Re: [TLS] TLS 1.3 process
Watson Ladd <watsonbladd@gmail.com> Mon, 31 March 2014 04:09 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3A431A094C for <tls@ietfa.amsl.com>; Sun, 30 Mar 2014 21:09:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvKPtZtmg13Z for <tls@ietfa.amsl.com>; Sun, 30 Mar 2014 21:09:10 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id 81B831A08F9 for <tls@ietf.org>; Sun, 30 Mar 2014 21:09:08 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id v1so7147401yhn.12 for <tls@ietf.org>; Sun, 30 Mar 2014 21:09:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=PYuRTfP6hlGo9BL4NdeHMKtgQKYiVuNVpaRQ4g9IHvU=; b=A7kKzM3xm5+270iEz7QVzDeg1C30WdqLljw3QqOuWogk8Ky/APCXku8Zl6yJC79tIt 8BaAUiOfom/E4iL6a20PJmCXowsS2xqUM9SoorN26Dja4GAnzGfI6SBi+65bzfpndxFM 3P/UdrY+sTu2rzlCcZHdj2qpKkYVzNfqfzcOxPP5OTs98RMMIRCWNHIZh+cRdNU3iV1D rPFqzhZWhW10Un568PQ2eJ84BzhT59lE1iP+DyXJgNxIP3odQF5iv5VaeSLh2Fo+avdC 6GMvn69UNpe1B57MfIOl3fFeuRX7HbFXZAmoBBtsNYuIlOPHpa1IA/BP2dBh7isFh4lI 9eGQ==
MIME-Version: 1.0
X-Received: by 10.236.141.242 with SMTP id g78mr33443565yhj.50.1396238945427; Sun, 30 Mar 2014 21:09:05 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Sun, 30 Mar 2014 21:09:05 -0700 (PDT)
In-Reply-To: <4902faea2d2548bb796379ea22330437.squirrel@www.trepanning.net>
References: <9A043F3CF02CD34C8E74AC1594475C738A33738A@uxcn10-tdc06.UoA.auckland.ac.nz> <4902faea2d2548bb796379ea22330437.squirrel@www.trepanning.net>
Date: Sun, 30 Mar 2014 21:09:05 -0700
Message-ID: <CACsn0cnEGZGrb=d0Li5W0g9wYyiNdfe=803E=ffLuy90dSGQ3g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LPdgs7szBghl0v74QgJlSUPXzqw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 process
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Mar 2014 04:09:14 -0000
On Sun, Mar 30, 2014 at 6:16 PM, Dan Harkins <dharkins@lounge.org> wrote: > > On Sun, March 30, 2014 4:46 pm, Peter Gutmann wrote: >> Dan Harkins <dharkins@lounge.org> writes: >> >>>But everyone in the WG is concerned about getting encryption to work >>>correctly. We're also all concerned about getting authentication to work >>>correctly. And about getting authenticated encryption to work correctly. >> >> Some of us are more worried about making it fit for purpose than in >> fiddling >> with crypto details. > > Well if you do not care about encryption working correctly (it's a direct > quote from the email I was replying to) then don't even bother with it; > your purpose doesn't need encryption. And bringing up a use case that > is happy with incorrect encryption is a waste of time for this WG. But what do you mean by correct? INT-PTXT and IND-CCA2 would be my guess. But TLS of any version doesn't provide that; you have to implement the AES-GCM extension to get that. This still isn't fixed: you have to know the magic workarounds to make the existing, mandatory to implement protocol secure. Furthermore, how do you negotiate the key? Some applications rely on TLS negotiated keys being unique (channel binding for user authentication, GSAPI). This property doesn't hold for any of the basic negotiations discussed: you have to implement and use the ECDHE extension for that. So far from being a waste of time, the only applications the product of the WG is good for are those where encryption doesn't matter. I'm not even going to touch on the embarrassment of having a working group, UTA, created to clean up after us. > >> The former requires careful thought, for the latter you >> just pull a known-good mechanism off the shelf at the end of the design >> process, plug it in, and you're done. To quote Peter Fairbrother on the >> crypto list: >> >> A similar design methodology should be used for security products (and >> software products). Start with the purpose of the product, then the >> human >> and electronic interfaces, then the hardware and last of all the >> detailed >> crypto or code. Oh yes, you think about the crypto all the way through, >> but >> only in terms of what is possible and what resources it will take - >> worry >> about the detailed crypto (or code) last. > > I agree. The purpose of TLS is to secure a network service (as I said > originally, see /etc/services to see who'll use TLS). If we start listing > that > IMAP and POP and HTTP will use TLS-- "what else?"-- it's a distraction. Well, what do you mean by secure? TLS only tells you that you are talking to the possessor of a private key of some X509 certificate, and potentially shows some certificate chain leading there. For client authentication it falls flat: client certificates have ~1 organization using them, and that organization can make anything work by throwing enough billions at it. See the F-35 for details. At best TLS can be a useful tool, letting other people focus on how to turn X509 into what they really need ala DANE. However, they still need to deal with client authentication, and authorization is completely foreign to the entire bundle of technologies I've discussed here. > >>>I fail to see how documenting use cases will help us get encryption to >>> work >>>correctly >> >> It'll allow us to see whether the encryption is fit for purpose. Since >> I'm in >> a quoting mood I'll do Bob Morris this time: >> >> The behaviour of a system without a specification can never be wrong, >> only surprising. > > You should try to find quotes that relate to what you're responding to. > I never said anything about not having a specification and I never said > we need to immediately start "fiddling with crypto details". I said that > enumerating applications that use TLS is not a productive use of time > (I certainly hope you are not equating a use case document with a > specification), and I said that we are all concerned with making encryption > work correctly (in response to the arresting statement that "Watson is > concerned" about it). Everything about TLS is crypto details. What really matters is what TLS is supposed to do. This is not spelled out anywhere, let alone verified for TLS to work. It's the reason Martin Rex can argue BEAST wasn't a bug: with no spec to go against, it didn't violate anything but some sort of implicit understanding about what TLS was supposed to do. > >> TLS has certainly shown some... surprising behaviour over its lifetime. > > How would an enumerated list of the applications that use TLS, or a > use case document for that matter, have helped any of that? Well, it might have made EKR think twice before writing "This timing difference is believe to be too small to exploit" in an RFC. Formal methods could have trivially caught the renegotiation bug. If you look you will see renegotiation isn't actually defined anywhere: it's just casually mentioned that the example handshakes in the document aren't all the possibilities because you can restart them at any time. Channel bindings evolved later, and so no one looked to see if they were secure. Sincerely, Watson Ladd > > Dan. > >> Peter. >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] TLS 1.3 process Sean Turner
- Re: [TLS] TLS 1.3 process Trevor Perrin
- Re: [TLS] TLS 1.3 process Watson Ladd
- Re: [TLS] TLS 1.3 process Martin Thomson
- Re: [TLS] TLS 1.3 process Trevor Perrin
- Re: [TLS] TLS 1.3 process Salz, Rich
- Re: [TLS] TLS 1.3 process Peter Gutmann
- Re: [TLS] TLS 1.3 process Nikos Mavrogiannopoulos
- Re: [TLS] TLS 1.3 process t.petch
- Re: [TLS] TLS 1.3 process Stephen Farrell
- Re: [TLS] TLS 1.3 process Nikos Mavrogiannopoulos
- Re: [TLS] TLS 1.3 process Douglas Stebila
- Re: [TLS] TLS 1.3 process Salz, Rich
- Re: [TLS] TLS 1.3 process Watson Ladd
- Re: [TLS] TLS 1.3 process Dan Harkins
- Re: [TLS] TLS 1.3 process Nikos Mavrogiannopoulos
- Re: [TLS] TLS 1.3 process Adam Langley
- Re: [TLS] TLS 1.3 process Eric Rescorla
- Re: [TLS] TLS 1.3 process Watson Ladd
- Re: [TLS] TLS 1.3 process Trevor Perrin
- Re: [TLS] TLS 1.3 process Bill Frantz
- Re: [TLS] TLS 1.3 process Eric Rescorla
- Re: [TLS] TLS 1.3 process Dan Harkins
- Re: [TLS] TLS 1.3 process Peter Gutmann
- Re: [TLS] TLS 1.3 process Peter Gutmann
- Re: [TLS] TLS 1.3 process Peter Gutmann
- Re: [TLS] TLS 1.3 process Bill Frantz
- Re: [TLS] TLS 1.3 process Dan Harkins
- Re: [TLS] TLS 1.3 process Salz, Rich
- Re: [TLS] TLS 1.3 process Peter Gutmann
- Re: [TLS] TLS 1.3 process Bill Frantz
- Re: [TLS] TLS 1.3 process Dan Harkins
- Re: [TLS] TLS 1.3 process Watson Ladd
- Re: [TLS] TLS 1.3 process Dan Harkins
- Re: [TLS] TLS 1.3 process Peter Gutmann
- Re: [TLS] TLS 1.3 process Andy Lutomirski
- Re: [TLS] TLS 1.3 process henry.story@bblfish.net