[TLS] Comments on PR #95
Watson Ladd <watsonbladd@gmail.com> Wed, 24 December 2014 21:21 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 912941A1AF0 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 13:21:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VU67i7UV8eDi for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 13:21:00 -0800 (PST)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B0FC1A1AE3 for <tls@ietf.org>; Wed, 24 Dec 2014 13:21:00 -0800 (PST)
Received: by mail-yk0-f182.google.com with SMTP id 131so4161508ykp.13 for <tls@ietf.org>; Wed, 24 Dec 2014 13:20:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=pQR3Gdf/8m2uzCRCOU7sthCNOlLBg4ioF2LAEha/9rI=; b=tXeambh6gidQq7RX6iSnQBKK+A6pAEhSLLC4J6v3lNgpY0SMFXx54pH/28Q9EzK8pr tox2pDZHobYdjQ10HHYxyLTKR2ex2I+ZFvuaaFyVRkPi7U3cGbQNGdxp/fVOMNpMrNzR t1DRej3hfzWjG4NRXTM6eI12uTqim0nFwXQB8uO1OvmB4cHseLQ3XU0ijC9hXy9k1LeW 7p7fPYJ6mHrI/mCNgsC/oCjhnVFOyGFbM6wOBShKrcMmzoULM/yMFn9gYgukDd+4NCrM QiQyLVrOIF4uI/3fS1WFoq5gf4MWt3uKKWasC9Gb0ymQGBS9fqwOFwqLtSN37EypW/dg zCPQ==
MIME-Version: 1.0
X-Received: by 10.170.91.194 with SMTP id i185mr1575046yka.20.1419456059423; Wed, 24 Dec 2014 13:20:59 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Wed, 24 Dec 2014 13:20:59 -0800 (PST)
Date: Wed, 24 Dec 2014 16:20:59 -0500
Message-ID: <CACsn0cndXFXgnvE36JsaaNafRpcWvGh0B_P1iZieAZbAeNzwvQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/SZ56IUCdQ8mbCXgoa7jow8KGysg
Subject: [TLS] Comments on PR #95
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 21:21:02 -0000
Dear all, I've read PR #95 with a critical eye, and in addition to some infelicities of the text, see some more substantial issues. This email is my notes in the order they occurred to me: not necessarily correlated with severity. I've tried to triage them, but may have done so inaccurately. Most of these are editorial in nature. Line 291: we're citing DSA. old text. More broadly, applications don't care how we provide what we provide: they care about the end goals. At some point this should be revised accordingly. Line 418: Security means what exactly? Line 437-453: this needs to be rewritten. Why are we talking about SSL v3, when any similarity is like that of a whale to a platypus? Line 743: I'm confused by the comment on how one finds the length of the signature data: it seems to be sent on the wire, but the document says " The length of the signature is known because the algorithm and key used for the signing are known prior to encoding or decoding this structure.", which is a different method. I recommend removing that last sentence: the parser should parse with as little input as possible from above. Line 836: 800 lines in, and we've gotten about nowhere: defined a PRF, and a representation format. Now we hear that TLS doesn't provide some security properties, but we don't know what those are. A succinct, correct description should appear at the beginning and again in the security considerations section. Line 1015: Zero-length fragments of application data as traffic analysis countermeasure? I think this was written when padding between the fragment and record layers existed, and I'll have to check how this was supposed to work. As it stands, I've not yet gotten to a description of the record layer at the time I read this. Lines 1066-1072: We've got a perfectly good nonce in the sequence number. Why not use that? Oh right, hysterical raisins. Line 1119: Open issue #5. I've got to think about this one. Likely as not this will be a very complicated change, that makes TLS 1.3 a lot harder to implement. Line 1190: More forward references to resumption. Note that authentication status isn't defined as part of what gets resumed. I believe, but am not sure, that this was part of what made the SSL v3 multihoming fallback attack work. Line 1439: Finally, the handshake protocol. In this description there are a ton of forward references, that make understanding this a bit tricky. What's an Encrypted Extensions method, on line 1505? While the earlier description of the Alert protocol was by type of message, this overview is chronological. Line 1623: We're getting to the beef. But the reader already knows this: no need to reintroduce the handshake protocol. Line 1763: It's not clear what servers have to do, or not do, to deal with stolen session IDs. They need to not "breach security", whatever that means. Line 1863: Previously, hello extensions were relegated to a different document. Now they are needed for backwards compatibility. Line 1912: Was anyone using SRP? The more generic we have to make TLS 1.3, and the more we have to shoehorn in, the more complex it gets. This open issue could get hairy. Line 2199: Mandating the presence of the signature_algorithms extension would simplify things considerably. There are a bunch of open issues in the description of the handshake protocol, and some warts. I haven't thought about provability yet. Line 2995: A TODO DTLS, probably related to the possibility of the Update message being lost. I don't remember how DTLS deals with this in the handshake, but there data is not being sent with the new keys before the other side acknowledges receipt. Will think about it. Does ignoring an update still update the record layer? There does not seem to be a way to request a certificate in the update protocol. Line 3151: AES-GCM or AES-CCM seem the logical options here. Line 3165: This doesn't seem to be a very fleshed out security considerations section. Line 3606: Do we need the glossary? The implementation notes needs a substantial amount of work. The advice on random number generation is vintage 90's. The discussion of certificate checks could be substantially expanded. A lot of attacks that have been used in the wild are not discussed here. Line 4015: SSL v2? Really? Line 4034: This is not a security analysis. http://eprint.iacr.org/2014/182.pdf is a security analysis. It would be much more helpful if this was significantly edited: there is some valuable information in here, but much of it is misleading. Line 4185: This reads a bit strangely with things like DANE. Yes, I don't think DNSSEC has adequate security, and it's worth noting that CAs can be a problem. I think it's worth telling implementors to study the lessons of attacks in the past. This version of the draft is very clearly a work in progress. 0-RTT was introduced in a different pull-request, and I've not given it a hard look. Sincerely, Watson Ladd
- [TLS] Comments on PR #95 Watson Ladd
- Re: [TLS] Comments on PR #95 Eric Rescorla
- Re: [TLS] Comments on PR #95 Eric Rescorla
- Re: [TLS] Comments on PR #95 Watson Ladd
- Re: [TLS] Comments on PR #95 Eric Rescorla
- Re: [TLS] Comments on PR #95 Tom Wu
- Re: [TLS] Comments on PR #95 Ilari Liusvaara
- Re: [TLS] Comments on PR #95 Watson Ladd