realistic use case I'll take your word for >> it :) >> > > >> > > --- >> > > >> > > ED_2: >> > > >> > > >>>> Section 3 says: "The authenticator request is a structured >> message that can be >> > > >>>> created..." Section 4 says: "The authenticator is a structured >> message that can >> > > >>>> be exported..." >> > > >>>> >> > > >>>> In the 2nd paragraph of Section 4 it is stated that >> "authenticator" is sent >> > > >>>> based on an "authenticator request". I wonder if that could be >> stated already >> > > >>>> in the beginning of Section 4, to further clarify the >> difference between them. >> > > >>>> E.g., >> > > >>>> >> > > >>>> "The authenticator is a structured message, triggered by an >> authenticator >> > > >>>> request, that can be exported from either party of a TLS >> connection." >> > > >>> >> > > >>> The issue is that servers can generate spontaneous exported >> authenticators without >> > > >>> an authenticator request. >> > > >> >> > > >> Where is this written? Did I miss it? >> > > > >> > > > Section 4: >> > > > An authenticator message can be constructed by either the client or >> > > > the server given an established TLS connection, a certificate, and >> a >> > > > corresponding private key. Clients MUST NOT send an authenticator >> > > > without a preceding authenticator request; for servers an >> > > > authenticator request is optional. For authenticators that do not >> > > > correspond to authenticator requests, the >> certificate_request_context >> > > > is chosen by the server. >> > > >> > > Ok. Looks good. >> > > >> > > Regards, >> > > >> > > Christer >> > > >> > > >> > _______________________________________________ >> > TLS mailing list >> > TLS@ietf.org >> > https://www.ietf.org/mailman/listinfo/tls >> > >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Genart last call review of draft-ietf-tls-e… Christer Holmberg via Datatracker
- Re: [TLS] Genart last call review of draft-ietf-t… Nick Sullivan
- Re: [TLS] Genart last call review of draft-ietf-t… Nick Sullivan
- Re: [TLS] Genart last call review of draft-ietf-t… Christer Holmberg
- Re: [TLS] Genart last call review of draft-ietf-t… Nick Sullivan
- Re: [TLS] Genart last call review of draft-ietf-t… Christer Holmberg
- Re: [TLS] Genart last call review of draft-ietf-t… Nick Sullivan
- Re: [TLS] Genart last call review of draft-ietf-t… Martin Thomson
- Re: [TLS] Genart last call review of draft-ietf-t… Nick Sullivan
- Re: [TLS] Genart last call review of draft-ietf-t… Eric Rescorla
- Re: [TLS] Genart last call review of draft-ietf-t… Christer Holmberg