Re: [TLS] Proposals for draft-ietf-tls-subcerts-02
Nick Sullivan <nick@cloudflare.com> Thu, 26 July 2018 23:03 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 933DF131255 for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 16:03:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eGvWxOP1fOGw for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 16:03:37 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 948E813125B for <tls@ietf.org>; Thu, 26 Jul 2018 16:03:37 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id v8-v6so5938509oie.5 for <tls@ietf.org>; Thu, 26 Jul 2018 16:03:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AjxFksPwO/FqBoUYZc7HEDgAjvJNmpw0BTcex9CtGoE=; b=v+jUfr2smqMirx+Aq6eZd0rZBTM8vejMHnWnFbJ6rHvJ2HvezxWl5sAuXMrxlPAjip LXRH/omvP9a+zf5nvbAK8E7fy5N8XzsKsKOJhrm5TIAUDN1zbbsOwN3xD5gUPJsQxchz N47MHeoh+2CorQfmEVuNhh4SmoTOGg/Bv2148=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AjxFksPwO/FqBoUYZc7HEDgAjvJNmpw0BTcex9CtGoE=; b=Qt87t1pnUcKl1jmDEbadNl4wDcqIbuh9vo/qNy3vrO1QmIWG82D6/PFXFYP3AYypbj 1Yys71aoBQTs/x875x8pk75TaVH3CLQGgtj9LkiJIQVgnsO5nPFgIxnZfy00rowd49Ff ElBjVDKHnNMbdkwOTqNEi8CkK0BA+AAIJgedW4naj/7n+P9jzBzEGY72ftQ/wMryg1py tGB4wFDuwLsaVviOugds24NGStwAjny9YtyHsMwyQtmWcnAkl2TuXKEpe59Dv6rRnkw/ lqrnSo5X4hi7uHpoqhpvtHkl+KnlbyGyQ5V44PhsiAsBIjRROrGQ8UF2+lDvDJo3OOm1 /qJw==
X-Gm-Message-State: AOUpUlEa4fE2JBGVfxgnRooYneC3SSPJiAcWYv4SV9EBwIifcxI2Ux3z tMAu4kAuwNeNLmDZB4XNHHQ/wQrOlCXCBCITwCtIqw==
X-Google-Smtp-Source: AAOMgpd4Wde7ewuO/ogsy91OCW4NrDL+B//0IEKDkzKh4UzFoZA0yGhkt+iwPLjOwL+T5UYiJrF5MsTFG+UsoagbvK4=
X-Received: by 2002:aca:dc55:: with SMTP id t82-v6mr4305695oig.159.1532646216797; Thu, 26 Jul 2018 16:03:36 -0700 (PDT)
MIME-Version: 1.0
References: <MWHPR22MB046162AC2C43A3A56FB1A8C4C6550@MWHPR22MB0461.namprd22.prod.outlook.com> <20180724202423.GA28235@LK-Perkele-VII> <C3194247-EF67-4A59-AB83-260918ECF74D@ll.mit.edu> <MWHPR22MB0461FC1102E9F077185AD97FC62B0@MWHPR22MB0461.namprd22.prod.outlook.com>
In-Reply-To: <MWHPR22MB0461FC1102E9F077185AD97FC62B0@MWHPR22MB0461.namprd22.prod.outlook.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 26 Jul 2018 16:03:25 -0700
Message-ID: <CAFDDyk-s+AcmrG=stfhANyCrB1eXxgu7Qx-E-d+rmzStZM6DTg@mail.gmail.com>
To: "Patton,Christopher J" <cjpatton@ufl.edu>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000051a9f50571ef01f6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZzCPFvY3rN_RXp8aE8iNrhLIZFs>
Subject: Re: [TLS] Proposals for draft-ietf-tls-subcerts-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 23:03:41 -0000
I support these changes. Nick On Thu, Jul 26, 2018 at 11:01 AM Patton,Christopher J <cjpatton@ufl.edu> wrote: > Thanks all for the feedback! In light of your observations, we've revised > the changes proposed for draft-02: > https://github.com/tlswg/tls-subcerts/pull/13. > > > The changes for draft-02 are as follows: > > > > > - Drop support for TLS 1.2. > - Add the protocol version and credential signature algorithm to the > Credential structure. > > > - Specify undefined behavior in a few cases: when the client receives > a DC without indicated support; when the client indicates the extension in > an invalid protocol version; and when DCs are sent as extensions to > certificates other than the end-entity certificate. > > > Any additional feedback is welcome. > > > Thanks, > > Christopher Patton > > > ------------------------------ > *From:* Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> > *Sent:* Tuesday, July 24, 2018 4:40 PM > *To:* Ilari Liusvaara; Patton,Christopher J > *Cc:* tls@ietf.org > *Subject:* Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 > > I object to re-interpreting/overloading the Critical flag. It has one and > only one meaning: "If the parser does not understand the given attribute, > it must abort parsing if this attribute is marked as Critical (or ignore > this attribute and continue parsing if the Critical flag is not set)". > > > On 7/24/18, 16:25, "TLS on behalf of Ilari Liusvaara" < > tls-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote: > > On Tue, Jul 24, 2018 at 07:24:09PM +0000, Patton,Christopher J wrote: > > Hi all, > > > > > > I've taken the liberty of addressing the changes to the delegated > credentials extension that were requested at IETF: > > > > https://github.com/tlswg/tls-subcerts/pull/13 > > > > > > > The changes that would be adopted in draft-02 are as follows: > > > > * Drop support for TLS 1.2. > > * Allow the critical bit of the X.509 extension to be set. > > * Add the protocol version and credential signature algorithm > > to the Credential structure. > > * Make the KeyUsage of the delegation certificate stricter. > > * Specify undefined behavior in a few cases. > > > > It was suggested that we add optional "must-use-DC" semantics to the > > certificate. The solution we came up with was to add a "strict" flag > > to the extension that is set if (and only if) the extension is marked > > critical. The idea is that if the "strict" flag is set and the server > > doesn't offer a DC, then client must abort the handshake, In my > opinion, > > the complexity this adds to the protocol outweighs the potential > benefits. > > > > Comments on the PR are welcome. > > This has the signifcant critical flag issue. It should at minimum be > explicitly called out, as I do not know any precendent for this kind of > behavior (check that some extension is critical yes, but not changing > meaning of extension depending on critical flag). > > > I watched the presentation and the resulting Q&A again. Short summary > of > relevant stuff: > > - The motivation in the slides is to reduce exposure of private keys to > memory disclosure vulernabilities, without reducing performance. > - The orignal proposal was to add a TLS Feature extension value. No > discussion. > - The drawback of "strict mode" would be causing issues with servers > that can not effectively switch between certificates. > - There is question about fallback. Paraphrased answer: LURK. > > > TLS Feature extensions have some really unwnated properties here. They > are never critical on client side, and they have OR-inheritance. You > definitely do not want OR-inheritance here. > > Well, after this, the best usecase I can come up with strict flag is > still dealing with LURK endpoints that can not do proof-of-possession > or format checking[1]. > > > [1] TLS 1.2 and 1.3 servers should only ask for signatures and only > over the following kinds of data: > > - <64 bytes> 03 00 17 41 04 <64 bytes> > - <64 bytes> 03 00 18 61 04 <96 bytes> > - <64 bytes> 03 00 19 85 04 <132 bytes> (rare, P-521) > - <64 bytes> 03 00 1A 41 04 <64 bytes> (rare, brainpool) > - <64 bytes> 03 00 1B 61 04 <96 bytes> (rare, brainpool) > - <64 bytes> 03 00 1C 81 04 <128 bytes> (rare, brainpool) > - <64 bytes> 03 00 1D 20 <32 bytes> > - <64 bytes> 03 00 1E 38 <56 bytes> (rare, X448) > - <64 spaces> "TLS 1.3, server CertificateVerify" 00 <32 bytes> > - <64 spaces> "TLS 1.3, server CertificateVerify" 00 <48 bytes> > > None of these covers delegated credential signatures, which would > cause any attempt to ask for DC signature to fail if the format is > checked.. > > > > -Ilari > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Proposals for draft-ietf-tls-subcerts-02 Patton,Christopher J
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Ilari Liusvaara
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Patton,Christopher J
- Re: [TLS] Proposals for draft-ietf-tls-subcerts-02 Nick Sullivan