IETF Logo Mail Archive

Re: [TLS] Please discuss: draft-housley-evidence-extns-00

Eric Rescorla <ekr@networkresonance.com> Tue, 19 December 2006 20:53 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gwly9-0007lf-Jz; Tue, 19 Dec 2006 15:53:49 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gwly8-0007lV-UL for tls@ietf.org; Tue, 19 Dec 2006 15:53:48 -0500
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gwlxo-000077-W1 for tls@ietf.org; Tue, 19 Dec 2006 15:53:48 -0500
Received: by raman.networkresonance.com (Postfix, from userid 1001) id 78E7B1E8C5D; Tue, 19 Dec 2006 12:53:28 -0800 (PST)
To: tls@ietf.org
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
References: <20061219205144.88FBC5C01E@laser.networkresonance.com>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Tue, 19 Dec 2006 12:53:28 -0800
In-Reply-To: <20061219205144.88FBC5C01E@laser.networkresonance.com> (Eric Rescorla's message of "Tue, 19 Dec 2006 12:48:32 -0800")
Message-ID: <86ac1jr4jb.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 1.1 (+)
X-Scan-Signature: 9a2be21919e71dc6faef12b370c4ecf5
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Eric Rescorla <ekr@networkresonance.com> writes:
> SPEAKING AS CHAIR:
> Mark Brown and Russ Housley have requested that the TLS WG
> adopt draft-housley-evidence-extns-01 as a WG item. This
> work was presented at San Diego to a generally positive
> response but it needs to be discussed on the list. Please
> use this thread to start that discussion.


SPEAKING AS MYSELF
I'm quite negative on this proposal. Review attached.

Note: the following review was based on the -00 version of the
document but a quick skim suggests that the -01 has the same
weaknesses.



BACKGROUND
TLS provides for public key authentication of both client and server
but this only provides for proof of the existence of the handshake
(and this only in limited circumstances). It doesn't provide for
any proof of the contents of the data messages. This draft
extends TLS to provide signatures over the data.


ARCHITECTURAL COMMENTS
I'm not particularly enamored of this general approach. The 
signatures in question are fundamentally an application-level
construct: they're requested by the applications and
ultimately consumed by them. The only real reason to do
this at the TLS layer is the sense that it's easier to deploy.
I'm not actually convinced that that's so, since this approach
still requires modifying the applications to request security
the signature/evidence services.

In addition, putting this functionality at the TLS layer embodies
some not-so-attractive tradeoffs, in particular, that the
binding of application-layer messages to the actual evidence
provided isn't particularly tight, since the signatures cover extents
of the traffic rather than messages. This introduces a number of
race conditions which are only partially solved by the
interlocking alerts used here. Among these are:

 - The sender of the start1 alert has only minimal 
   information/control over when the peer will start signing traffic.
 - It's quite likely that one side will have to process messages
   without knowing whether the peer will actually sign his 
   section of the traffic. This is obviously a problem if you
   are producing side effects. You can mitigate this problem
   only by doing two evidence collections in lockstep.
 - Applications need a bunch of new logic to detect the evidence
   request but hold their response to application-layer boundaries.
   This cannot be implemented at the TLS layer.
 - If you want to condition your application-layer responses 
   to whether the peer provided a signature you need some way
   to provide application-layer "please resend with signature".
   This is a common case but can only be dealt with very
   clumsily here.
   
This seems like a fairly large architectural change to TLS to
make it do something it was never designed to do and which
can be done better in the application.


DETAILED COMMENTS
S 1.
It looks like the evidence creation has to involve signatures by
both parties. Why not have it be one-way.

S 1.2.
   Generating evidence is not compatible with Diffie-Hellman Ephemeral
   (DHE) key exchanges.  DHE does not permit the same keying material to
   be generated for validation of the evidence after the TLS session is
   over.  Persistent evidence requires the use of a digital signature so
   that it can be validated well after the TLS session is over.

Why not just store the traffic keys?


Figure 1 would be better with some markers about the traffic
segments that are signed.

S 2.
I'm uncomfortable with the idea if "evidence suites" and later
of new certificates and certificate negotiation. This seems
like you're layering an entirely new protocol over TLS.

S 3.
This consumes 4 new alerts. The space isn't that big.
Since you're already defining a new protocol type, these
messages might as well be part of that protocol.

S A.
Defining cipher suites with key lengths attached to them
isn't hte TLS way.


-Ekr








_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email