Re: [TLS] WGLC for draft-ietf-tls-ticketrequests

Daniel Migault <daniel.migault@ericsson.com> Sat, 16 November 2019 06:01 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0208A1200B2 for <tls@ietfa.amsl.com>; Fri, 15 Nov 2019 22:01:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HO18ZdgV0K25 for <tls@ietfa.amsl.com>; Fri, 15 Nov 2019 22:01:56 -0800 (PST)
Received: from mail-vs1-f54.google.com (mail-vs1-f54.google.com [209.85.217.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7D151200CC for <tls@ietf.org>; Fri, 15 Nov 2019 22:01:55 -0800 (PST)
Received: by mail-vs1-f54.google.com with SMTP id u18so7071134vsg.5 for <tls@ietf.org>; Fri, 15 Nov 2019 22:01:55 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vj/MQkjSFExQZYImLhHilmbj2s8LZIZIsvPOTkWS/Yc=; b=frD2NhvuokLq7SWfQfzh0EMdYJlSS/iGAhYuKxALYgxuXM/IGXZjmkPnubNFVmkwLz +7Sj7FA3TCc04ySdgdtLzO9I6ycTbb5sDX37Qhj2eBw4/3BJ24HzvjxOjZiV67Wlq4UH kJTKzrY/dxi/FAnbAjEVv4Nz65c3ilp+8omBGySQ3FADyln2KRYhgHj6IdpN59478geh eyOVInGNKJQFESXFA73RA3USVGPfsj7jXy8Atf+/VtmChqGY3IpeaoG4+ZLpncpM9zCv LVFd+OdYSnccUY89l3/W5WdmQEY8ZDIVcu13UQ5XFppn621iCZ48ZCvxCAMFOE2yzQ75 dxgA==
X-Gm-Message-State: APjAAAXy2hMFkADNmauOHG94Tp2aWyHPKEUYHhMGmko8TTtP1MnlITi6 nN6tbkXz3WmXRc+yvmwYR9DlhEcG3bj5GF5NKQo=
X-Google-Smtp-Source: APXvYqyNibenIHMommSBywuEqLBAdBKABUo2dbkC0GV8t1YPE3/agL0xP7LDC5k1NqCCpzzY1BWJ190IPI+zRpiD9fg=
X-Received: by 2002:a05:6102:810:: with SMTP id g16mr11304235vsb.69.1573884114769; Fri, 15 Nov 2019 22:01:54 -0800 (PST)
MIME-Version: 1.0
References: <2FB1D8AD-2C22-4A09-B7AF-0EFD6F0DBACA@sn3rd.com> <0469b84c-3009-427a-99ca-e7f6817f0b6c@www.fastmail.com> <CADZyTknhZDi2JD5WRbKEOGDafHjhTkUm6QhOhv1kkA9BT1nekw@mail.gmail.com> <37ff9a64-2749-4558-a675-5b251f06eb3a@www.fastmail.com> <CADZyTkkS-CipB00+JMRrjNZqXhyCTdBhV11oydCNCCeG_M6ORg@mail.gmail.com> <6fc786f3-9fbe-4f8e-92d3-cd9ceb7f3703@redhat.com> <CADZyTkny6jpk=0gg-=yT3C3zY6N88a6t1RKjfKN+bNU6YbLshw@mail.gmail.com> <07d49b6f-e79d-4058-878f-7a57d5b6f241@redhat.com> <CADZyTkmRP-xq5NjH1p914HFX3wpiYRkz3rr5yO99x87Q-N+-hg@mail.gmail.com> <825db7ba-7b2c-4a4e-ab93-c7792b446463@redhat.com>
In-Reply-To: <825db7ba-7b2c-4a4e-ab93-c7792b446463@redhat.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Sat, 16 Nov 2019 01:01:43 -0500
Message-ID: <CADZyTkmZ51bi3H1PKikPyc-Db78D+WC1mcvdHuV=G-cR6dbBoA@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: tls <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000941e9505977073ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZLgdU_mq-qI3ULs3UGrhIUzJe9g>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ticketrequests
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Nov 2019 06:01:58 -0000

Hi Hubert,

I do not understand why tickets sent after PHA would be useless. It is also
unclear if not one solution means there are multiple good solutions - in
which case we could pick one - or that there is not one.  At least I would
envisioned something around the lines below.

For a given handshake as presented below, here are the NST with associated
number (n_0, ..., n_3) without any count value provided by the client. When
the client provides count I would expect these number to become (n'_0, ...,
n'_3) with n'_u = min(max(count- sum(n'_j, j<u), 0), n_u). Basically, you
send n_0, n_3 until counter is reached. Other NST are ignored. This seems
to ensure that only count NST are sent while not being overly complex.  I
believe that have a deterministic behavior from the server is beneficial.


Of course this is a first draft, and this may be refined.


          Client                                               Server

          ClientHello
          + key_share               -------->
                                                  ServerHello
                                                  {Finished}
                                    <--------     [Application Data*]
    <--------   NST (n_3)
          {Certificate*}
          {Finished}                -------->
                                    <--------     NST (n_2)
          [Application Data]        <------->     [Application Data]
                    <---------    NST (n_1)
                    <--------     CertificateRequest
  PHA response      --------->
                                    <---------    NST (n_0)
Yours,
Daniel


On Fri, Nov 15, 2019 at 8:44 AM Hubert Kario <hkario@redhat.com>; wrote:

> On Friday, 15 November 2019 13:00:14 CET, Daniel Migault wrote:
> > Hi  Hubert,
> >
> > On Thu, Nov 14, 2019 at 12:33 PM Hubert Kario <hkario@redhat.com>; wrote:
> >
> >> On Thursday, 14 November 2019 18:18:52 CET, Daniel Migault wrote:
> >>> Hi Hubert,
>
> >>> I understand the reasons for SHOULD. At least this should be
> documented.
> >>> To
> >>> address your first point, of course the specification applies to the
> >>> server
> >>> that support the extension.
> >>
> >>> Your second concern is solved by limiting the
> >>> NTS of KEX.
> >>
> >> by "KEX" you mean handshake? but New Session Ticket messages are not
> sent
> >> during handshake, they are sent after handshake is finished
> >
> > yes. I would consider the NST as part of the handshake even for those
> sent
> > after the post-handshake authentication.
>
> that would make tickets useless for sessions that use PHA

> I agree better terms may be used.
> > The rekey aspect seems to me out of the handshake.
>
> rekey also don't impact the keys used for derivation of session ticket
> secrets...
>
> >> so how exactly you want to decide when server stopped sending NSTs after
> >> handshake finished?
> >>
> >
> > That the spec does not mention it does not mean this will not be defined.
> > Instead it means each implementer will have its own logic, definitions
> and
> > outputs. The same reasoning occurs to the complexity argument,not
> > specifying it does not reduce the complexity but let it to the
> > implementation with all unexpected corner cases.
>
> my point is that there is no good way to define it, if you want the count
> to be
> limited, you need provide a good way to do that
>
> I say that there isn't one, so defining it is futile
>
> >>> The third point is addressed by the minimum of the (count,
> >>> server_nbr). Note that I see count as a maximum. Overall I do not think
> >>> this would add much complexity.  The only complexity I see is when a
> >> server
> >>> sends NTS at different time in the KEX.
> >>
> >> again, and what if the server misbehaves?
> >>
> >
> > Again, it would be a bug but the current spec is very permissive, at
> least
> > in my opinion. I do not believe that not specifying the expected
> behaviors
> > will prevent misbehaviors to happen, it, instead simply legitimates them.
>
> a MUST requires strict definition, which we can't provide, a SHOULD is
> already
> in the draft
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>