IETF Logo Mail Archive

Re: [TLS] New Version Notification for

Martin Rex <mrex@sap.com> Fri, 18 November 2011 21:42 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E3441F0C81 for <tls@ietfa.amsl.com>; Fri, 18 Nov 2011 13:42:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.131
X-Spam-Level:
X-Spam-Status: No, score=-10.131 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hpmSUGUM3JIe for <tls@ietfa.amsl.com>; Fri, 18 Nov 2011 13:42:05 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id C5D431F0C7D for <tls@ietf.org>; Fri, 18 Nov 2011 13:42:04 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id pAILg1dQ021862 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 18 Nov 2011 22:42:01 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201111182142.pAILg1Hd027980@fs4113.wdf.sap.corp>
To: paul@xelerance.com
Date: Fri, 18 Nov 2011 22:42:01 +0100
In-Reply-To: <alpine.DEB.2.00.1111181601190.19177@mail.xelerance.com> from "Paul Wouters" at Nov 18, 11 04:06:02 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] New Version Notification for
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2011 21:42:05 -0000

Paul Wouters wrote:
> 
> Badra wrote:
> > 
> > And how does draft-wouters-tls-oob-pubkey differ from draft-ietf-tls-cached-info-09?
> 
> cached-info still needs PKIX validation on the first run, and then
> supports caching the authentication. oob-pubkey allows for out of
> bound public key authentication with tls server suppressing the
> sending of its (often huge) unneeded PKIX chain.
> 
> This avoids conflicting information (eg between DANE and PKIX),
> removes the need for (re)generating bogus PKIX containers with
> self signed certs and dozens of subjctAltnames and enables CoAP
> devices with are lacking the resources for PKIX do engage in TLS.

I do not see this as an appropriate characterization.

The use of X.509v1 self-signed certs as public key containers is
pretty trivial and pretty common -- and it works with pretty much
all of the installed base of TLS.

A single X.509v1 self-signed cert means that there is *no* "PKIX Chain"
and it also precludes PKIX validation (which is *NOT* required by TLS, btw.).
For the servers purpose of sending it in the Certificate handshake
message it is a simple blob of a few hundred bytes, so that is the
most trivial part of the protocol.  Parsing the subject key info
from a X.509v1 cert is only marginally more difficult than parsing it
from any other public key format, and doable with a pretty small
code footprint.  You don't need PKIX to do that.


The general rule for TLS handshakes should be that a *real* negotiation
ought to be performed in a fashion that the handshake will succeed in
case there is a chance to make it succeed.  Having one peer make
optimistic false assumptions, fail the handshake and retry with a
different assumption is a defect and should *NOT* be standardized.

A TLS extension to the effect

  Client: "I assume I'm in possession of your key, don't send it"
  Server: "OK, I won't"

would seem pretty strange.

It should probably be something like:

  Client: "I assume your key is <hash-of-key>. If I'm right, you don't
           need to send it"
which may result in two possible answer:

  (A1) Server: "You're wrong.  I will send you my key."
  (A2) Server: "You're correct.  I will omit it from the handshake."

That is basically what the TLS caching extension intends to provide for
existing elements of TLS protocol PDUs (e.g. server cert chain in
the server's Certificate handshake message, certificate_authorities
in the CertificateRequest handshake message).

IMO it would be OK for any _new_ TLS extension to include caching
in order to save network bandwidth on average.


But what I seem to be hearing is "I want to not transfer this information
inside the TLS protocol at all, because parsing this data is so notoriously
difficult.  But you *MUST* have a means to convey (and therefore parse)
that data anyway, or it can not possibly work.  Why would you want to
turn in minuscule trivially solvable problem into a major and entirely
undefined problem?


-Martin

v2.23.0 | Report a Bug | By Email