IETF Logo Mail Archive

Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

John Mattsson <john.mattsson@ericsson.com> Fri, 05 March 2021 18:42 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E0C53A29C0 for <tls@ietfa.amsl.com>; Fri, 5 Mar 2021 10:42:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Level:
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aXotPshRwz1T for <tls@ietfa.amsl.com>; Fri, 5 Mar 2021 10:42:46 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140051.outbound.protection.outlook.com [40.107.14.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D043A29BF for <tls@ietf.org>; Fri, 5 Mar 2021 10:42:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Brp7QTJP4cCt0Bdn4cgo9JOfyJnPfow/tjI5YMJhou2I3gIDAYB09hfW6sTbN5Tgx3MxK9tLFJ+IzOr1Ekam6BhsG/MWFTl8nHmCDZlrmlUgqvYQF8Pi1YGdvaJGk2oCNm0FVDnZ2bwOXPI1/n2EU8kM1r9o4nygLCkhEO/ZKXYS565pXfsGcpkJ0DDMKXfQLdsb5+WVDWcrTQXup4Ed6I4PWZ6/D5a9k+Kck3aaYB/dUmphK0QRBkg+HkgrciKAlK7D4bbNKHX5RGi3B+MgIMThg6hFD4jiPJYFNy7EUI4D755HOtD1zv0bNBT4uVwNVkNcg5sCLo34UnAG7MI8cA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VbEoIU+TBw4JkQIKGqr86LwviAZwmbJaaYaxJ6UVehc=; b=bXpZRSWYFnujNnQSH2TXN5kLoGbYDPGJZ+TzKdGgAIlWIHcevGI6vhq5xYLOAPrHTMTBSAJLLuCKeW2Sfty1dE4ivargwL0ChWRznZ+ZpFjTDeHVN4QSB/bVeHEYnICnNPozeTBEQmCnejSFAX9KIObUf1QwtBI6HEa/YUlBXMKaIQqpba+eTRqn7Hag6+irxMwOdi/PdMdiI4Sv4yKFVeoIQ16QpEIaF9mTmQ2lIaa9UNZSTM0WaFzwBi2+g5fjIfBhGHaUTiJZch4iz6a8vmHy4X9OijCCFSAmRRcE9Jt4B5a4mCVbNobCobMCJpbXqOfFufCEhOfsZA0uL2WN4A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VbEoIU+TBw4JkQIKGqr86LwviAZwmbJaaYaxJ6UVehc=; b=WyJxgFytqqrZ98AW+YpoaCjC5ILw7b9eTO600J1B4GZPzA47pzqlai9AKzIc01BgGP+lUmxJYQflQcoHq9zAlOC0+ZYLTHdk6WQV+mqqHJlWES+qAjXxl+ajstI2VGGA7IJD9NCs5NxwCnNs0Claei0FyPyFr6uXMTFP/nuci48=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0702MB3545.eurprd07.prod.outlook.com (2603:10a6:7:83::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.9; Fri, 5 Mar 2021 18:42:40 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::69ab:83ff:dd6e:3536]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::69ab:83ff:dd6e:3536%4]) with mapi id 15.20.3912.023; Fri, 5 Mar 2021 18:42:40 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Nico Williams <nico@cryptonector.com>
CC: "Fries, Steffen" <steffen.fries@siemens.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Thread-Index: AQHXEeEgKe23eiCLoE+KwrPix1Q1lap1qA2AgAAjloA=
Date: Fri, 05 Mar 2021 18:42:40 +0000
Message-ID: <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost>
In-Reply-To: <20210305173516.GV30153@localhost>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.46.21021202
authentication-results: cryptonector.com; dkim=none (message not signed) header.d=none;cryptonector.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d1e5261c-77c2-4f20-9042-08d8e006748e
x-ms-traffictypediagnostic: HE1PR0702MB3545:
x-microsoft-antispam-prvs: <HE1PR0702MB354546FABAFC7E682D4C1DE489969@HE1PR0702MB3545.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: QMri/FFTjJ511lyWKrDNz7rPYTbs5Tt6vh7ZQlH8sLTHHvP6Pgd68DCROSxRqXXP6MHwbMEjYQIfmOjsmOx8gjD+F4k7orhg45DUsSEpVGKExpEx3nC6Zo4RlYxDIrlqUJQgYtfRYF2Pe+TbnYjkO8TAM/9bxQdLhKB9+rPa97tukWc9sE9TtV1w1qu97dDK1L74SvqCNLf5YyOdbayP/6IVmE6N6IdOCYmjLTk1YLoQmGToFfYI6d5dz+K3731QTXCX94KR4TGf32tHL/3mqhjbBdKjUDG1wLq2Uhbu/ohtf1SdsBMqEZr/NeVv4GJsORTkSYOsd762mF7mdDLmYabJPWmb5txiGPLMGSXSjViKT+n8FwbXX3gy2nRDMXLE18+oL5ignmeFRj69v7rM+FOQMdqFyJ6gBywMSn+CZC4GdCsR1TDVRE91o7pNSfb/K9gp/HOWDWprB9CA2njR+xMdvWfeKFHFtg3dg74ggxPl5lBvsnxk8R7XRpF0VcTJutmIQu/kYR5iLudsH38NcBGcA0r1xjZuJ5+tfgVHEGyNm6RdpGufbysqGAes4EDQ++VCA3haFQZcHrS4KmwvJfdaD2X83z7u4KOQfDfsEHykyg+iI2qadmQZ0ton3zq5
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(136003)(366004)(39860400002)(376002)(6916009)(71200400001)(4326008)(53546011)(6512007)(26005)(33656002)(6506007)(186003)(86362001)(83380400001)(44832011)(66946007)(64756008)(66476007)(66556008)(66446008)(76116006)(5660300002)(8676002)(8936002)(6486002)(2906002)(54906003)(316002)(478600001)(36756003)(2616005)(219973002)(557034005)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: EdM3CFloHN/aV7Fh85h8roZLe6eGO8PL2rCmpVX7Dluw6rKEocSmrzOcP7syP8xoYU4Pc7i3GlMOGLOBNZFFbWpGeIznbKEZul2KS6UaxuJedcTjwMnQaFMwcITgdZ+NZLChNAHUGzMB+OHt9LUVPuyUn69biXM4MHt7Y6rjVbTak0/w3v8p0V3HogzwVyzVSrBvyhpAaXW17z6iV1+3RXXKJRnD1COtQftTj639SWTqAvO86BxIjAB/c/7/02984IXmIqvjmqCwjvWzh5XEP5AjxrCvNSWQLP/Z+ksam3opbkC/H0ZmBWhZMIe1BAVYUMB569EqNFxJDYLpJXaF1DQVTC+ritkvpAp2Rfa5dJR9G/pTwrbjgBMqThvv8BMiqTS87pX3Dn5XINNmwop+ufVOGpqs3jBCrfnTw7xmCRZtamZ1TjcYikGoN1P1hvix25wEJOH2J8SwQWlRZLa8UL7DjS7SeD64pui7Mz8iJTmqwpR2eS1KlkzXOhnNmxyxSAhJsx079wkIj+nw2NfrHcl5pTcAlMq8P/SKDyXeefW3KAr2DI4R17ixQfDiEab9exWQ8rPKYmCfx0Lqfv6AiODY4XNEG9fkr7QGZhU9uX1IaXJLrmmk/5B98q0rzDvQwB/LWPeiPSuvfkp+cvsvrEtOXwzgEwT6cBa82nVlrb5P+YVTzpfFAz3EHh/zzRGrMMI+16ftquddgNcskFmmtBx1g7ZrAOyVVGiHBmZlo8hpHHx74e3MtwAinpzOKCCN9mEDHWEXVzaNwt3A07nCguMHAPsJ1+T/dBq8hRCxkkdtgePJy5gRJuP5fKWyYNCPtlUlnjFXWAw6KJ/Pehxyy8+pldekUIWLrM9vJSKyzohio7mdPRQkkZ54WQyufVNjmnziMZQSRq8bG5rBcBECU5GwXHhb0w/IJvWh7Gc85WviNZzrFfBqG14HMyFIwpmA2NDJb48JG7iBKeTjt1IUkhihKVZBlymDxRxOEeik2A0KHk3gkBhMgsneUZk6yDou349vYHOkJFhSRC+KxqgsG9+gpy6uURe7mxlEK0ZNHU6yPukdfy0RU2HY3CL9f8QTWeuLgiJWGycJgcs9AabosP3Rl0dCDWtnlQaC3X7wxgYuxF+TWHvq71LFJ1NBeS9b/+Wq98TzlvfTIguLRMV2dGNE8S1m87+hJa6n3NxZDPpVOgfOEd1shw4tZxcDIRrsYB4BGKlDBaqtmYgvlcfbSBGDb3aW0y8e9XQ0xVzyMzDwSJySNBrnfhZUR0h7KeW/Vga729Uw4bda4waKViwTsD5hEgt1fvx1dG/QtxMrlePlJfmOFnTUSQZ6BQdsP0yn
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <B177F1335899FD4D8B480C1159F8FD7A@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d1e5261c-77c2-4f20-9042-08d8e006748e
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2021 18:42:40.1311 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pIiFVu41jZiZcfyK49KTCgA0jOP7IWCIAFPARPlndtBsBtg7DnG4G9rtULJYVd12eAocIMe32APsiR9HXCK3MnZFGgXsSwSLgesvkwtQks8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3545
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VU_INVYIeUaJSwUlCKCvc3Un-44>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2021 18:42:49 -0000

>While renegotiation will never be re-added, there is post-handshake
>authentication (RFC 8446, section 4.6.2), and while that is currently
>about authenticating the _client_ to the server, it should be trivial to
>extend the protocol to support re-authenticating the server to the
>client as well.

I think the current Post-Handshake authentication is not really suitable for long-term connections. It assures that the other party is still alive but it does not shut out any other third parties with access to application_traffic_secret_N. Such parties may have gotten the key with or without collaboration with one of the nodes.

Agree that the negotiation part of renegotiation should not come back. Below is a sketch of what I think would be needed Post-Handshake for DTLS/SCTP with DTLS 1.3:

       {KeyShareEntry}         -------->
                                              {KeyShareEntry}
                                          {CertificateVerify}  
                               <--------           {Finished}  
       {CertificateVerify}
       {Finished}              -------->


               Derive-Secret( ... ) = exporter_secret_N

Cheers,
John

-----Original Message-----
From: Nico Williams <nico@cryptonector.com>
Date: Friday, 5 March 2021 at 18:35
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "Fries, Steffen" <steffen.fries@siemens.com>, "TLS@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

On Fri, Mar 05, 2021 at 05:01:04PM +0000, John Mattsson wrote:
> On Friday, 5 March 2021 at 15:02, Fries, Steffen wrote:
> > I've got a question regarding application of TLS 1.3 to protect long
> > lasting  connections. Specifically on the trigger to perform a
> > revocation check for the utilized certificates in the handshake. 

You can perform OCSP or CRL checks on the RPs at any time.  You don't
need a protocol trigger for it.  You can use a timer.

The issue is that the EE certificate (or intermediates in the chain
perhaps) could expire or be replaced before the connection ends, and
then you might want the EE to present a new certificate and, if for a
new key, then also a proof of possession.  One could use session
renegotiation back when it existed, but it does not now.

> > Hence the question if there is a feature in TLS 1.3, which would
> > provide the functionality to invoke a mutual certificate based
> > authentication.

While renegotiation will never be re-added, there is post-handshake
authentication (RFC 8446, section 4.6.2), and while that is currently
about authenticating the _client_ to the server, it should be trivial to
extend the protocol to support re-authenticating the server to the
client as well.

Authenticating the client to the server and vice-versa would be
independent, at least when using certificates, though not so much when
using PSK.  Each relying party would send a CertificateRequest message
on a timer based on local configuration of certificate freshness policy
and/or the peer's certificate's expiration time, or whatever you like.

Nico
--

v2.23.0 | Report a Bug | By Email