Re: [TLS] 3rd WGLC for draft-ietf-tls-exported-authenticators

Watson Ladd <watsonbladd@gmail.com> Fri, 05 June 2020 11:29 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3CA43A148D for <tls@ietfa.amsl.com>; Fri, 5 Jun 2020 04:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2MvGAf6l7RQ for <tls@ietfa.amsl.com>; Fri, 5 Jun 2020 04:29:28 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18FCD3A1488 for <tls@ietf.org>; Fri, 5 Jun 2020 04:29:28 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id h188so5575119lfd.7 for <tls@ietf.org>; Fri, 05 Jun 2020 04:29:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=fExovZiYu5XU4O6Pn5zneMS2200B9lA9lpayoSZgJlg=; b=CF0PVpBdnimtlND2nPnvgPdyLHga2QfTMxcjRSnhHHMbEmYvrOEK3S/SAPwL9vYsDT gRAiqOqPKvCZ0Jw+rbixbtErDCDocZTbMCK3NnlsqGk2IAkcb/0ax/b/uLsBZE6Pr5mr y4tPcdEXaKTERvJZ0lPBKxcTp8qnU8zQyR27+jg7/NeUFLHwSbQnBbc5s8GsUiagwbMO 2bG40WNMmX2MNpSAJGmvg07oHMsh9ATl44rTnY8xL110YETf5ZXVzWLcbSF/RJRheJcd aS6gKWtATlUTCr5on1KCtvfVNxcHa/77vSOmXNP7k8btfC3k95iqMkJWwupCqIx2Bh/b 5dCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=fExovZiYu5XU4O6Pn5zneMS2200B9lA9lpayoSZgJlg=; b=a1/hRDdtN6aDGRX5ybuAiT7iIMlH6FuALvNQ8GJTSiVeBj4exfhnus9kvEE6gbVvPl mAyJ9K/ovNsaZhx4J+/4qquyHko/ZLw73m7V8SxmQOAvaiO6XQypidrOiuRWMtn067mH /eQXTzwsDo+MEwrearB0yHMnCkIshJkfcFOvyBXvIWTDymeNRSwSpYA3VT+1BHx3yiVd 6TpGIbw1xcbhGrp4yW/WaVp2J4Z0uRGfUb/efybobysk9ggdKWhVWWA11R4ZG+n3f3ht g/l/idlpZpi2buJWWdXkqU28NqKLg0x+T0sK0SZsDKvW5BCv5kCSAJnpa7T1GW4uYGw1 gsZg==
X-Gm-Message-State: AOAM531KyTaxIDFZtv1i/0KOgfKHRtyqaw/wYgqYxclYROs/I/w68zM1 TEDzGcP8Lzm6MMCmi5haEPhtRQHI2Q+lOhmJgqQ=
X-Google-Smtp-Source: ABdhPJy/oyRCAWKdwlLXvPIMfE7YCFrIBpvz2vnczpRAps5lWKeYAGAuAUvchtb8bUZe7I6PmKY9O8VYB0Bwlo+TBCQ=
X-Received: by 2002:ac2:4641:: with SMTP id s1mr5114849lfo.147.1591356564426; Fri, 05 Jun 2020 04:29:24 -0700 (PDT)
MIME-Version: 1.0
References: <16B2E133-DE69-4850-A23D-554FBCADEE5A@sn3rd.com> <1754FC7C-E06C-47C6-BCB0-84191EB15974@sn3rd.com>
In-Reply-To: <1754FC7C-E06C-47C6-BCB0-84191EB15974@sn3rd.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 5 Jun 2020 07:29:13 -0400
Message-ID: <CACsn0cnRtPmvJVK+_A+Nw3=RoHT+riUPXhhuZafOZSrj9AuOMQ@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Cc: TLS List <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZErCTbx_C3rhX8MVgAN-swgLczw>
Subject: Re: [TLS] 3rd WGLC for draft-ietf-tls-exported-authenticators
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2020 11:29:30 -0000

On Thu, Jun 4, 2020 at 9:48 PM Sean Turner <sean@sn3rd.com> wrote:
>
> Another reminder ...
>
> > On May 22, 2020, at 09:23, Sean Turner <sean@sn3rd.com> wrote:
> >
> > This is the 3rd WGLC for "Exported Authenticators in TLS" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/. The secdir review during IETF LC raised some issues and as a result there have been a couple of new versions. Please respond to the list with any comments by 2359 UTC on 8 June 2020.

 I've implemented earlier drafts. I do have a concern with the
validate API as presented in the draft: it treats empty authenticators
as valid, and then returns the identity as a certificate chain that
must be validated by the application. Similar APIs have lead to easily
foreseeable pwnage. Instead I would recommend the validate API carry
out X509 validation against a trust store or validation function and
treat the empty authenticator as invalid. That way someone has to
think before not checking the certificate returned.

Sincerely,
Watson Ladd