Re: [TLS] WGLC for draft-ietf-tls-cached-info-19
Martin Thomson <martin.thomson@gmail.com> Thu, 06 August 2015 20:33 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3D51A00C8 for <tls@ietfa.amsl.com>; Thu, 6 Aug 2015 13:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSzohNQmnXsZ for <tls@ietfa.amsl.com>; Thu, 6 Aug 2015 13:33:53 -0700 (PDT)
Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F86E1A001A for <tls@ietf.org>; Thu, 6 Aug 2015 13:33:53 -0700 (PDT)
Received: by lbbpu9 with SMTP id pu9so22221348lbb.3 for <tls@ietf.org>; Thu, 06 Aug 2015 13:33:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rMh2BPeC695DaSKJk2t4uLrWlEvhq5UEoD2TuEz7ItQ=; b=QnMxikVOijm+pOlp+y+GghxsX8J0gwoVuvSOE/5bNHPbtTddWY5n/NjVoCGjQmljyz YEi8a+dZ83x+81UoGv11E8bjon3j61WW2XRaoxUG7Jl1ohVAHuu29j5tpZ3Vl6vkyZOl dxHoHv2vffGm2GL9Au8PRp0QwaWESdNOSqKC+y8PbKRoAPlZVTKxAkdQydfDiQ+y6ctq w4N0OzFAZteNQsCu1y4EZRDMp1Uf4rnAUYhdu6nHJkaQPEh+pA2YVw7R3WjrsjfyPdu2 USQH3U1JW4qJoIjbRjo+TWZ+Z9UzSI0UsNpgP3wlpmJagRxX0FKxXOi6KWQSQlRsl09A Aaog==
MIME-Version: 1.0
X-Received: by 10.152.121.4 with SMTP id lg4mr4178541lab.112.1438893231800; Thu, 06 Aug 2015 13:33:51 -0700 (PDT)
Received: by 10.25.197.87 with HTTP; Thu, 6 Aug 2015 13:33:51 -0700 (PDT)
In-Reply-To: <CAOgPGoBivgXGKpZH=4mSkrVaKyg9YPi05rphs3VOcvuiFfPzrg@mail.gmail.com>
References: <CAOgPGoBivgXGKpZH=4mSkrVaKyg9YPi05rphs3VOcvuiFfPzrg@mail.gmail.com>
Date: Thu, 06 Aug 2015 13:33:51 -0700
Message-ID: <CABkgnnU++z-r3m2p-+k-6i8BwE5o9wXULS0RVJfCG1+nmkY13Q@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QsDAPtcJQ8aLlLBRH0iZguB5Oqo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cached-info-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 20:33:55 -0000
I've read this draft before, but this is considerably different to what I read, and I haven't been following the discussion, so consider this as a review with fresh eyes. First the high points. I think that this is useful, the right scope, and reasonably well formulated. I have a couple of minor points Figure 2 is in error: it shows CertificateRequest instead of Certificate. I'd like to see the document explicitly note that msg_type and length from the handshake message are not covered by the hash. The description of what is covered is a little too terse (and badly formatted). I'm not sure that I like the lack of both negotiation and signaling for the hashes that are used here. Though I think the chances of a collision being found, or that a collision would lead to an attack, are slim, I would rather see this use the PRF hash so we have at least that much flexibility. If the current design is retained, I would like to see a little discussion of this in the document. A little analysis of the properties we expect the hash to provide would also be good. I think that truncated hashes might be advantageous from the server side. Given that the server only uses hashes to identify which of the offered (available, known?) cached information is in use, is there any reason you can't save additional space by arbitrarily truncating the hash? In many cases I would imagine that the client would be offering only one option and even if there were a small number of options presented, a single byte would suffice to disambiguate. I'm trying to think why you might want the full-length hash on the client side, but I believe that the only problem there is that there might be a collision between the certificates that a server might offer if you truncate too aggressively. The connection still relies on the server presenting proof of knowledge of a key that the client extracts from a certificate bound to the server identity, so I believe that it would be equally secure if you removed all mention of certificates from the protocol. And that makes me nervous, because I'm fairly sure that Karthik will tell me that I'm wrong very shortly; since we've put in a lot of work to cover key fields in the handshake hash, and I'm concerned that this could be exploited somehow. The more I think about this, the more I think that we need a little more analysis on this point (i.e., what properties the hash function needs to provide and why). If it has already happened, mention of that in the security considerations is needed. (I think that truncation on the server side is safe if the client uses a strong hash function to identify the certificate, but I'm frequently wrong about these things.) On 6 August 2015 at 10:24, Joseph Salowey <joe@salowey.net> wrote: > Hi Folks, > > This is the Working Group last call for draft-ietf-tls-cached-info-19. This > document has undergone modification since last WGLC so another WGLC is > appropriate. This document is a dependency for the DICE working group > TLS/DTLS profile. Please send your comments to the TLS list by September 2, > 2015. > > Thanks, > > J&S > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] WGLC for draft-ietf-tls-cached-info-19 Joseph Salowey
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Hannes Tschofenig
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Hannes Tschofenig
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Sankalp Bagaria
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Karthikeyan Bhargavan
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson