MIME-Version: 1.0
References: <20191111195325.GE32847@kduck.mit.edu>
In-Reply-To: <20191111195325.GE32847@kduck.mit.edu>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 13 Nov 2019 06:29:44 -0500
Message-ID: <CAHbuEH5mCW9aUJva=+umYeTLbOvHQUTSexxVjhn3zNDOv5Sb7A@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-tls-oldversions-deprecate.all@ietf.org, 
 "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000938306059738b016"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LmKrksPNxzlfSprcM8BX8X1xfus>
Subject: Re: [TLS] preliminary AD review of
 draft-ietf-tls-oldversions-deprecate-05
Precedence: list

--000000000000938306059738b016
Content-Type: text/plain; charset="UTF-8"

Hi Ben,

Just replying to the parts of the tread that were not responded to already
as Stephen will likely be looking at the headers/updates per his message.
Thanks for your careful review.

On Mon, Nov 11, 2019 at 2:54 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi all,
>
> This is a "preliminary" review only because there's some strangeness
> relating to the Updates: (and Obsoletes:) headers, and any changes there
> would make me need to go and recheck the relationship of this document to
> the ones listed.  So, I haven't done any of that yet, in an attempt to only
> have to do it once.
>
> Specifically, there's skew between the list of documents updated in the top
> header and the list in Section 1.1.  Evern more annoyingly, the (tools)
> HTML version seems to be missing some numbers from the document header,
> that are present in the TXT version.  (Henrik is going to take a look, per
>
> https://mailarchive.ietf.org/arch/msg/tools-discuss/Maeh0f_WfOy5sfnGQpwGPs_sYcU
> .)
>

Thanks.

>
> Additionally, Section 1.1 lists some RFCs that "have been obsoleted", but
> there is no "Obsoletes:" header at the top of the document.
>
> I think nits is right about references (square-bracketed "[RFC6347]") in
> the Abstract; we should change those to normal textual (parenthesed
> "(RFC 6347)") before IETF LC.
>
> Some other notes from a quick pass over the main text (though I'll probably
> read it again once the above are addressed) follow.
>
> Section 1
>
> It feels a little backwards for a "primary technical reason" to
> deprecate a protocol version being that "at least one widely-used
> library has plans to drop [it]".
>

I see what you are saying.  The major library dropping it has to do with
the number of versions available and supporting them all is cumbersome and
could lead to configuration errors on the part of the user.  Would you just
like "primary" removed or would you prefer more of a change to the text?


>
> I do appreciate that we give discussion about what we intend
> "deprecation" to mean and for whom -- thank you for that!
>
> Section 2
>
>       TLS 1.3, specified in TLSv1.3 [RFC8446], represents a significant
>       change to TLS that aims to address threats that have arisen over
>       the years.  Among the changes are a new handshake protocol, a new
>       key derivation process that uses the HMAC-based Extract-and-Expand
>       Key Derivation Function (HKDF), and the removal of cipher suites
>       that use static RSA or DH key exchanges, the CBC mode of
>       operation, or SHA-1.  The list of extensions that can be used with
>       TLS 1.3 has been reduced considerably.
>
> While it's true that the initial list of extensions usable with TLS 1.3
> is smaller than the list of extensions usable at TLS 1.2 taken at the
> same time, it's also true that the requirements for allocating a new
> extension codepoint have been reduced dramatically.  So I think I'd say
> that this reflects not a desire to reduce the attack surface (as
> "measured" by number of extensions) but rather a paradigm shift in how
> the protocol works, which leaves some existing functionality
> incompatible with the new model.  I don't really get a clear sense of
> what this current last sentence is trying to say (i.e., whether it's one
> of those two descriptions I offered above).
>

Would you prefer "a significant change", be "a paradigm shift"? If not,
could you propose text?



> Section 3
>
>    Similarly, the authentication of the handshake depends on signatures
>    made using SHA-1 hash or a not stronger concatenation of MD-5 and
>    SHA-1 hashes, allowing the attacker to impersonate a server when it
>    is able to break the severely weakened SHA-1 hash.
>
> My recollection of the WG discussions (which I will go review) is that
> we don't really have consensus on the "not stronger" portion of this.
> Is that a key component of the document here?  (N.B. this is *not* an
> invitation to rehash that discussion again!  The chairs or I can provide
> a summary of points not resolved by previous discussion and points
> believed to be adequately agreed upon, which would be a trigger for any
> additional discussion that might be needed.)
>

Since you are already looking at the consensus of this with the chairs, we
can wait for your guidance.

Best regards,
Kathleen

>
> Thanks for putting this document together (I know that getting all the long
> list of references/updates/etc. right is really tedious and frustrating),
> and sorry to have been sitting on it for so long.
>
> -Ben
>


-- 

Best regards,
Kathleen

--000000000000938306059738b016
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">Hi Ben,<div><br></div><div>Just replying =
to the parts of the tread that were not responded to already as Stephen wil=
l likely be looking at the headers/updates per his message.=C2=A0 Thanks fo=
r your careful review.</div></div><br><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Mon, Nov 11, 2019 at 2:54 PM Benjamin Kadu=
k &lt;<a href=3D"mailto:kaduk@mit.edu">kaduk@mit.edu</a>&gt; wrote:<br></di=
v><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;borde=
r-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br>
<br>
This is a &quot;preliminary&quot; review only because there&#39;s some stra=
ngeness<br>
relating to the Updates: (and Obsoletes:) headers, and any changes there<br=
>
would make me need to go and recheck the relationship of this document to<b=
r>
the ones listed.=C2=A0 So, I haven&#39;t done any of that yet, in an attemp=
t to only<br>
have to do it once.<br>
<br>
Specifically, there&#39;s skew between the list of documents updated in the=
 top<br>
header and the list in Section 1.1.=C2=A0 Evern more annoyingly, the (tools=
)<br>
HTML version seems to be missing some numbers from the document header,<br>
that are present in the TXT version.=C2=A0 (Henrik is going to take a look,=
 per<br>
<a href=3D"https://mailarchive.ietf.org/arch/msg/tools-discuss/Maeh0f_WfOy5=
sfnGQpwGPs_sYcU" rel=3D"noreferrer" target=3D"_blank">https://mailarchive.i=
etf.org/arch/msg/tools-discuss/Maeh0f_WfOy5sfnGQpwGPs_sYcU</a> .)<br></bloc=
kquote><div><br></div><div>Thanks.=C2=A0</div><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,20=
4);padding-left:1ex">
<br>
Additionally, Section 1.1 lists some RFCs that &quot;have been obsoleted&qu=
ot;, but<br>
there is no &quot;Obsoletes:&quot; header at the top of the document.<br>
<br>
I think nits is right about references (square-bracketed &quot;[RFC6347]&qu=
ot;) in<br>
the Abstract; we should change those to normal textual (parenthesed<br>
&quot;(RFC 6347)&quot;) before IETF LC.<br>
<br>
Some other notes from a quick pass over the main text (though I&#39;ll prob=
ably<br>
read it again once the above are addressed) follow.<br>
<br>
Section 1<br>
<br>
It feels a little backwards for a &quot;primary technical reason&quot; to<b=
r>
deprecate a protocol version being that &quot;at least one widely-used<br>
library has plans to drop [it]&quot;.<br></blockquote><div><br></div><div>I=
 see what you are saying.=C2=A0 The major library dropping it has to do wit=
h the number of versions available and supporting them all is cumbersome an=
d could lead to configuration errors on the part of the user.=C2=A0 Would y=
ou just like &quot;primary&quot; removed or would you prefer more of a chan=
ge to the text?</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi=
ng-left:1ex">
<br>
I do appreciate that we give discussion about what we intend<br>
&quot;deprecation&quot; to mean and for whom -- thank you for that!<br>
<br>
Section 2<br>
<br>
=C2=A0 =C2=A0 =C2=A0 TLS 1.3, specified in TLSv1.3 [RFC8446], represents a =
significant<br>
=C2=A0 =C2=A0 =C2=A0 change to TLS that aims to address threats that have a=
risen over<br>
=C2=A0 =C2=A0 =C2=A0 the years.=C2=A0 Among the changes are a new handshake=
 protocol, a new<br>
=C2=A0 =C2=A0 =C2=A0 key derivation process that uses the HMAC-based Extrac=
t-and-Expand<br>
=C2=A0 =C2=A0 =C2=A0 Key Derivation Function (HKDF), and the removal of cip=
her suites<br>
=C2=A0 =C2=A0 =C2=A0 that use static RSA or DH key exchanges, the CBC mode =
of<br>
=C2=A0 =C2=A0 =C2=A0 operation, or SHA-1.=C2=A0 The list of extensions that=
 can be used with<br>
=C2=A0 =C2=A0 =C2=A0 TLS 1.3 has been reduced considerably.<br>
<br>
While it&#39;s true that the initial list of extensions usable with TLS 1.3=
<br>
is smaller than the list of extensions usable at TLS 1.2 taken at the<br>
same time, it&#39;s also true that the requirements for allocating a new<br=
>
extension codepoint have been reduced dramatically.=C2=A0 So I think I&#39;=
d say<br>
that this reflects not a desire to reduce the attack surface (as<br>
&quot;measured&quot; by number of extensions) but rather a paradigm shift i=
n how<br>
the protocol works, which leaves some existing functionality<br>
incompatible with the new model.=C2=A0 I don&#39;t really get a clear sense=
 of<br>
what this current last sentence is trying to say (i.e., whether it&#39;s on=
e<br>
of those two descriptions I offered above).<br></blockquote><div><br></div>=
<div>Would you prefer &quot;a significant change&quot;, be &quot;a paradigm=
 shift&quot;? If not, could you propose text?</div><div><br></div><div><br>=
</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
order-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Section 3<br>
<br>
=C2=A0 =C2=A0Similarly, the authentication of the handshake depends on sign=
atures<br>
=C2=A0 =C2=A0made using SHA-1 hash or a not stronger concatenation of MD-5 =
and<br>
=C2=A0 =C2=A0SHA-1 hashes, allowing the attacker to impersonate a server wh=
en it<br>
=C2=A0 =C2=A0is able to break the severely weakened SHA-1 hash.<br>
<br>
My recollection of the WG discussions (which I will go review) is that<br>
we don&#39;t really have consensus on the &quot;not stronger&quot; portion =
of this.<br>
Is that a key component of the document here?=C2=A0 (N.B. this is *not* an<=
br>
invitation to rehash that discussion again!=C2=A0 The chairs or I can provi=
de<br>
a summary of points not resolved by previous discussion and points<br>
believed to be adequately agreed upon, which would be a trigger for any<br>
additional discussion that might be needed.)<br></blockquote><div><br></div=
><div>Since you are already looking at the consensus of this with the chair=
s, we can wait for your guidance.</div><div><br></div><div>Best regards,</d=
iv><div>Kathleen=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"marg=
in:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1e=
x">
<br>
Thanks for putting this document together (I know that getting all the long=
<br>
list of references/updates/etc. right is really tedious and frustrating),<b=
r>
and sorry to have been sitting on it for so long.<br>
<br>
-Ben<br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature"><div dir=3D"ltr"><br><div>Best regards,</div><di=
v>Kathleen</div></div></div></div>

--000000000000938306059738b016--