[TLS] AD review of draft-ietf-tls-oob-pubkey

Sean Turner <turners@ieca.com> Tue, 16 April 2013 14:06 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5F31921F971A for <tls@ietfa.amsl.com>; Tue, 16 Apr 2013 07:06:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.764
X-Spam-Status: No, score=-101.764 tagged_above=-999 required=5 tests=[AWL=0.501, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id hwAC2bdf5LsD for <tls@ietfa.amsl.com>; Tue, 16 Apr 2013 07:06:23 -0700 (PDT)
Received: from gateway01.websitewelcome.com (gateway01.websitewelcome.com []) by ietfa.amsl.com (Postfix) with ESMTP id 8127D21F96FE for <tls@ietf.org>; Tue, 16 Apr 2013 07:06:23 -0700 (PDT)
Received: by gateway01.websitewelcome.com (Postfix, from userid 5007) id 38A879A5FF73C; Tue, 16 Apr 2013 09:06:23 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com []) by gateway01.websitewelcome.com (Postfix) with ESMTP id 289AB9A5FF6FF for <tls@ietf.org>; Tue, 16 Apr 2013 09:06:23 -0500 (CDT)
Received: from [] (port=54590 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1US6Wc-0007by-QG; Tue, 16 Apr 2013 09:06:22 -0500
Message-ID: <516D5ADE.3050506@ieca.com>
Date: Tue, 16 Apr 2013 10:06:22 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: tls@ietf.org, draft-ietf-tls-oob-pubkey@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-Sender: (thunderfish.local) []:54590
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: [TLS] AD review of draft-ietf-tls-oob-pubkey
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2013 14:06:24 -0000

I'd like to discuss some of these before issuing an IETF LC.  There's no 
implied importance based on the order.

0) abstract: I'd delete the 2nd paragraph it really sounds like 
marketing.  The third paragraph is also a repeat of what's in the 1st 
paragraph - I'd just delete it.  Finally, need to be clear that you're 
also defining two new TLS extensions:

  This document specifies a new certificate type and two TLS extensions,
  one for the client and one for the server, for exchanging raw
  public keys in Transport Layer Security (TLS) and Datagram Transport
  Layer Security (DTLS) for use with out-of-band public key validation.

1) s1 does a good job of motivating the need for server side keys but 
falls a little short on client keys.  Why does the intro to the bullet 
list mention how the client can get the server's certificate with the 
last bullet also talking about the client's key?  Also, is the paragraph 
after the bullets just an explicit example of the last bullet?

Seems like the first sentence should be:

   Traditionally, TLS client and server public keys ...

and then maybe:

  Alternative methods are available that allow a TLS clients/servers
  to obtain the TLS servers/client public key:

    o  TLS clients can obtain the TLS server public key from a
       DNSSEC secured resource records using DANE [RFC6698].

    o  The TLS client or server public key is obtained from a
       [PKIX] certificate chain from an Lightweight Directory
       Access Protocol (LDAP) [LDAP] server or web page.

    o  The TLS client and server public key is provisioned into
       the operating system firmware image, and updated via
       software updates. For example:

       * Some smart objects use the UDP-based Constrained
         Application Protocol (CoAP) [I-D.ietf-core-coap] to
         interact with a Web server to upload sensor data at
         a regular intervals, such as temperature readings.
         CoAP [I-D.ietf-core-coap] can utilize DTLS for securing
         the client-to-server communication.  As part of the
         manufacturing process, the embeded device may be
         configured with the address and the public key of
         a dedicated CoAP server, as well as a public key for
         the client itself.

2) s1: The last paragraph needs to indicate that this document defines 
two new certificate extensions:

  This document registers a new value to the IANA certificate
  types registry for the support of raw public keys.  It also
  defines two new TLS extensions, "client_certificate_type" and

3) I think the introduction needs to make it very clear that without the 
out-of-band binding between the public key and the entity that no 
authentication is actually being performed.  Add something like the 
following to the end of s1:

   The mechanism defined herein only provides authentication when
   an out-of-band mechanism is also used to bind the public key
   to the entity presenting the key.

4) s3: r/raw public key certificates/raw public keys

5) wrt Figure 3 maybe we can just list the ones we know about? And, RFC 
5480 updated 3279 wrt ECDSA public keys so it needs to point there:

   [RFC3279] and [RFC5480] define the following OIDs:

Key Type             | Document                   | OID
RSA                  | Section 2.3.1 of RFC 3279  | 1.2.840.113549.1.1
Digital Signature    |                            |
Algorithm (DSS)      | Section 2.3.2 of RFC 3279  | 1.2.840.10040.4.1
Elliptic Curve       |                            |
Digital Signature    |                            |
Algorithm (ECDSA)    | Section 2.1.1 of RFC 5480  | 1.2.840.10045.2.1

                  Figure 3: Example Algorithm Identifiers.

and add 5480 as reference.

Grumble: would have listed RSASSA-PSS but it's not supported.

6) And on those references, I think the references for 3279 and 5480 end 
up normative.  All are standards track so no downref issues.

7) s3: I think it's not just an algorithm it sometimes includes 
additional parameters.  Also need to include the AlgorithmIdentifier 
syntax. I think that means some slight tweaking:

  The SubjectPublicKeyInfo structure is defined in Section 4.1 of RFC
  5280 [PKIX] and does not only contain the raw keys, such as the
  public exponent and the modulus of an RSA public key, but also an
  algorithm identifier.  The algorithm identifier can also include
  parameters.  The structure, as shown in Figure 2, is
  encoded in an ASN.1 format and therefore contains length information
  as well.  An example is provided in Appendix A.

    SubjectPublicKeyInfo  ::=  SEQUENCE  {
      algorithm            AlgorithmIdentifier,
      subjectPublicKey     BIT STRING  }

    AlgorithmIdentifier  ::=  SEQUENCE  {
      algorithm               OBJECT IDENTIFIER,
      parameters              ANY DEFINED BY algorithm OPTIONAL  }

               Figure 2: SubjectPublicKeyInfo ASN.1 Structure.


   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, March 2009.

8) I'm thinking we need to say DER encoded in the above as well:

   an DER encoded ASN.1 [X.690] format

here's the reference:

    [X.690]    ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
               Information technology - ASN.1 encoding rules:
               Specification of Basic Encoding Rules (BER), Canonical
               Encoding Rules (CER) and Distinguished Encoding Rules

9) s4.1: Are some words missing from the following:

  In order to indicate the support of out-of-band raw public keys,
  clients MUST include the 'client_certificate_type' and
  'server_certificate_type' extensions extended client hello message.

extensions "in an" extended client hello message?

10) s4.2:  Maybe reword this slightly:


  If the client indicated the support of raw public keys in the
  'client_certificate_type' extension in the client hello and the
  server is able to provide such raw public key then the TLS server
  MUST place the SubjectPublicKeyInfo structure into the Certificate


  If the client hello indicates support of raw public keys in the
  'client_certificate_type' extension and the
  server also supports raw public keys then the TLS server
  MUST place the SubjectPublicKeyInfo structure into the Certificate

But, a more important question is the meaning of that paragraph above. 
Doesn't that override the "sorted by client preference" from s3?

11) s6: Got some questions about the following:

   This information will be needed to make
   authorization decisions.  Without a secure binding,
   man-in-the-middle attacks may be the consequence.

1st isn't that authentication.  2nd isn't it masquerade attacks?  3rd 
it's not really a may it's more an is likely to be?

12) In s6, it indicates:

   This document assumes that such
   binding can be made out-of-band and we list a few examples in
   Section 1.

This statement begs the question as to whether there needs to be a 
requirement on protocols that use this extension to specify the method 
used to provide the out-of-band binding.  In other words something like:

   Specifications that make use of the extension MUST specify the
   mechanism by which the identity and the public key are bound.
   Otherwise, authentication is not possible.

13) How are we supposed to check whether key is still considered "good"? 
  If you can't that might be okay, but you need to mention that there's 
no mechanism to support this yet or that that also needs to be done 

14) Are there any other extensions that don't make sense to negotiate if 
raw keys are chosen?  For example, if the the client and server settle 
on raw keys do either of the ocsp stapling extensions make sense anymore?

15) In s7, ask IANA to point the Certificate's Type Registry to this draft.