Re: [TLS] Comments on draft-wood-tls-external-psk-importer-01

John Mattsson <john.mattsson@ericsson.com> Mon, 01 April 2019 21:30 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
CC: IETF TLS <TLS@ietf.org>
Date: Mon, 01 Apr 2019 21:29:53 +0000
Message-ID: <3F4ABC0C-9510-4A38-B917-04A481CC58D4@ericsson.com>
References: <89127FF7-CE3F-4DF1-98A5-B1006C5FF56B@ericsson.com> <F6ED76B5-17C1-4FBE-B6E4-B292DEA05436@vigilsec.com>
In-Reply-To: <F6ED76B5-17C1-4FBE-B6E4-B292DEA05436@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OO1TtVYJFwhg1QtELi-1FVuMix4>
Subject: Re: [TLS] Comments on draft-wood-tls-external-psk-importer-01
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

Hi Russ,

I was not talking about certificates at all. My comment was about using both external_identity and one of its derived ImportedIdentity in OfferedPsks.

draft-wood-tls-external-psk-importer-01:

      struct {
          opaque external_identity<1..2^16-1>;
          opaque label<0..2^8-1>;
          HashAlgorithm hash;
      } ImportedIdentity;


RFC 8446:

      struct {
          PskIdentity identities<7..2^16-1>;
          PskBinderEntry binders<33..2^16-1>;
      } OfferedPsks;

      struct {
          opaque identity<1..2^16-1>;
          uint32 obfuscated_ticket_age;
      } PskIdentity;

John
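
Since the question in this thread is whether a raw external_identity and an ImportedIdentity derived from it can both appear in OfferedPsks, the following Python encodes the two structs quoted above as draft-01 and RFC 8446 define them, builds an OfferedPsks that carries both identities, and shows what a server sees when it tries to tell them apart. This is an added example, not code from the draft, from RFC 8446 or from anyone in the thread. It assumes HashAlgorithm is the one-byte enum from RFC 5246 (sha256 = 4, sha384 = 5); the identity string, label, finished keys and transcript hash are constructed stand-ins rather than values derived from a real handshake.

```python
import hashlib
import hmac
import struct

# HashAlgorithm code points from RFC 5246 section 7.4.1.4.1; assumed here to be
# the one-byte enum that the draft-01 ImportedIdentity struct refers to.
HASH_SHA256 = 4
HASH_SHA384 = 5
HASH_DIGEST = {HASH_SHA256: hashlib.sha256, HASH_SHA384: hashlib.sha384}


def vec(data: bytes, len_bytes: int, lo: int, hi: int) -> bytes:
    """Encode a TLS vector opaque x<lo..hi> with a len_bytes-wide length prefix."""
    if not lo <= len(data) <= hi:
        raise ValueError(f"vector length {len(data)} outside <{lo}..{hi}>")
    return len(data).to_bytes(len_bytes, "big") + data


def read_vec(buf: bytes, pos: int, len_bytes: int, lo: int, hi: int):
    """Decode one vector at buf[pos:], returning (contents, next position)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if not lo <= n <= hi or pos + n > len(buf):
        raise ValueError(f"vector length {n} outside <{lo}..{hi}> or truncated")
    return buf[pos:pos + n], pos + n


def encode_imported_identity(external_identity: bytes, label: bytes, hash_alg: int) -> bytes:
    """draft-01 ImportedIdentity: external_identity<1..2^16-1>, label<0..2^8-1>, HashAlgorithm."""
    if hash_alg not in HASH_DIGEST:
        raise ValueError("unsupported HashAlgorithm")
    return (vec(external_identity, 2, 1, 2**16 - 1)
            + vec(label, 1, 0, 2**8 - 1)
            + bytes([hash_alg]))


def decode_imported_identity(data: bytes):
    ext, pos = read_vec(data, 0, 2, 1, 2**16 - 1)
    label, pos = read_vec(data, pos, 1, 0, 2**8 - 1)
    if pos + 1 != len(data) or data[pos] not in HASH_DIGEST:
        raise ValueError("trailing bytes or unknown HashAlgorithm")
    return ext, label, data[pos]


def encode_offered_psks(identities, binders) -> bytes:
    """RFC 8446 OfferedPsks: identities<7..2^16-1> of PskIdentity
    (identity<1..2^16-1> + uint32 obfuscated_ticket_age), binders<33..2^16-1>."""
    if len(identities) != len(binders):
        raise ValueError("one binder per identity")
    ids = b"".join(vec(ident, 2, 1, 2**16 - 1) + struct.pack(">I", age)
                   for ident, age in identities)
    bs = b"".join(vec(b, 1, 32, 255) for b in binders)
    return vec(ids, 2, 7, 2**16 - 1) + vec(bs, 2, 33, 2**16 - 1)


def decode_offered_psks(data: bytes):
    ids_blob, pos = read_vec(data, 0, 2, 7, 2**16 - 1)
    binders_blob, pos = read_vec(data, pos, 2, 33, 2**16 - 1)
    if pos != len(data):
        raise ValueError("trailing bytes after OfferedPsks")
    identities, p = [], 0
    while p < len(ids_blob):
        ident, p = read_vec(ids_blob, p, 2, 1, 2**16 - 1)
        if p + 4 > len(ids_blob):
            raise ValueError("truncated obfuscated_ticket_age")
        identities.append((ident, struct.unpack(">I", ids_blob[p:p + 4])[0]))
        p += 4
    binders, p = [], 0
    while p < len(binders_blob):
        b, p = read_vec(binders_blob, p, 1, 32, 255)
        binders.append(b)
    if len(identities) != len(binders):
        raise ValueError("identity/binder count mismatch")
    return identities, binders


def classify_identity(identity: bytes) -> str:
    """Server-side view: PskIdentity.identity is opaque and carries no type tag,
    so the only on-the-wire way to tell an ImportedIdentity from a raw
    external_identity is to try parsing it. Returns "imported" or "external"."""
    try:
        decode_imported_identity(identity)
        return "imported"
    except ValueError:
        return "external"


def build_example_offered_psks() -> bytes:
    """Offer both the raw external identity and an ImportedIdentity derived from it,
    the combination the thread asks about. All inputs are constructed."""
    ext = b"client1@example.com"
    imported = encode_imported_identity(ext, b"tls13", HASH_SHA256)
    # RFC 8446 4.2.11: externally established identities use obfuscated_ticket_age 0.
    identities = [(ext, 0), (imported, 0)]
    # A real binder is HMAC(finished_key, Transcript-Hash(partial ClientHello));
    # the keys and transcript hash below are constructed stand-ins, not derived.
    transcript_hash = hashlib.sha256(b"constructed partial ClientHello").digest()
    binders = [hmac.new(b"finished-key-" + ident, transcript_hash, hashlib.sha256).digest()
               for ident, _ in identities]
    return encode_offered_psks(identities, binders)


if __name__ == "__main__":
    blob = build_example_offered_psks()
    for ident, age in decode_offered_psks(blob)[0]:
        print(classify_identity(ident), age, ident.hex())
```

Because PskIdentity.identity is opaque, nothing on the wire marks an entry as imported: the server can only attempt to parse each identity as an ImportedIdentity, or rely on a convention agreed out of band, and a raw external_identity whose first bytes happen to form a valid length prefix would be ambiguous. That is the practical reason the draft needs to state whether the two may be mixed in one OfferedPsks.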

From: Russ Housley <housley@vigilsec.com>
Date: Monday, 1 April 2019 at 22:47
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Comments on draft-wood-tls-external-psk-importer-01

John:

The draft should make clear if the External PSK and external identity can be used together with the imported identities.

I think that draft-ietf-tls-tls13-cert-with-extern-psk would be needed with TLS 1.3 for the certificate-based authentication to be used with an external PSK.

Russ