[TLS]Re: Discussions on Trust Anchor Negotiation at IETF 120

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 29 July 2024 17:08 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2715BC15107A for <tls@ietfa.amsl.com>; Mon, 29 Jul 2024 10:08:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KO57XLRDm793 for <tls@ietfa.amsl.com>; Mon, 29 Jul 2024 10:08:07 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8725C14F6BC for <tls@ietf.org>; Mon, 29 Jul 2024 10:08:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id C331A1CF03 for <tls@ietf.org>; Mon, 29 Jul 2024 20:08:02 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 4H4LeanVQJNj for <tls@ietf.org>; Mon, 29 Jul 2024 20:08:02 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 8AB36230A for <tls@ietf.org>; Mon, 29 Jul 2024 20:08:01 +0300 (EEST)
Date: Mon, 29 Jul 2024 20:08:01 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <ZqfMcdieFaJxizJi@LK-Perkele-VII2.locald>
References: <d1589f89-35cb-489f-b195-30feb3e7e40f@dennis-jackson.uk> <SN7PR14MB6492663C2AE4A15639D62F5583AA2@SN7PR14MB6492.namprd14.prod.outlook.com> <e7aee41a-0df4-4048-8692-6805d06cfadd@dennis-jackson.uk> <CAEEbLAa5bZ3zQX=A74THsxtgkryF4sCVCt1P+BTdDi9faraciw@mail.gmail.com> <37483eb9-baed-468e-94d0-bf5054f878e1@dennis-jackson.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <37483eb9-baed-468e-94d0-bf5054f878e1@dennis-jackson.uk>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: FDF763KUNYSXMGHJWORZOK3DYZGJ4LS2
X-Message-ID-Hash: FDF763KUNYSXMGHJWORZOK3DYZGJ4LS2
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Discussions on Trust Anchor Negotiation at IETF 120
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_2R7X4EZGG1OMhrbqpuBXc5-mbQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Sat, Jul 27, 2024 at 06:56:17PM -0700, Dennis Jackson wrote:
> On 26/07/2024 15:24, Sophie Schmieg wrote:
> 
> > I don't think trust anchor negotiation needs a lot more discussion, over
> > what has happened already. All in all, I think it's a good mechanism
> > that is fairly well defined and it's not clear to me how it would
> > benefit from an interim.
> 
> The Trust Anchor Identifiers draft was first published only 4 weeks ago,
> received less than 10 minutes of discussion in the meeting and has a lot of
> unaddressed issues.
> 
> As I noted, many participants in the meeting expressed a preference for an
> interim so I would be surprised if there was support for adoption.
> Especially as the concerns I want to present are fundamental to the design
> rather than about issues which could be addressed later.

Another concern with TAI is its interaction with ECH.

- Currently, the draft retries the entire connection on failure. The
  worst-case number of connection attempts required is exponential in
  number of extensions that do whole-connection retries. Since ECH
  does that, TAI+ECH can require up to four connection attempts.

- For another correction mechanism, only HRR seems feasible. All the
  others would require modifying very sensitive places in TLS, which
  would require very careful analysis. Worse, such mechanisms would
  also alter handshake state machine, which could have severe impact
  on implementations.

  However, using HRR might not resolve the whole problem, because ECH
  might have some residual issues with anything that triggers HRR.


Another major concern with retrying entire connection on failure is
requiring major API changes on client side, in turn requiring major
application changes (outside things like HTTP client libraries,
which could encapsulate the changes).

In comparison, interface to give advice from DNS (even if it
requires application changes) is much more minor modification.
 
Even minor-looking things (e.g., asynchronous handshake signing) can
have major API implications.




-Ilari