IETF Logo Mail Archive

Re: [TLS] Draft TLS Extension for Path Validation

Ashley Kopman <akopman@conceptsbeyond.com> Tue, 31 May 2022 16:32 UTC

Return-Path: <akopman@conceptsbeyond.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 545AFC14792E for <tls@ietfa.amsl.com>; Tue, 31 May 2022 09:32:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conceptsbeyond-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gBqtTvkkF8wG for <tls@ietfa.amsl.com>; Tue, 31 May 2022 09:32:22 -0700 (PDT)
Received: from mail-vs1-xe29.google.com (mail-vs1-xe29.google.com [IPv6:2607:f8b0:4864:20::e29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E30C14CF00 for <tls@ietf.org>; Tue, 31 May 2022 09:32:22 -0700 (PDT)
Received: by mail-vs1-xe29.google.com with SMTP id m2so14117177vsr.8 for <tls@ietf.org>; Tue, 31 May 2022 09:32:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conceptsbeyond-com.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=0xCStOoj61fu7tYzwHs/eYGf4uxW6A7X8akpLvS75y0=; b=ITorCLIn0kLiRTR34gBTOlpRBgL4RXxlCEC0+QTdcBEm2v8/9N9wwnhgeyhECPEJL/ hI9geIeIFYbAoXVwqD/dZYvJatvbOm1NIiazstffbpxK95tZZWB3azROc/8mtL23jhlo xqACpLgGEqrhtyFBrVMW288+d7WZ3q4sK7222bUaL1HOF1BJoqwB6HvpX2aA4hGEUbqD sWm6n/8RgqhCTL5oo69/tJZ/sfVMugXsa7ApUcP+3RCf+hbFdw/UWJ5eeB5NfQWplUCO IXKNMK8rysomuhex5FXIaUeuGEXL4wv9Ud5xzsgMlat9dOHP1TVNTk4/4VsQAV1Orrwk g1Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=0xCStOoj61fu7tYzwHs/eYGf4uxW6A7X8akpLvS75y0=; b=OxyCajIIztG0tQ+cqzmb5atOczXXpSX+UCrV8YLTxsGAPPkNYV/zt7Vb83HuWmetng DyewObkBgkhHNPDz0iqzHRSG7UEOXADwTT8AsrofDGeh8q/aSikCT2A/0F8QYk0mNJep C93RtlT1wCyLlaDmZd18VzzyLmbt8umhdlCRZ4DMBmIDhR14Ayxb5d2a1pyUB8Co9aBA p/L1VaNDdNNboEkk2QEwTE0MxWzLT2t9UixJdg4H0fhYdFGJN0ij9JabUC4pDeYm9MUt 98xY5HtjJ3hLrBlJFVW5RMRR2V03EKt+PhkvZoMRBfLXgu5uDIayw+O1wVF7JX8mt+WJ sdGg==
X-Gm-Message-State: AOAM531jhhsyPi6UXTZmis5rQh1RgUhBDN0ggshR2tx/ZjVcjjCLIcFP MmrGbJb76MmLFcOVvIbRACdWVJmRJqYE3A==
X-Google-Smtp-Source: ABdhPJx7qhTn0pH1qyDXk9cVYxTfJx5DI25j0HHgHNy7DEOIklGNqvTiyDSXVtoYtoNCRk9FvDojLQ==
X-Received: by 2002:a05:6102:512c:b0:337:d190:38db with SMTP id bm44-20020a056102512c00b00337d19038dbmr16049356vsb.39.1654014740353; Tue, 31 May 2022 09:32:20 -0700 (PDT)
Received: from smtpclient.apple (071-047-208-038.res.spectrum.com. [71.47.208.38]) by smtp.gmail.com with ESMTPSA id m128-20020a1fa386000000b0034e6f1fd049sm1726317vke.19.2022.05.31.09.32.19 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 May 2022 09:32:20 -0700 (PDT)
From: Ashley Kopman <akopman@conceptsbeyond.com>
Message-Id: <D059D3F1-C069-4C68-AEA3-EA4FA8429BFC@conceptsbeyond.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3D6D4C5A-1237-47B1-A1E4-62C2E7CE63F9"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 31 May 2022 12:32:18 -0400
In-Reply-To: <CABcZeBOeWpqR2pRiidKw2-jBw+vpXBtXF82irG1tJ64ACz711w@mail.gmail.com>
Cc: Robert Moskowitz <rgm-sec@htt-consult.com>, "<tls@ietf.org>" <tls@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <2790C640-0841-43BC-94CA-0890ECEA672A@conceptsbeyond.com> <Yo50IQhyJM/VABlL@LK-Perkele-VII2.locald> <3107A6D9-BF01-48D7-9626-4E6C00A4E1A6@conceptsbeyond.com> <CA+n4P2oNax-=SBharnuxuY99C6RTgOQyi3tABEbZgkRnAVybew@mail.gmail.com> <3852275a-f319-352a-98b4-9ff1c3ae5de9@htt-consult.com> <CABcZeBOeWpqR2pRiidKw2-jBw+vpXBtXF82irG1tJ64ACz711w@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SgY1OVrCTVeljkTQXM5RakBqd3U>
Subject: Re: [TLS] Draft TLS Extension for Path Validation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2022 16:32:26 -0000

Eric,

Thank you for your comments.

My initial concern with limiting this to (D)TLS 1.3 was that the DTLS 1.3 RFC has just been released and support is not yet widely available. However, our use case is for civil aviation and it will take time for the community begin using it. By that time there should be sufficient support for DTLS 1.3. I believe it is possible to limit this to (D)TLS 1.3. I will make the update to the draft.

Thank you,

Ashley


> On May 28, 2022, at 5:27 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> I took a quick look at this draft. A few comments follow.
> 
> 
> VENUE
> The correct venue for this work is the TLS WG. This is a relatively
> straightforward piece of work that is clearly within the TLS WG's
> charter scope ("This includes extensions or changes that help
> protocols better use TLS as an authenticated key exchange protocol").
> To that end, I don't think we need a BOF or SECDISPATCH. I would
> encourage you to ask for TLS WG time in PHL.
>  
> 
> TECHNICAL
> In general, we are trying to avoid extending (D)TLS 1.2, so it would
> be good if we could limit this to (D)TLS 1.3. Is that possible?
> 
> I realize that the certificate_status message extension includes a new
> message, but I think that's proven to be kind of an anti-pattern.
> If you are going to put this in (D)TLS 1.2, I would just put it in
> a ServerHello extension, which more closely parallels (D)TLS 1.3.
> 
> If you use extensions, then you can register them with Specification
> Required, which would allow you to publish in the Independent Stream
> (or some other venue) to register the code points should the TLS
> WG choose not to take up this work.
> 
> -Ekr
> 
> 
> 
> On Thu, May 26, 2022 at 4:53 PM Robert Moskowitz <rgm-sec@htt-consult.com <mailto:rgm-sec@htt-consult.com>> wrote:
> This is the Aviation use case I mentioned in earlier mails.
> 
> I will be submitting a BOF request tomorrow, performa.
> 
> Of course it is for the ADs to decide if this is a standalone BOF or a 20min slot in SECDISPATCH.
> 
> How much time people want to discuss it is in large measure related to the discussion we engender here.
> 
> Thank you for your attention.  And thank you for reviewing and making this a solid design that we can get deployed for avaiation Air-to-ground and any similar use case.
> 
> Bob
> 
> On 5/26/22 19:43, Ashley Kopman wrote:
>> 
>> The use case for the D(TLS) Path Validation extension in civil aviation has been submitted https://www.ietf.org/archive/id/draft-segers-tls-cert-val-ext-use-case-00.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-val-ext-use-case-00.txt> there is also referenced slide deck available http://conceptsbeyond.com/resources/SCVPValidationRequest_UseCase_CB.pdf <http://conceptsbeyond.com/resources/SCVPValidationRequest_UseCase_CB.pdf>
>> 
>> Thank you,
>> Ashley Kopman
>> 
>>> On May 26, 2022, at 8:36 AM, Ashley Kopman <akopman@conceptsbeyond.com <mailto:akopman@conceptsbeyond.com>> wrote:
>>> 
>>> Ilari,
>>> 
>>> Thank you for your feedback.
>>> 
>>> You are correct in assuming that this was designed after the OCSP status_request extension. It is a valid point that the extension can likely be omitted from the server hello. The intent was to communicate to the client that the server supports the extension and will respond with the path validation information. However, since it is allowed for the server to respond with the extension and then not supply the path validation, it is not very useful overhead. I will remove the extension from the server hello.
>>> 
>>> You are also correct that sending the certificate chain becomes unnecessary. It was my intent to communicate that, but looking back at the draft, I don’t think I made it clear. I will add it.
>>> 
>>> Thank you,
>>> 
>>> Ashley
>>> 
>>> 
>>>> On May 25, 2022, at 2:23 PM, Ilari Liusvaara <ilariliusvaara@welho.com <mailto:ilariliusvaara@welho.com>> wrote:
>>>> 
>>>> On Wed, May 25, 2022 at 12:40:13PM -0400, Ashley Kopman wrote:
>>>>> Hi TLS,
>>>>> 
>>>>> I have just submitted a draft TLS Extension for Path Validation 
>>>>> https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt> <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt>>
>>>>> 
>>>>> The proposal is for a Path Validation Extension to provide a new
>>>>> protocol for TLS/DTLS allowing inclusion of certificate path
>>>>> validation information in the TLS/DTLS handshake. Specifically, it
>>>>> covers the use of Server-based Certificate Validation Protocol
>>>>> (SCVP) for path validation.
>>>> 
>>>> Looking at how this is integrated to (D)TLS:
>>>> 
>>>> 
>>>> For (D)TLS 1.2, the server extension does not seem to be technically
>>>> necressary, and omitting it could simplify things. Yes, this design
>>>> is the same as one used for OCSP stapling (status_request), but I
>>>> found the server hello extension in OCSP to be seemingly unnecressary
>>>> extra complexity.
>>>> 
>>>> For (D)TLS 1.3, why there are seemingly two server extensions, one in
>>>> server hello, which is usually only used for low-level crypto stuff,
>>>> which this is not, and another in certificate message (which makes
>>>> sense for certificate-related thing.
>>>> 
>>>> 
>>>> And this is maybe a stupid question, but I didn't find an answer by
>>>> quickly looking at the draft nor the SCVP RFC, does the server need to
>>>> send the certificate chain to the client if it sends the SCVP response,
>>>> or just the end-entity certificate? Omitting the chain could save
>>>> quite a bit of handshake size.
>>>> 
>>>> 
>>>> 
>>>> -Ilari
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org <mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email