Re: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3
Andrei Popov <Andrei.Popov@microsoft.com> Sat, 03 September 2016 23:19 UTC
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 03 Sep 2016 23:19:06 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Lb5Fvx-Z-fPC3gZHRi3xRTvN-q0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

Yes, I think so.

Cheers,

Andrei

From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Saturday, September 3, 2016 4:07 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: tls@ietf.org
Subject: Re: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

Thanks for flagging this. Looks like it can just go right before Certificate in the client's second flight...

-Ekr

On Sat, Sep 3, 2016 at 2:44 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:

Hi Eric,

MS TLS stack uses the user_mapping extension (to map TLS clients to Windows domain users). We do not implement client/server_authz.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Saturday, September 3, 2016 12:54 PM
To: tls@ietf.org
Subject: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

https://github.com/tlswg/tls13-spec/pull/624

We currently have code points assigned for

user_mapping [RFC4681]
client_authz [RFC5878]
server_authz [RFC5878]

These aren't well-specified for use in TLS 1.3 and my sense is that they are barely used. Any objections to just banning them?

If not, I'll merge this PR end of next week.

-Ekr