IETF Logo Mail Archive

Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt

Eric Rescorla <ekr@rtfm.com> Mon, 03 September 2018 15:31 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A073E1292AD for <tls@ietfa.amsl.com>; Mon, 3 Sep 2018 08:31:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFfI2klq4dbv for <tls@ietfa.amsl.com>; Mon, 3 Sep 2018 08:30:58 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1845112008A for <tls@ietf.org>; Mon, 3 Sep 2018 08:30:58 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id j19-v6so772243ljc.7 for <tls@ietf.org>; Mon, 03 Sep 2018 08:30:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pzon2TO9dCFJcOwbLEu46FIN38POTvH7s4PO7Yt//28=; b=yq8sJscNXZ/8MzLiWohObg3N9jD9aDvN4EGBNtGA/+WeScSNsqe6t+/aqGbUatIpkk VKss83fzxgb7ODwG1i8Aa4yo9tdN671dAWlf57FOOYGd44ib1tE5TXGN3ltW++Pxj+g5 L1MKU/VLB9goFIawlW5+UK/rLZIo7ezWEOrduD9xrzr6U8ngUAJ8RIDtqaymCDPQpfAb ifOGC4+nJrmO2kfyX015fotA4G5YLsK6Hfg3VlibL+/fdNEwg2dFUCEdWArf7aXboqCc lRaC0aEOQs2EIVlfNU72/2OvG2LafZhTgs9PjzNALcinYRXUPdbl8UyEq5YrK2w2MIT8 53nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pzon2TO9dCFJcOwbLEu46FIN38POTvH7s4PO7Yt//28=; b=abhuVogwWL7Wfr43+Y52benzH80HET1F0r0VUbYRciK0pv5tcHBZwm+6UGv126LBS0 cRQiZD4rQtHmqZBzjgHjKtfBUI+Q3d12bxcNatLJ4pQK2XZMQ6jObZMQ/nDsSGog3VLw BKpWtw2W9y9DdqKPKMKvKmFuNwZWrnsO/F0iwWjRqKkdl02L4EeMbQp4viZDTm2POMdL 2uRhX6Nz+MItTWEf7k1DArKWk7NLDJDf1Di/XlWrSKDavhUpjSrpWSE4a+BCkrHe+Qks 56M1ErUsEenYlblpvt0X75bAjWwAet/sRZt+P4uszAMrRIl27szRALUy2PZQb19rCnlP FiGA==
X-Gm-Message-State: APzg51DaW51A/HL3Wzl7vZtzkKJrOFMQY39W52K3HOkWUNt41GA9Z1Hi uztA5fg1HMezhoOMQpJJxWdDkgWindxdQY1IbAq12Q==
X-Google-Smtp-Source: ANB0VdYcrza+Mi2KU1+BLbXztIWt7Q1Ue0y4tCHDSDv2MJ/G8FuA6W4sITLvW6hA/E27qReTPEpweGu7eEgNvnBvMog=
X-Received: by 2002:a2e:1248:: with SMTP id t69-v6mr17101013lje.129.1535988656373; Mon, 03 Sep 2018 08:30:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:538a:0:0:0:0:0 with HTTP; Mon, 3 Sep 2018 08:30:15 -0700 (PDT)
In-Reply-To: <4271830.1rrzgRcsFr@pintsize.usersys.redhat.com>
References: <153569768626.3253.16680905114240291331.idtracker@ietfa.amsl.com> <12005079.7UJsg1mpg9@pintsize.usersys.redhat.com> <CABcZeBNYGujXNYggham456ex0OWtqN0JP1x38wFpMt2qbUGRsA@mail.gmail.com> <4271830.1rrzgRcsFr@pintsize.usersys.redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 03 Sep 2018 08:30:15 -0700
Message-ID: <CABcZeBOfuUAofdt7kdK-qW1OP+evSrhiiDHQbMqBO9NmQegZ2Q@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e11b80574f93aa0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_ujiHwXIUirjxCFJ78bu-QhUbgo>
Subject: Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Sep 2018 15:31:00 -0000

On Mon, Sep 3, 2018 at 8:20 AM, Hubert Kario <hkario@redhat.com> wrote:

> On Monday, 3 September 2018 17:15:24 CEST Eric Rescorla wrote:
> > On Mon, Sep 3, 2018 at 7:28 AM, Hubert Kario <hkario@redhat.com> wrote:
> > > On Monday, 3 September 2018 16:01:22 CEST Eric Rescorla wrote:
> > > > On Mon, Sep 3, 2018 at 4:18 AM, Hubert Kario <hkario@redhat.com>
> wrote:
> > > > > On Sunday, 2 September 2018 15:30:45 CEST Bruckert, Leonie wrote:
> > > > > > Htmlized:
> > > > > > https://tools.ietf.org/html/draft-bruckert-brainpool-for-
> tls13-00
> > > > > >
> > > > > > Abstract:
> > > > > >    This document specifies the use of several ECC Brainpool
> curves
> > >
> > > for
> > >
> > > > > >    authentication and key exchange in the Transport Layer
> Security
> > >
> > > (TLS)
> > >
> > > > > >    protocol version 1.3.
> > > > >
> > > > > So I understand why you need SignatureScheme registrations, but I'm
> > > > > completely
> > > > > missing the need for NamedGroup registrations – are the 26, 27 and
> 28
> > > > > tainted
> > > > > somehow?
> > > >
> > > > Yes. They are explicitly prohibited by the TLS 1.3 spec. See the
> > > > previous
> > > > discussion on-list.
> > >
> > > well, implementations that receive them in TLS 1.3 still MUST ignore
> them,
> >
> > What text do you believe requires that?
>
> every one that deals with forward and backward compatibility... the whole
> GREASE I-D...
>

You're going to need a much more concrete reference than that. In general,
if you receive a message that violates a MUST-level requirement, absent
some very specific requirement that you ignore that violation, you're
justified
in aborting the connection.




> > > not
> > > abort connection, so I still think it will create less confusion to
> > > re-allow
> > > them than to re-assign new codepoints
> >
> > The issue is that it's not possible to distinguish a non-compliant TLS
> 1.3
> > implementation which is inappropriately sending these code points from
> > one which actually supports Brainpool with TLS 1.3. Using new code
> > points makes this clear.
>
> and why having that distinction is that important?
>

Because otherwise you are risking interop problems:

1. A stack which supports TLS 1.2 and TLS 1.3 but only supports Brainpool
for TLS 1.2 (the only kind you can write at this point), and inappropriately
advertises the Brainpool curves in violation of the MUST above.
2. A stack which supports TLS 1.2 and TLS 1.3 and supports Brainpool for
both (assuming that we adopt your proposal and reactivate these code
points).

If stack 2 receives a CH from stack 1 and responds by selecting a Brainpool
curve, then there will be an interop issue when it sends an HRR [0]
selecting
the Brainpool curve.

-Ekr

[0] I'm assuming that the client doesn't offer a Brainpool KeyShare.

v2.23.0 | Report a Bug | By Email