Re: [TLS] WGLC: draft-ietf-tls-tls13-19
Eric Rescorla <ekr@rtfm.com> Tue, 11 April 2017 17:33 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05E10129584 for <tls@ietfa.amsl.com>; Tue, 11 Apr 2017 10:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rr4-UIfmd9rS for <tls@ietfa.amsl.com>; Tue, 11 Apr 2017 10:32:59 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56217128D69 for <tls@ietf.org>; Tue, 11 Apr 2017 10:32:59 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id l189so1896203ywb.0 for <tls@ietf.org>; Tue, 11 Apr 2017 10:32:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rYcpP+yp1bXWaBfjV/heJu4qo0zynPTlK8qEzdFFJv8=; b=lsc8cH/UFaiwquoL9NsUTnrERQp4o9lI76UjeTyD77tc+pktQNVIbLw5tWOMICfAnE Jp6J1zXJbFFT8mq8THlBDQvCqxn/jwCxoNxvqg+yIzwXfuC4nVpbksS3+qHQQNFTPYDV 6sk2rJ7hOme3x2Nt/J2XUgIjCgLofOgUwiB4/ZXRVVrKQCMl54zYMrt13fMAn4OgGz4Q q3hmtUObzoC4gYriVqRHG9uUNiApVwOv0Umg73ykAyq/Ul4+t+Sl2vViJhjGueZcmXSh DEdDdhYDrgQduPS8FSoKpbO8fwi6EO78ICvLUOhBA22pO1jnrP3t1hGzQnx8aUbt8MM1 9TSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rYcpP+yp1bXWaBfjV/heJu4qo0zynPTlK8qEzdFFJv8=; b=ZA9HTQC3ebHn65w2TLM+YjZNOxG6VnqEOozm13r2U78TKo7eN/8tpiPpEZK4SiEa3E aOXUA/JDZdAtAxEjLEwFow4A5oe3QIT67r41Xe2sRIlqGMDu0c04aBpXhoKkmVk8jqRX GRFDL/YIlzMaDhHsflnDfDINkGac6h7pI2XN/Q7bEAXErUZ7SKh7Cm321tTHg2bEIBG2 0Cm3Y2F5XCTPkVTtpFJ645FIDSZsDQnkNq+u+qB7Z5griE/LAL9wIiTRqfOHCboR3k3V Kav2VwrhUxPxisCxZv631s+WBmlUF7zbUyZWWpHjMEE7lowhKgiM/h02gtfp1kMKiPUw sYYA==
X-Gm-Message-State: AN3rC/5PmwzhX2ScTFOOyGZhtWnkKCRnuruw08PSqIQLH2PSAsGIdIDXkXYbmVXAVGBPOAesq2eDDMaOk3iTuA==
X-Received: by 10.13.203.73 with SMTP id n70mr8177562ywd.71.1491931978492; Tue, 11 Apr 2017 10:32:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Tue, 11 Apr 2017 10:32:17 -0700 (PDT)
In-Reply-To: <228B1CCF-088B-4F4C-B2FD-A20036B9224A@akamai.com>
References: <025D3ABD-199F-421A-9265-6F960135A3B7@sn3rd.com> <228B1CCF-088B-4F4C-B2FD-A20036B9224A@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 11 Apr 2017 10:32:17 -0700
Message-ID: <CABcZeBPrLWoZkj176boM9mnqNL9GAPFNyyRxBazM-arNo1F=DA@mail.gmail.com>
To: "Kaduk, Ben" <bkaduk@akamai.com>
Cc: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114fd3d69b8fa5054ce77bbe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QMa0JtDL_uoXv9ITi7EQXx4GR8A>
Subject: Re: [TLS] WGLC: draft-ietf-tls-tls13-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Apr 2017 17:33:03 -0000
> It was already mentioned that the “major differences from TLS 1.2”
> section should not be a changelog, but I agree with that.
Yes, this is on my plate.
> Should Figure 4 (“message flow for a zero round trip handshake”)
> include a “+ early_data” for the server’s flight? (The legend for
> Figure 4 also lacks the explanation for the ‘+’ symbol.)
I see you fixed this.
> The language on page 30 is perhaps unclear:
>
> Because TLS 1.3 forbids renegotiation, if a server receives a
> ClientHello at any other time, it MUST terminate the connection.
>
> Is that any TLS server, or just one that has negotiated and is using
> TLS 1.3?
The latter. Adjusted.
> In the description of legacy_compression_methods on page 31, we make
> restrictions on “every TLS 1.3 ClientHello”, but do not say how such
> things are identified. (Hmm, maybe we also do so elsewhere in the
> document, too, now that I search for where) we explicitly define what
> a client “considered to be attempting to negotiate using this
> specification (i.e., a TLS 1.3 ClientHEello) on page 87, as
> supported_versions including 1.3. Which, is maybe not the most
> future-proof thing.
I think I feel OK about this.
> The description of version negotiation (to populate
> ServerHello.version) on page 32 seems to leave undefined what the
> server should do when receiving a ClientHello that does not contain a
> supported_versions extension. (Also, I don’t think
> “ClientHello.supported_versions extension” is a well-defined syntax.)
I think this clear in the section on Supported Versions.
> When covering the server_random version downgrade sentinels, we do not
> mention what is to be done when downgrading to TLS 1.0, which I
> thought was still a permitted version by this spec.
Interesting point. I'm trying to remember why we did things this way.
I am tempted to just say "1.1 or 1.0". Thoughts?
> It’s a little odd that we list in enum ExtensionType on page 35 a
> strict subset of the extensions enumerated in the table on the
> following pages.
This got fixed in PR#936.
> Do we want to add some commentary about the extant SHA1 collisions
> when we say that {rsa_pkcs1,dsa,ecdsa}_sha1 are only SHOULD NOT?
Nah.
> I’ll note that we define 256 private use ECDHE group code points but
> only four such FFDHE group code points. Probably fine, but a bit
> surprising.
Too late now!!
> Should we forbid duplicate entries in
> PreSharedKeyExtension.identities?
I don't think that's necessary.
> Conversely, we might want to explicitly say that duplicate
> OIDFilter.certificate_extension_oid fields should be expected in
> OIDFilterExtensions, to enable the case where multiple values must be
> present. Or is that supposed to work by concatenating(?) the multiple
> values’ DER encodings in the certificate_extension_values field?
Yeah, I read this text as saying that those all go in the same
DER, not that there can be multiple copies
> I’ll call out for Russ’s attention at the end of Section 4.4.3 where
> we say that “implementations MUST NOT combine external PSKs with
> certificate-based authentication.” Is there any reason not to qualify
> that as some sort of “don’t’ do it until it’s defined”?
I'm actually going to move and modify this section per your issue #935.
> Should Alert.level be Alert.legacy_level?
i think we went over this and decided not to.
> Appendix B has a claim that “values listed as _RESERVED were used in
> previous versions of TLS and are listed here for completeness”, though
> that is not exactly true, e.g., for ContentType.invalid_RESERVED(0)
I see you fixed this as well.
> Section C.3 notes that “Certificates should always be verified to
> ensure proper signing by a trusted Certificate Authority”, which does
> not use RFC 2119 language, but might be seen as in conflict with
> opportunistic encryption in some circumstances. I don’t object to
> this text, but it seems worth mentioning.
I think the "Absent a specific..."
> Page 113 still has the “[[NOTE: TLS 1.3 needs a new channel binding
> definition that has not yet been defined.]]”, which should not make it
> into the final spec!
Fixed.
On Mon, Mar 27, 2017 at 11:23 PM, Kaduk, Ben <bkaduk@akamai.com> wrote:
> On 3/13/17, 12:30, "Sean Turner" <sean@sn3rd.com> wrote:
>
> This is a working group last call announcement for
> draft-ietf-tls-tls13-19, to run through March 27. Please send your reviews
> to the list as soon as possible so we can prepare for any discussion of
> open issues at IETF 98 in Chicago.
>
> As the price of running the WGLC right during the meeting lead-up, my
> review comes in at the last minute.
>
> Generally, it is in good shape. I think I still owe some text about what
> we aim for and expect to achieve with respect to side channel resistance,
> though at this point it may be too late to get that text in :(
>
> The following is basically a laundry list of the minor issues; I will send
> editorial notes under separate cover, probably as a pull request.
>
> It was already mentioned that the “major differences from TLS 1.2” section
> should not be a changelog, but I agree with that.
>
> Should Figure 4 (“message flow for a zero round trip handshake”) include a
> “+ early_data” for the server’s flight? (The legend for Figure 4 also
> lacks the explanation for the ‘+’ symbol.)
>
> The language on page 30 is perhaps unclear:
>
> Because TLS 1.3 forbids renegotiation, if a server receives a
> ClientHello at any other time, it MUST terminate the connection.
>
> Is that any TLS server, or just one that has negotiated and is using TLS
> 1.3?
>
> In the description of legacy_compression_methods on page 31, we make
> restrictions on “every TLS 1.3 ClientHello”, but do not say how such things
> are identified. (Hmm, maybe we also do so elsewhere in the document, too,
> now that I search for where) we explicitly define what a client
> “considered to be attempting to negotiate using this specification (i.e., a
> TLS 1.3 ClientHEello) on page 87, as supported_versions including 1.3.
> Which, is maybe not the most future-proof thing.
>
> The description of version negotiation (to populate ServerHello.version)
> on page 32 seems to leave undefined what the server should do when
> receiving a ClientHello that does not contain a supported_versions
> extension. (Also, I don’t think “ClientHello.supported_versions
> extension” is a well-defined syntax.)
>
> When covering the server_random version downgrade sentinels, we do not
> mention what is to be done when downgrading to TLS 1.0, which I thought was
> still a permitted version by this spec.
>
> It’s a little odd that we list in enum ExtensionType on page 35 a strict
> subset of the extensions enumerated in the table on the following pages.
>
> Do we want to add some commentary about the extant SHA1 collisions when we
> say that {rsa_pkcs1,dsa,ecdsa}_sha1 are only SHOULD NOT?
>
> I’ll note that we define 256 private use ECDHE group code points but only
> four such FFDHE group code points. Probably fine, but a bit surprising.
>
> Should we forbid duplicate entries in PreSharedKeyExtension.identities?
>
> Conversely, we might want to explicitly say that duplicate
> OIDFilter.certificate_extension_oid fields should be expected in
> OIDFilterExtensions, to enable the case where multiple values must be
> present. Or is that supposed to work by concatenating(?) the multiple
> values’ DER encodings in the certificate_extension_values field?
>
> I’ll call out for Russ’s attention at the end of Section 4.4.3 where we
> say that “implementations MUST NOT combine external PSKs with
> certificate-based authentication.” Is there any reason not to qualify that
> as some sort of “don’t’ do it until it’s defined”?
>
> Should Alert.level be Alert.legacy_level?
>
> The editors copy has already removed the reference to RFC 4507, which is
> obsoleted by RFC 5077 (and was not cited anywhere, anyway).
>
> Appendix B has a claim that “values listed as _RESERVED were used in
> previous versions of TLS and are listed here for completeness”, though that
> is not exactly true, e.g., for ContentType.invalid_RESERVED(0)
>
> Section C.3 notes that “Certificates should always be verified to ensure
> proper signing by a trusted Certificate Authority”, which does not use RFC
> 2119 language, but might be seen as in conflict with opportunistic
> encryption in some circumstances. I don’t object to this text, but it
> seems worth mentioning.
>
> Page 113 still has the “[[NOTE: TLS 1.3 needs a new channel binding
> definition that has not yet been defined.]]”, which should not make it into
> the final spec!
>
> -Ben
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Benjamin Kaduk
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- [TLS] WGLC: draft-ietf-tls-tls13-19 Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Yoav Nir
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Dave Garrett
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Olivier Levillain
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Kaduk, Ben
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Dave Garrett
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Kyle Nekritz
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Olivier Levillain
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Hubert Kario
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Dr Stephen Henson
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Martin Thomson
- Re: [TLS] WGLC: draft-ietf-tls-tls13-19 Benjamin Kaduk