Re: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

Andrei Popov <Andrei.Popov@microsoft.com> Sat, 03 September 2016 23:19 UTC


Yes, I think so.

Cheers,

Andrei

From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Saturday, September 3, 2016 4:07 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: tls@ietf.org
Subject: Re: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

Thanks for flagging this. Looks like it can just go right before Certificate in the client's second flight...

-Ekr


On Sat, Sep 3, 2016 at 2:44 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
Hi Eric,

The MS TLS stack uses the user_mapping extension (to map TLS clients to Windows domain users). We do not implement client/server_authz.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Saturday, September 3, 2016 12:54 PM
To: tls@ietf.org
Subject: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

https://github.com/tlswg/tls13-spec/pull/624

We currently have code points assigned for

 user_mapping [RFC4681]
 client_authz [RFC5878]
 server_authz [RFC5878]

These aren't well-specified for use in TLS 1.3 and my sense is that they
are barely used. Any objections to just banning them? If not, I'll merge this
PR end of next week.

-Ekr
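As an added example, not code from this thread or from any of the TLS stacks discussed: a parser for the ClientHello `extensions` vector that flags the three extension types the PR proposes to ban, so a TLS 1.3 server can refuse them at decode time. The extension is encoded as a 2-byte total length followed by repeated {2-byte type, 2-byte length, data} records. The code points 6, 7 and 8 are taken from the IANA TLS ExtensionType registry, not from the message; the sample extension bytes are constructed here for illustration.

```python
import struct

# ExtensionType code points (IANA "TLS ExtensionType Values" registry; the
# thread names the extensions but not their numbers, so these are supplied here).
USER_MAPPING = 6   # RFC 4681
CLIENT_AUTHZ = 7   # RFC 5878
SERVER_AUTHZ = 8   # RFC 5878
BANNED_IN_TLS13 = {
    USER_MAPPING: "user_mapping",
    CLIENT_AUTHZ: "client_authz",
    SERVER_AUTHZ: "server_authz",
}


def build_extensions(exts):
    """Encode a list of (type, data) pairs as a TLS `Extension extensions<..>`
    vector. Used only to construct sample input for this example."""
    body = b"".join(struct.pack("!HH", ext_type, len(data)) + data
                    for ext_type, data in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(buf):
    """Parse the extensions vector into a list of (type, data) tuples.
    Any truncation or length mismatch raises ValueError; a real stack would
    map that to a decode_error alert and abort the handshake."""
    if len(buf) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", buf[:2])
    body = buf[2:]
    if len(body) != total:
        raise ValueError("extensions length does not match buffer")
    out = []
    pos = 0
    while pos < total:
        if total - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if total - pos < ext_len:
            raise ValueError("truncated extension data")
        out.append((ext_type, body[pos:pos + ext_len]))
        pos += ext_len
    return out


def banned_extensions(buf):
    """Return the names of banned extension types present in the vector,
    in the order they appear. An empty list means the ClientHello is clean
    with respect to this check."""
    return [BANNED_IN_TLS13[t] for t, _ in parse_extensions(buf)
            if t in BANNED_IN_TLS13]


if __name__ == "__main__":
    # Constructed sample: server_name (0), user_mapping (6), supported_versions (43).
    sample = build_extensions([(0, b"\x00\x06\x00\x00\x03abc"),
                               (USER_MAPPING, b"\x01\x40"),
                               (43, b"\x02\x03\x04")])
    print("banned:", banned_extensions(sample))
```

A server enforcing the ban would abort with an alert when `banned_extensions` returns a non-empty list; the parse step is kept separate so the same length checks apply whether or not any banned type is present.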