Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (abridged)

Dave Garrett <davemgarrett@gmail.com> Wed, 15 July 2015 16:27 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Wed, 15 Jul 2015 12:27:27 -0400
References: <20150715141523.GA13669@LK-Perkele-VII>
In-Reply-To: <20150715141523.GA13669@LK-Perkele-VII>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Sh3m1BsEqP7ZYvErN4J5n1Ti8YI>
Subject: Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (abridged)

On Wednesday, July 15, 2015 10:15:23 am Ilari Liusvaara wrote:
> Let's review: draft-ietf-tls-tls13-07

Eric obviously does all the heavy lifting here, but I can reply to a
few bits in the areas I've touched.

> (Note: I omitted some stuff I saw recently discussed (e.g. pruning
> unused crypto algorithms) or I remember discussed. I didn't explicitly
> check issue list when doing this).

Some of these already do have issues/PRs so I'll cite them here along
with the bits I have fixed in my WIP branch for the discussions we've
been having about alerts and certs.

I have quite a few PRs pending review by ekr at the moment. Note that
PR 195 is under my name, but is mostly Sean Turner's commits. It's large
and was bitrotted severely over time, so ekr and I had to clean it up.
(The original is PR 152 with bits from 150.)

> > Header
> 
> Isn't 4346 already obsoleted by 5246, which this document also obsoletes?
> 
> 4366 seems to be jointly obsoleted by 5246 and 6066.
> 
> 5246 and 5077 are not in numerical order, whereas the rest are.

I have a pending PR that fixes this:
https://github.com/tlswg/tls13-spec/pull/198/files

> > 1.2. (Major Differences from TLS 1.2)
> 
> Is this meant to be changelog or list of changes? It in current form
> looks more like a changelog.

It is just a changelog for now. Will definitely need to be replaced by a
summary for final RFC.

> > 5.2.2. (Record Payload Protection)
> 
> There looks to be latter limits that restrict ciphertext size to 2^14
> +1024, which is smaller than 2^14+2048 here (but those limits might be
> tightened further).
> 
> As for amount of expansion needed for length-hiding, I think that being
> able to represent 16384-byte record with no padding would be enough
> (since record sizes cap at 16384 bytes anyway).

https://github.com/tlswg/tls13-spec/issues/55

> I don't think client extensions are optional anymore in TLS 1.3 (being
> required for successful handshake).

I'll address this in my WIP branch for changes we've been discussing on-list.

> > 6.3.1.2. (Server Hello)
> 
> Well, at least it wouldn't be backward compatibility hazard to remove
> session_id_len, since it comes after server version.

There's a comment in there from ekr asking if we should remove. The answer
is a clear yes, seeing as backwards compatibility is already gone here.

https://tools.ietf.org/html/rfc5246#section-7.4.1.3

The compression field was already dropped, so there's no point in having a
placeholder for this unless a new placeholder is added for that too.

This message does not need to maintain backwards compatibility, though.
It can never be sent to a pre-TLS 1.3 client, as the client has to offer 1.3+
for the server to negotiate it. A note that this structure has changed since
1.2 is probably warranted for servers that want to also know how to send
a proper one for backwards compatibility, but modifying it here isn't helpful.

> > 6.3.1.4. (Hello Extensions)

> Some candidates:
> - truncated_hmac: Block modes have been removed.
[...]
> - renegotiation_info: The renego bug is fixed anyway.

I have bits for both of these on my WIP branch. (not in any of my PRs pending
ekr's review, yet)

> > 6.3.1.5.5. (Early Data Indication)
> 
> s/MUST not/MUST NOT/ in description of early_data with client auth?

I fixed that in my WIP for all the alert and certs changes we've been
discussing on list.

> > A.4. (The Cipher Suite)
> 
> Probably remove note about 001C and 001D, since lots of ciphersuites are
> now reserved to avoid collisions with old ones.

I have a pending PR that updates the whole section.
This bit is already dropped.

https://github.com/tlswg/tls13-spec/pull/180/files

> > C.1. (Random Number Generation and Seeding)
> 
> Replace SHA-1 with SHA-256?

Done in my WIP along with the rest of the SHA-1 deprecation,
as was discussed very recently.

Dave