IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-exported-authenticator questions

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 22 July 2017 05:35 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0A681294A2 for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 22:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AcjivgqAIykp for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 22:35:00 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id A191E126D85 for <tls@ietf.org>; Fri, 21 Jul 2017 22:35:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 1FDC139E4E; Sat, 22 Jul 2017 08:34:59 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id Idfy8uF-dVvc; Sat, 22 Jul 2017 08:34:58 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id D412D2313; Sat, 22 Jul 2017 08:34:54 +0300 (EEST)
Date: Sat, 22 Jul 2017 08:34:54 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Benjamin Kaduk <bkaduk@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170722053454.5tvj52zpknbq2bqr@LK-Perkele-VII>
References: <D6717B12-60FE-4E08-812E-4C5FB1B908F6@sn3rd.com> <20170720070217.xvwmrd3ootvjr2fu@LK-Perkele-VII> <bfe006b2-681c-e766-4df6-2adf503b4a73@akamai.com> <CACsn0c=LP33E+1B5ZhAFGMq7aSW=LjdTTmu0j8oekcrxkvYwuw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACsn0c=LP33E+1B5ZhAFGMq7aSW=LjdTTmu0j8oekcrxkvYwuw@mail.gmail.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SIiNGuatE10sh4IZSN1XUA6o82k>
Subject: Re: [TLS] draft-ietf-tls-exported-authenticator questions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jul 2017 05:35:03 -0000

On Fri, Jul 21, 2017 at 10:17:08PM -0700, Watson Ladd wrote:
> On Fri, Jul 21, 2017 at 12:55 PM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
> > Unrelated to Ilari's questions, I wonder if we want to say anything about
> > certificate_request_context values being unique across both in-TLS
> > post-handshake auth and exported authenticators.
> 
> This context is not a security sensitive thing: it is for disambiguation.

I'm not so sure about that.

If crc is repeated within a connection, then the old certificate
message can be replayed.

If crc is guessed, then reply can be pregenerated anytime during
connection.

However, neither seems crticial, but might be of magnitude to note.


-Ilari

v2.23.0 | Report a Bug | By Email