Re: [TLS] AD review of draft-ietf-tls-grease-02
David Benjamin <davidben@chromium.org> Mon, 29 July 2019 21:00 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5AF0120162 for <tls@ietfa.amsl.com>; Mon, 29 Jul 2019 14:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.251
X-Spam-Level:
X-Spam-Status: No, score=-9.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-CRO11O21NW for <tls@ietfa.amsl.com>; Mon, 29 Jul 2019 14:00:29 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D92A1203ED for <tls@ietf.org>; Mon, 29 Jul 2019 14:00:29 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id r6so56675676qtt.0 for <tls@ietf.org>; Mon, 29 Jul 2019 14:00:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KdCEVVAwoNbHZRp5u8JE5zd8InuI2ipLDalXU3hqiPg=; b=TABi4uEuKBSst1BQz04RKIDnYFrM6MTCu5iZXTB47onFLHCs/7xv0wKD3SPkWCjeLT IDfI95FH2kEj53HCPDv5QMZBlyPvq4afFmLm1YOoR/bS/x065Vob1OCsyqhiIdw9MDP+ ujOAHrXaI++mE462yUmgPkGUI27HRXD2/Cglw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KdCEVVAwoNbHZRp5u8JE5zd8InuI2ipLDalXU3hqiPg=; b=Hkar5BhF6FgXT6jFMY6nTSL7N8Ya+cLIDJpg4NBU5kY0EsNrRcSQC5wt1XQkiCYKxh licVzlNxTTOlRtRxKSl5adzEdFykeniL4Rmz6QWMgwgTIFMxvDZ0uxIUhXTCYTlRrkJb keXSR66d41o79WBFINuI/JA24wO8mk/eg2GYP58doyRCa4uoVmlFQm52PhdBCMgmf10P 1btciQ2dnRF4EUnNABt/9EOCIosFLxcYtvElvnuu4tsD9eB6jDEufasbGWBgtyoRvXwS u3lSWTSsHY186e36svjvL7X8CbKM8SvSv96yBfW+/zUM4KmWI5wqju+jt53AYhhmtItL qpvw==
X-Gm-Message-State: APjAAAUaVHzmXrMWcRd29q5jbA5wvcR1Fct0xStZMYGE+5EZXCTrE7OW A5Jqo3S1hNnywFzqjr/E51NKOCOd/RwLGpvycVWm
X-Google-Smtp-Source: APXvYqzE1gqPZmfocLJ8XwlAGM4jtKPTXsakd3NEilfiC0DMsSGXeVs886bMrH1+72rW7m/DCnc9KdvyFz80XBwfjJo=
X-Received: by 2002:a0c:b163:: with SMTP id r32mr81754713qvc.169.1564434028434; Mon, 29 Jul 2019 14:00:28 -0700 (PDT)
MIME-Version: 1.0
References: <20190703171111.GK13810@kduck.mit.edu> <CAF8qwaDWCywCJmwBbr7QeEgNRyZodt1mK8xxJBYVfuGzyNVSVA@mail.gmail.com>
In-Reply-To: <CAF8qwaDWCywCJmwBbr7QeEgNRyZodt1mK8xxJBYVfuGzyNVSVA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 29 Jul 2019 17:00:12 -0400
Message-ID: <CAF8qwaBzdPbbsryOqreErZ5aE4FwBVd2f2QKHBz6dmUk4OjuyQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-tls-grease.all@ietf.org, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a7284058ed82e1a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_29BGF1admxIk-9eFr7D2GKmVXk>
Subject: Re: [TLS] AD review of draft-ietf-tls-grease-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2019 21:00:37 -0000
Changes in draft-ietf-tls-grease-03. On Mon, Jul 8, 2019 at 6:23 PM David Benjamin <davidben@chromium.org> wrote: > Thanks for the comments! I've addressed them in > https://github.com/tlswg/draft-ietf-tls-grease/pull/10. > > On Wed, Jul 3, 2019 at 1:11 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > >> Section 1 >> >> The TLS protocol [RFC8446] includes several points of extensibility, >> including the list of cipher suites and the list of extensions. The >> values in these lists identify implementation capabilities. TLS >> >> We could probably make this text a little more precise (for one, there's >> not a single list of extensions since many messages can carry >> extensions). So, maybe "the list of cipher suites and several lists of >> extensions" and "The values transmitted in these lists"? >> > > Done. > > >> Section 2 >> >> Can we add an editorial note that values prefaced with "{TBD}" are >> suggested values but subject to change prior to final allocation by >> IANA? >> > > Done. Also made the other such notes match the style used in the TLS 1.3 > draft. > > >> Future versions of TLS or DTLS [RFC6347] MUST NOT use any of the >> above values as versions. >> >> Process-wise, this feels like an attempt to Update: the (D)TLS core >> specs, which we can't do in an Informational document. So it would >> probably be better to say something "The values thusly allocated are no >> longer available for use as version numbers by (D)TLS implemnetations". >> Things are made somewhat awkward by there not being a registry of >> protocol versions, sadly... >> > > Done. > > >> Section 3.1 >> >> Are there any of these for which we want to say "the client MUST NOT >> advertise a list consisting solely of GREASE values"? It would probably >> be fine to do this for, say, key_share, but not for, say, cipher_suites. >> But perhaps the reader will be smart enough to figure out what works >> without prodding from us... >> > > I dunno, I feel like that's a bit overkill, but I can include something in > that vein if others disagree. A cipher suite list full of GREASE is > functionally equivalent to a list containing some weird cipher no one > implements. > > >> Clients MUST reject GREASE values when negotiated by the server. >> Specifically, the client MUST fail the connection if a GREASE value >> appears any in the following: >> >> I did not attempt to audit the (omitted) list for completeness; the >> first sentence should cover any situations that are not specifically >> listed, right? >> > > It should. I replaced "Specifically" with "In particular" so that's > clearer. > > >> Section 3.2 >> >> When processing a ClientHello, servers MUST NOT treat GREASE values >> differently from any unknown value. Servers MUST NOT negotiate any >> GREASE value when offered in a ClientHello. Servers MUST correctly >> ignore unknown values in a ClientHello and attempt to negotiate with >> one of the remaining parameters. >> >> Similarly to the above, we might consider adding a parenthetical noting >> that there may not be any remaining valid parameters, and that's not >> necessarily fatal. >> > > Done. > > >> Note that these requirements are restatements or corollaries of >> existing server requirements in TLS. >> >> (side note) Some future reviewers might complain about using normative >> language to duplicate exisiting requirements from other documents; in >> this case, I don't mind, myself. >> >> Section 4.1 >> >> o A server MAY select one or more GREASE extension values and >> advertise corresponding extensions with varying length and >> contents. >> >> nit: I don't think "corresponding" is quite the right word; maybe >> "advertise those extensions"? >> > > Rephrased this and elsewhere. > > >> o A server MAY select one or more GREASE signature algorithm values >> and advertise them in the "signature_algorithms" extension. >> >> I'm not necessarily expecting any action based on this comment, but I >> note that status_request, signed_certificate_timestamp, >> certificate_authorities, oid_filters, and signature_algorithms_cert are >> also currently defined for CertificateRequest but we do not call out any >> extension-specific greasing for them. Of that list, only >> signature_algorithms_cert seems like it might be calling out for special >> handling, to me... >> > > Added signature_algorithms_cert. > > >> Section 4.2 >> >> When processing a CertificateRequest or NewSessionTicket, clients >> MUST NOT treat GREASE values differently from any unknown value. >> Clients MUST NOT negotiate any GREASE value when offered by the >> server. Clients MUST correctly ignore unknown values offered by the >> server and attempt to negotiate with one of the remaining parameters. >> >> (following the theme) I don't remember any cases where the client can >> succeed if the list becomes empty after pruning unknown values ... if we >> are deciding that we want to say anything on this topic at all. >> > > Added a similar parenthetical. > > >> Section 5 >> >> Implementations advertising GREASE values SHOULD select them at >> random. This is intended to encourage implementations to ignore all >> unknown values rather than any individual value. Implementations >> MUST honor protocol specifications when sending GREASE values. For >> instance, implementations sending multiple GREASE values as >> extensions MUST NOT send the same GREASE value twice. >> >> Feel free to tell me that I'm being internally inconsistent, but in this >> case "MUST NOT send the same GREASE value twice" does not seem like a >> good place to use normative language to restate an existing requirement. >> So I'd rather see lowercase "must not" and possibly a section reference >> to 8446 ยง 4.2 ("[t]here MUST NOT be more than one extension of the same >> type in a given extension block."). >> > > Rephrased this. > > >> Section 6 >> [[TODO: Update IANA considerations for TLS 1.3 and rebase over draft- >> ietf-tls-iana-registry-updates.]] >> >> Can the shepherd please work with the author to make the needed changes? >> >> IIRC the main change for TLS 1.3 is the "TLS 1.3" column for >> extensiontype values. >> >> Since this document is Informational, we have to be Recommended "N" for >> everything. >> > > Oh oops, I must have missed this when rebasing over TLS 1.3. Added the > relevant columns. > > >> Thanks for the note about the specific values listed being just >> suggestions. >> >>
- [TLS] AD review of draft-ietf-tls-grease-02 Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-grease-02 David Benjamin
- Re: [TLS] AD review of draft-ietf-tls-grease-02 David Benjamin