IETF Logo Mail Archive

Re: [TLS] Spencer Dawkins' No Objection on draft-ietf-tls-tls13-26: (with COMMENT)

Sean Turner <sean@sn3rd.com> Thu, 08 March 2018 13:32 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CDE9126CE8 for <tls@ietfa.amsl.com>; Thu, 8 Mar 2018 05:32:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10ZsEfZHoSLP for <tls@ietfa.amsl.com>; Thu, 8 Mar 2018 05:32:25 -0800 (PST)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85AEA126E64 for <tls@ietf.org>; Thu, 8 Mar 2018 05:32:25 -0800 (PST)
Received: by mail-qk0-x22c.google.com with SMTP id z197so6745389qkb.6 for <tls@ietf.org>; Thu, 08 Mar 2018 05:32:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=daET1AB6hEbDU9VAbl2WvhH0LKaqjdUaRkhD2kPPA6I=; b=cWKVaJJsfZNo6wGNNzgL0Wsm6//B7xQuCKjbCZtqkTwkdca4pkWmsUUMe9B5QVd8nD 681WdBv1kdy/c0UzGX5hcKGYwgn/6CzG6cQ9H18BaXGIDKs3vWR4nvoR1qdiFPcBP0fx 75YbPxOd28F2PMnpuMNfnvFCaQXF5A1IzZg6Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=daET1AB6hEbDU9VAbl2WvhH0LKaqjdUaRkhD2kPPA6I=; b=J0dXpTNfvfYi8pWAr0lpp9RBlAs9kQezqjCW5ZVtdjyIadNJINYJojWPOpchmq+Xyh uZFeqvXwc6uQv40rIe90o38ea7YmjzSHH6KmHvVTBNfdsAe3Eee/PA8Pm9tP387SowW/ DvfyX/Ag2IRXA/h2uYbjVEPcfELfwc/cqheuW8rjtTgsJea0mGZlqj8nbv+KtmV/FtXM IptxXqAI5+7//ociPbigZXfKKBETVjHrKeCRKifgkO6fCOS+U4EyD4DJ+p9ORzEs5AKT UcNNCwfJJ7tFf2K9He2HHtjYLuVBX9CZsjjhz3VnKX0HcZAXAr74eOHwAqD6fiOkmIhJ 8Rpg==
X-Gm-Message-State: AElRT7G9UNitOH+UMgTANLlku2hhL5jEhgKiwJYUWd0aN6rO3qzOrqEQ 6HctUvBkA75QpU+DJP+rumPgdw==
X-Google-Smtp-Source: AG47ELsHZQQ0qWkDVRx04I8yOoCikPtS7Gva4ehjyDkJK3XuPollC6CypDZrjs5CI8vm+j1HWOySWQ==
X-Received: by 10.55.40.194 with SMTP id o63mr40424839qko.49.1520515944585; Thu, 08 Mar 2018 05:32:24 -0800 (PST)
Received: from [172.16.0.18] ([96.231.225.106]) by smtp.gmail.com with ESMTPSA id i185sm12658014qkd.30.2018.03.08.05.32.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 08 Mar 2018 05:32:23 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CABcZeBNSyTcm07wF82-amxWaWQyxnVZHd76_=9+CB-9ap_nVTg@mail.gmail.com>
Date: Thu, 08 Mar 2018 08:32:08 -0500
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-tls13@ietf.org, tls-chairs <tls-chairs@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AFD79771-1B2F-4F78-B951-60A8CCF24157@sn3rd.com>
References: <152048673810.21351.933470084847190231.idtracker@ietfa.amsl.com> <CABcZeBNSyTcm07wF82-amxWaWQyxnVZHd76_=9+CB-9ap_nVTg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, Spencer Dawkins <spencerdawkins.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aztSEcmp9mgq9ysv-j-nwlr22zU>
Subject: Re: [TLS] Spencer Dawkins' No Objection on draft-ietf-tls-tls13-26: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 13:32:28 -0000


> On Mar 8, 2018, at 08:10, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Wed, Mar 7, 2018 at 9:25 PM, Spencer Dawkins <spencerdawkins.ietf@gmail.com> wrote:
> Spencer Dawkins has entered the following ballot position for
> draft-ietf-tls-tls13-26: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Nice work. Of course, no one reads a 150-page document without wondering about
> a few things ...
> 
> I suspect that
> 
>    Because
>    TLS 1.3 changes the way keys are derived it updates [RFC5705] as
>    described in Section 7.5 it also changes how OCSP messages are
>    carried and therefore updates [RFC6066] and obsoletes [RFC6961] as
>    described in section Section 4.4.2.1.
> 
> is a run-on sentence. Perhaps a period after "section 7.5"?
> 
> Thanks, yes.

Fix in https://github.com/tlswg/tls13-spec/pull/1169

> Is "forward secrecy" (the term used in this draft) the same thing as "perfect
> forward secrecy" (the term I hear most often, and it does appear in one
> reference title)?
> 
> Close enough. The basic problem is that people get hung up on "perfect".
> So, consider the case where you generate a fresh DH key every hour or
> so, but you reuse it for that period. It's clear you get forward secrecy
> once that key s deleted but is that "perfect" because you have a window
> of exposure uring that hour? So, we just decided to use "forward secret"
> 
> The use of "mandatory" as the name of a vector in
> 
>   In the following example, mandatory is a vector that must contain
>    between 300 and 400 bytes of type opaque.
> 
> was pretty hard to parse until I read further. Did anyone else find that
> confusing?
> 
> I don't :)

It’s at least on the same page so it’s not too hard to scan lower.  If we called it hooziewazit it’ll still be after it ;)

> In this text,
> 
>   When multiple extensions of different types are present, the
>    extensions MAY appear in any order, with the exception of
>    "pre_shared_key" Section 4.2.11 which MUST be the last extension in
>    the ClientHello.  There MUST NOT be more than one extension of the
>    same type in a given extension block.
> 
> I didn't see what to do if the MUST NOT is violated. Is that worth mentioning?
> 
> I don't think it's necessary. In general, you can always abort on a protocol
> violation like this, but there's no known reason you would *need* to, other
> than it would create interop problems if (say) A thinks extension #1 matters
> and B thinks #2 matters, but of course there are lots of possible causes
> of interop. This is different from cases where there are clear security
> problems if you don't check some value or something.
> 
> 
> In this text,
> 
>    An
>    implementation which receives any other change_cipher_spec value or
>    which receives a protected change_cipher_spec record MUST abort the
>    handshake with an "unexpected_message" alert.  A change_cipher_spec
>    record received before the first ClientHello message or after the
>    peer's Finished message MUST be treated as an unexpected record type.
> 
>    Implementations MUST NOT send record types not defined in this
>    document unless negotiated by some extension.  If a TLS
>    implementation receives an unexpected record type, it MUST terminate
>    the connection with an "unexpected_message" alert.  New record
>    content type values are assigned by IANA in the TLS Content Type
>    Registry as described in Section 11.
> 
> I wondered if there was a difference between an unexpected record type and and
> unexpected message.
> 
> Ah, good. One alert for two conditions:
> 
> 1. An unexpected record type at the record layer.
> 2. An unexpected handshake message.
> 
> 
> I wondered why
> 
>    Newer
>    clients or servers, when communicating with newer peers, SHOULD
>    negotiate the most preferred common parameters.
> 
> was not a MUST.
> 
> Ugh, this is actually not even a normative statement, It's just a statement of
> what the protocol is supposed to do. Good catch!

I made it a MUST in:
https://github.com/tlswg/tls13-spec/pull/1172

spt

v2.23.0 | Report a Bug | By Email