RE: [TLS] Review of draft-santesson-tls-gssapi-00
Stefan Santesson <stefans@microsoft.com> Thu, 01 February 2007 18:09 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HCgN8-0001Qd-BR; Thu, 01 Feb 2007 13:09:22 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HCgN6-0001Jt-VQ for tls@ietf.org; Thu, 01 Feb 2007 13:09:20 -0500
Received: from smtp-dub.microsoft.com ([213.199.138.181]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HCgN5-00043o-I1 for tls@ietf.org; Thu, 01 Feb 2007 13:09:20 -0500
Received: from dub-exhub-c302.europe.corp.microsoft.com (65.53.213.92) by DUB-EXGWY-E802.partners.extranet.microsoft.com (10.251.129.2) with Microsoft SMTP Server (TLS) id 8.0.685.24; Thu, 1 Feb 2007 18:09:18 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by dub-exhub-c302.europe.corp.microsoft.com ([65.53.213.92]) with mapi; Thu, 1 Feb 2007 18:09:18 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Eric Rescorla <ekr@networkresonance.com>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 01 Feb 2007 18:09:16 +0000
Subject: RE: [TLS] Review of draft-santesson-tls-gssapi-00
Thread-Topic: [TLS] Review of draft-santesson-tls-gssapi-00
Thread-Index: Acc+YydFJXSvnnDOR+i2EMwn5y51OAHwpByA
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF01D9BF0FA@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <20070122202751.CCBC45C01E@laser.networkresonance.com>
In-Reply-To: <20070122202751.CCBC45C01E@laser.networkresonance.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 34d35111647d654d033d58d318c0d21a
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Eric, Thank you for the review and the initiative to get a discussion going on this draft. All of your comments are valid and lines up with what I thought would be the critical issues to discuss. In the end it's a question of whether these changes to TLS are defendable in relation to the benefit to the industry and the usability of the protocol. Response to your comments 1-3. 1) TLS gets no guarantee of the quality of parameters given by GSS-API. But TLS is no entity so in a way that is the wrong question. The implementers of this protocol choose to trust the properties of their GSS-API based technology. The solution of this draft enables them to extend the trusted authentication methods for TLS sessions to the GSS-API methods they already use and trust. This can't accidently degrade the security for regular TLS users. But this is nothing new. This line was already crossed by RFC 2712. 2) The extended roundtrips is an un-escapable consequence. If necessary I believe we can define an upper boundary of the number of roundtrips. You are right that the TLS state machine must rely on GSS-API for validating and concluding the GSS-API exchange. Without being handed the resulting key material from the GSS-API layer, the TLS state machine must fail. I feel convinced that it is possible to define the appropriate set of rules for the TLS state machine on when to close the connection and fail graciously. 3) I believe the precedent was set by RFC 2712. Security wise we do nothing worse than RFC 2712 already do. This draft do however solve a number of problems with RFC 2712. I do not agree that this makes a hole in TLS. This feature will not be enabled unless its specifically agreed between the parties who thereby make the decision to trust GSS-API to provide authentication and keying material. Stefan Santesson Senior Program Manager Windows Security, Standards > -----Original Message----- > From: Eric Rescorla [mailto:ekr@networkresonance.com] > Sent: den 22 januari 2007 21:20 > To: tls@ietf.org > Subject: [TLS] Review of draft-santesson-tls-gssapi-00 > > $Id: draft-santesson-tls-gssapi-00-rev.txt,v 1.3 2007/01/22 20:27:34 > ekr Exp $ > > I have reviewed this document and as I indicated in San Diego, I have > serious architectural concerns about the way that it interconnects TLS > and GSS-API. > > 1. It's totally unclear what security guarantees TLS is supposed > to be getting from GSS. In fact, it's not possible to be clear > because there is just some set of mechanism IDs. That may be > fine in limited environments but it's not fine in the general case > where other extensions might be used with TLS. > > 2. TLS assumes a fixed number of round trips which is determinable > from the resumption state. By contrast, once this draft establishes > that GSS is to be used, an arbitrary number of round trips may occur > in some way that is invisible to TLS. First, that's a big change to > the state machine and second it's architecturally problematic. It's > true that there's an indicator in the message for whether it's the > last payload or not, but there's no way for the TLS state machine to > independently determine whether that has been tampered with. It needs > to rely on the GSS state machine. That's problematic both from an > engineering and security standpoint. > > 3. It sets a precedent that the way to interconnect TLS to external > security mechanisms is via creating a hole in TLS to carry their > mechanisms. This makes TLS more complicated, which is of course > the enemy of security protocols. > > > TLS provides a generic mechanism for linking up to externally exchanged > keys, courtesy of RFC 4279. All you need to do is arrange for your > mechanism to create a PSK-Identity binding on both sides and then > you can do an ordinary TLS exchange using TLS PSK. > > In the WG meeting, I heard concerns from the proponents of this draft > that they then needed to arrange a way to carry the GSS handshake and > that since their application protocols already had a cutout for TLS > they wanted to exploit that cutout. I'm not insensitive to this point, > but that doesn't make it architecturally sound. > > > -Ekr > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Review of draft-santesson-tls-gssapi-00 Eric Rescorla
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Eric Rescorla
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- [TLS] Re: Review of draft-santesson-tls-gssapi-00 Simon Josefsson
- [TLS] RE: Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- [TLS] Re: Review of draft-santesson-tls-gssapi-00 Simon Josefsson
- [TLS] RE: Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 EKR
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 EKR
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 EKR
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- [TLS] Re: Review of draft-santesson-tls-gssapi-00 Simon Josefsson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Stefan Santesson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Jeffrey Altman
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Yoav Nir
- [TLS] TLS state machine Stefan Santesson
- RE: [TLS] TLS state machine Pasi.Eronen
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- [TLS] Re: Review of draft-santesson-tls-gssapi-00 Simon Josefsson
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Ari Medvinsky
- RE: [TLS] Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- [TLS] Re: Review of draft-santesson-tls-gssapi-00 Simon Josefsson
- Re: [TLS] Re: Review of draft-santesson-tls-gssap… Jeffrey Altman
- [TLS] RE: Review of draft-santesson-tls-gssapi-00 Pasi.Eronen
- RE: [TLS] Re: Review of draft-santesson-tls-gssap… Stefan Santesson
- RE: [TLS] TLS state machine Stefan Santesson
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [***SPAM*** Score/Req: 11.0/5.0] Re: [TLS] Re… Jeffrey Altman
- Re: [TLS] Re: Review of draft-santesson-tls-gssap… Martin Rex
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [***SPAM*** Score/Req: 11.0/5.0] Re: [TLS] Re… EKR
- Re: [***SPAM*** Score/Req: 11.0/5.0] Re: [TLS] Re… Jeffrey Altman
- RE: [TLS] TLS state machine Pasi.Eronen
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Jeffrey Altman
- Re: [TLS] TLS state machine Bodo Moeller
- Re: [TLS] TLS state machine Bodo Moeller
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Martin Rex
- Re: [TLS] Review of draft-santesson-tls-gssapi-00 Nelson B Bolyard
- RE: [TLS] Re: Review of draft-santesson-tls-gssap… Stefan Santesson
- Re: [TLS] TLS state machine tom.petch