IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

Martin Thomson <martin.thomson@gmail.com> Thu, 31 May 2018 01:48 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4203812E059 for <tls@ietfa.amsl.com>; Wed, 30 May 2018 18:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id brTETRjDbx3w for <tls@ietfa.amsl.com>; Wed, 30 May 2018 18:48:37 -0700 (PDT)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3620D12DA01 for <tls@ietf.org>; Wed, 30 May 2018 18:48:37 -0700 (PDT)
Received: by mail-ot0-x22f.google.com with SMTP id n3-v6so23499933ota.5 for <tls@ietf.org>; Wed, 30 May 2018 18:48:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=uAYo1zHY/TeSPTx8+5K7rjtQjNmn3pMwaC9mVM+jssw=; b=gQW7F4/41IrK5iNkw5Pbo6VnNCtfyAuiKI3mpynVT+hqNr70UgI6XJfn/6CVF4aPC0 AhZFs01Y+8/vJbZ7L1J+WrHkhLNfJVFUdgO9WBie6daUyxr7wXpRbw1M98Z8nYASKZ5J tR30osQgR9n1EvbvgV1tkMNbR6TxqiANmDvcSHluVqwRIcb9DLF+t2p69qMhV4I8bsr8 tT5frFGUUYQLgwPzL9HEnFrud9oJ7An+mSbBhzdwkegGvU7RINjLUGNPVmp3J2j97CgZ vJx5TTzpvMsV3Cif0BrqdQ6ouPyy44reTSiCb5rkW/8jjBVAzgRjfNUVVyfNSjyi8xKI Rgeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=uAYo1zHY/TeSPTx8+5K7rjtQjNmn3pMwaC9mVM+jssw=; b=plnjfdQD6Mrzg/d/F6gqP0NhIbobCPWVCr5mV1P/aLUMPjvXLJ6ZF3Kl3Q9P95m2Gs ddMrzoMd1bQ0P7iysk7Yo+m6hdkrawVPAnQpVGGmfVwpZFe0HLXdSaib+EPfbWSU7tpM IUqUIGRlfC7DPeaF2orq4n9aDhpkdUA/PfP1V7Stfmbw83d2twAIgvgaERuCS2/tBTkR FDpWvKQ+Z551DImg5FHdH5d5IuI0MQZgLQNbvyn+Y82yT2AjtPJs4wDL8fhZmiLOn/oW XP0BveWQcVHUIFOTtt0cbhm4Enw6CkcV5I/uLJSXxsZahNtNaadiF7P0sUYMObCY7naT vK7g==
X-Gm-Message-State: ALKqPwdkyoHlrxpx4Ur+LLDMtEIrYriodCzQF6RLa0pVgWPYts08N3t6 Dlg1nowcywpYAbIkKfggjqdPNDvBUMVZMqytNA4=
X-Google-Smtp-Source: ADUXVKLxmNCw0bId96A++yoOnP5SQEnv0eCgtIJOCofmkwD4ASF37xZT5SFrjiH66K7P3Us2XOWz2QKSUyx6BldleVo=
X-Received: by 2002:a9d:3a65:: with SMTP id j92-v6mr3561619otc.352.1527731316438; Wed, 30 May 2018 18:48:36 -0700 (PDT)
MIME-Version: 1.0
References: <4E347898-C787-468C-8514-30564D059378@sn3rd.com> <1CBA2C18-DAB8-4751-B765-3BF76C7F170B@sn3rd.com> <19A28612-65CA-4667-9E4E-D47717AC9009@sn3rd.com> <CAOjisRypO2tSx4WEVqKCr7mzs2fnOTm9S5WqTLm9cGGjULVm1g@mail.gmail.com> <CAOjisRwUUjGXSanAh49aFo=DoFzuvKChD8G4150KNYF34Co3YQ@mail.gmail.com> <CABkgnnWntHXGMK4dkWtUOJ9DD9wOme+fOCK7+ejCvHufUOXNGg@mail.gmail.com> <CAOjisRwtxSQzVPfThanJ9w5T7DONEFDq--U7X-Jj7q5h80GdEQ@mail.gmail.com>
In-Reply-To: <CAOjisRwtxSQzVPfThanJ9w5T7DONEFDq--U7X-Jj7q5h80GdEQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 31 May 2018 11:48:25 +1000
Message-ID: <CABkgnnVm=iiYnmfPvT3LW0rqgSd_qLD6-bwcv7A7H-fAQQonzQ@mail.gmail.com>
To: Nick Sullivan <nicholas.sullivan@gmail.com>
Cc: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>, Mike Bishop <mbishop@evequefou.be>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/anV9pF7gO6N5ZczzGfDQnmX63B0>
Subject: Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2018 01:48:41 -0000

I've reviewed changes.  Thanks for writing them up Nick.

Two concerns:

On #26, I think that there is a misunderstanding of how
signature_algorithms and signature_algorithms_cert work.  My
understanding is that the former applies to the entire chain, unless
the latter is present, in which case the latter applies to all
signatures produced by certificates in the chain other than the end
entity certificate.  Thus, signature_algorithms entirely governs the
choice of signature algorithm that is used in TLS itself, whereas
signature_algorithms_cert (if present) governs the use of signatures
that are used in building the certification path.

#26 switches to signature_algorithms_cert exclusively.  That's an
error, I think.

In #27, I think that dropping Certificate entirely isn't a good idea.
TLS 1.3 sends it, but leaves it empty.  There are a few reasons I
mention in the PR comments.
On Thu, May 31, 2018 at 11:23 AM Nick Sullivan
<nicholas.sullivan@gmail.com> wrote:
>
> I've put together some PRs to address the comments from last call. Comments welcome.
>
> Failing CertificateVerify due to MITM text:
> https://github.com/tlswg/tls-exported-authenticator/pull/28
>
> Comments from Ben Kaduk:
> https://github.com/tlswg/tls-exported-authenticator/pull/26
>
> Authenticated Denial:
> https://github.com/tlswg/tls-exported-authenticator/pull/27
>
>
> Nick
>
> On Thu, May 24, 2018 at 5:54 PM Martin Thomson <martin.thomson@gmail.com> wrote:
>>
>> Mike just inadvertently (?) discovered a problem with exported
>> authenticators.
>>
>> TLS post handshake authentication provides an authenticated refusal when a
>> certificate can't be found.  It turns out that the current design of the
>> HTTP/2 CERTIFICATE frame might need to rely on the same capability here.
>>
>> The current draft doesn't really say anything about what happens.
>>
>> https://github.com/tlswg/tls-exported-authenticator/issues/25
>>
>> On Sat, May 12, 2018 at 9:59 AM Nick Sullivan <nicholas.sullivan@gmail.com>
>> wrote:
>>
>> > Thanks all for the comments on the draft. Let me try to summarize the
>> comments and propose next steps.
>>
>> > Tim Hollebeek had a comment about 0 as the separator. I generally don’t
>> think this is a big issue, and prefer 0 because it is a natural way to
>> terminate a string. If anyone strongly disagrees, please reply to the list.
>>
>> > Roelof duToit raised a question about middlebox interoperability,
>> specifically that the exporters will not match if the TLS connection is not
>> end-to-end. There was a subsequent discussion about where to signal this
>> property. Martin Thomson suggested a signaling mechanism at the application
>> layer (https://github.com/httpwg/http-extensions/issues/617) and Eric
>> Rescorla suggested that the fact that this could cause CertificateVerify
>> failures should be called out in the document. I'll put a PR together to
>> add some helpful text around debugging CertificateVerify failures to
>> address Eric's suggestion.
>>
>> > Ben Kaduk had three points:
>> > - The certificate_request_context is prone to collisions with
>> post-handshake authentication and there are different spaces for the server
>> and client context values. He suggested some text in Section 3 and maybe
>> more explanation in Section 5.2 as well. I’ll put together a PR for this.
>> > - Section 4.1 talks of the length of the exporter value in terms of the
>> length of the
>> > TLS PRF hash, adding that cipher suites not using TLS PRF have to define
>> a hash function, but TLS 1.3 ciphersuites do not use the TLS PRF. I’ll put
>> together a PR to clarify the text around this clarifying that for TLS 1.3
>> cipher suites, the HDKF hash is what is meant.
>> > - The “signature_algorithms_cert” extension was not incorporated into the
>> draft. I’ll put together a PR for 4.2.1., 4.2.2. and 5.1. to incorporate
>> this extension.
>>
>> > I'll have the proposed changes for the above comments ready next week.
>>
>> > There were also some uncontroversial suggestions that I propose merging:
>> > https://github.com/tlswg/tls-exported-authenticator/pull/21
>> > https://github.com/tlswg/tls-exported-authenticator/pull/22
>> > https://github.com/tlswg/tls-exported-authenticator/pull/23
>> > https://github.com/tlswg/tls-exported-authenticator/pull/24
>>
>>
>> > Nick
>>
>>
>> > On Thu, May 3, 2018 at 1:16 PM Nick Sullivan <nicholas.sullivan@gmail.com>
>> wrote:
>>
>> >> Does anyone have any comments about the draft, criticisms, or votes of
>> support?
>>
>> >> Nick
>>
>>
>> >> On Thu, May 3, 2018 at 1:12 PM Sean Turner <sean@sn3rd.com> wrote:
>>
>>
>>
>> >>> > On Apr 21, 2018, at 10:25, Sean Turner <sean@sn3rd.com> wrote:
>> >>> >
>> >>> >
>> >>> >> On Apr 19, 2018, at 16:32, Sean Turner <sean@sn3rd.com> wrote:
>> >>> >>
>> >>> >> All,
>> >>> >>
>> >>> >> This is the working group last call for the "Exported Authenticators
>> in TLS" draft available at
>> https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/.
>> Please review the document and send your comments to the list by 2359 UTC
>> on 4 April 2018.
>> >>> >
>> >>> > … 4 May 2018 ...
>>
>> >>> Just a reminder the WGLC ends tomorrow.
>>
>> >>> spt
>> >>> _______________________________________________
>> >>> TLS mailing list
>> >>> TLS@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/tls
>>
>> > _______________________________________________
>> > TLS mailing list
>> > TLS@ietf.org
>> > https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email