IETF Logo Mail Archive

Re: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02

Subodh Iyengar <subodh@fb.com> Wed, 16 January 2019 02:35 UTC

Return-Path: <prvs=6919d9c1bf=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C98B13103A for <tls@ietfa.amsl.com>; Tue, 15 Jan 2019 18:35:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.394
X-Spam-Level:
X-Spam-Status: No, score=-5.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=cp/bHGx7; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=TuWcDMQV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DjVGk5PSKg4Y for <tls@ietfa.amsl.com>; Tue, 15 Jan 2019 18:35:32 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3239B131016 for <tls@ietf.org>; Tue, 15 Jan 2019 18:35:32 -0800 (PST)
Received: from pps.filterd (m0044010.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0G2UIaF003441; Tue, 15 Jan 2019 18:35:30 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=t08tGsEYA/6IYaORxajqQ1ADN/2nbbEfxtHFSuOiNkQ=; b=cp/bHGx7yOhFkxgcmMWVPkzaT2RDnSZkhXC/AlW+Uxvp2MUwnFgK5kQYGAMdLgLWhDw2 pPQcxpam1TSbobo/N/7Tsm44TYYVwzwCT4vipUs1eD3lyBuVqkPl72evsLV+dbmsZnlC ZWn2PMYslCK750TVfOQ0YivLj3eSJnVbaT4=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0a-00082601.pphosted.com with ESMTP id 2q1rt60grj-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 15 Jan 2019 18:35:29 -0800
Received: from frc-mbx03.TheFacebook.com (2620:10d:c0a1:f82::27) by frc-hub02.TheFacebook.com (2620:10d:c021:18::172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3; Tue, 15 Jan 2019 18:35:22 -0800
Received: from frc-hub05.TheFacebook.com (2620:10d:c021:18::175) by frc-mbx03.TheFacebook.com (2620:10d:c0a1:f82::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3; Tue, 15 Jan 2019 18:35:22 -0800
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3 via Frontend Transport; Tue, 15 Jan 2019 18:35:22 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t08tGsEYA/6IYaORxajqQ1ADN/2nbbEfxtHFSuOiNkQ=; b=TuWcDMQV9VM1oXxRT+2CDflMMSU879OaEhAdukgGEfCQFuMAEPSzdPJMWauu+RVXYanWcB1Hcl1cFuQHY338+qf81MhH5YoOG67qg0WqjchL8ipOsgwtpADmGvkWYvQxbK76qe9AN8B1Y/OrLWDFwhRKoC4zJ5uUMIfHsFvTUeA=
Received: from MWHPR15MB1821.namprd15.prod.outlook.com (10.174.255.137) by MWHPR15MB1840.namprd15.prod.outlook.com (10.174.255.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.18; Wed, 16 Jan 2019 02:35:21 +0000
Received: from MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::2dcf:43ad:f1a5:4eca]) by MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::2dcf:43ad:f1a5:4eca%8]) with mapi id 15.20.1537.018; Wed, 16 Jan 2019 02:35:20 +0000
From: Subodh Iyengar <subodh@fb.com>
To: Watson Ladd <watson=40cloudflare.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02
Thread-Index: AQHUrTjO5Xfdo/YFZ0WGZmDoo9VjL6WxKkyZ
Date: Wed, 16 Jan 2019 02:35:20 +0000
Message-ID: <MWHPR15MB1821A7E45DDEED81D2018F03B6820@MWHPR15MB1821.namprd15.prod.outlook.com>
References: <CAN2QdAGyvhDG=PjqUjQ4OdjKvTtN_zGxdNf3iKGdN+tHeDRAkw@mail.gmail.com>
In-Reply-To: <CAN2QdAGyvhDG=PjqUjQ4OdjKvTtN_zGxdNf3iKGdN+tHeDRAkw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [166.216.158.10]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1840; 20:qcRFMcyGHZ6EUwnfo64Jpb6IgWGElQLHnT5a4KoLzUAuLVmXrT5ZgKB1ihMdNJUiCW0aXAyktvJh8mLFptQs3NlU2Ma2ephKJqtF6StzY05+YoU95RbzNpeDGrn+EDsbBPnDXhhOrIW8tpPVpn64WrvV52iEDqkk0Kjad1lNM4E=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: b3e5e38e-dc3e-4e73-d13c-08d67b5b4291
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:MWHPR15MB1840;
x-ms-traffictypediagnostic: MWHPR15MB1840:
x-microsoft-antispam-prvs: <MWHPR15MB18404BAFF901750BD051002DB6820@MWHPR15MB1840.namprd15.prod.outlook.com>
x-forefront-prvs: 091949432C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(136003)(366004)(376002)(346002)(396003)(199004)(189003)(54094003)(2906002)(99286004)(2501003)(3846002)(86362001)(71190400001)(71200400001)(8676002)(55016002)(966005)(6246003)(606006)(14454004)(316002)(229853002)(6436002)(97736004)(6606003)(6116002)(74316002)(110136005)(68736007)(102836004)(26005)(256004)(6506007)(53546011)(8936002)(76176011)(81166006)(236005)(9686003)(5660300001)(186003)(25786009)(54896002)(81156014)(33656002)(105586002)(476003)(7696005)(446003)(66066001)(11346002)(486006)(53936002)(7736002)(19627405001)(14444005)(478600001)(106356001)(6306002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1840; H:MWHPR15MB1821.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: rejjvc57ftAvoPOSZAqLleLN+iYRbWvs+bBmwurs1eI6j5mwV94XuzaVxHjsQ4GuS75BCnN/9aVpxFwAUHtkGx0GoR+KN/g+5HvtgQWGfM/Nx+akkJantnfDIj1eq7ISSfzgOlyDLbwGpNFt2Hrp/N55o3H0WquvtdiL+1ZIQppQ7barUIoEZg3U/kdeI0VFkrT1XQj0Yb9wIfOElpTZHQ1VdlXuXPpeNzQqqFfu74wnfvzg5vU8Jwd+I3rolYASgnCKp+ynl+UBKeZPJxAli9Cve1wxctfgY2swESQUDMgMw9n9WREbKhxNryAKxwAImWsc8Rei7zMEpzlHZz2YIopiaEKLagwaGP0gPuE4u6744PfTWHxix1YaxB1HDvvqky0fvaU04/6OS+vbDwquMDMWtDbp5PRPuzxGBtmSciw=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB1821A7E45DDEED81D2018F03B6820MWHPR15MB1821namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: b3e5e38e-dc3e-4e73-d13c-08d67b5b4291
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jan 2019 02:35:20.7155 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1840
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-16_01:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c3zEvUPff0ZkglRqmLSJN1PEw6E>
Subject: Re: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 02:35:35 -0000

Thanks for bringing these up Watson


>The first is that a delegated credential is pinned to a particular
version of TLS. Unfortunately this means that the rollout of a new
version of TLS (which libraries consider that they can do on their
own) makes an existing set of delegated credentials unusable, and the
signer of delegated credentials needs to accept a new version of TLS
as valid before the extension can be used with a new version. This is
similar to the issues prompting
draft-wood-tls-external-psk-importer-00 where PSKs depend on
negotiated parameters, and thus are difficult to use in practice.


Usually the negotiation happens during the processing of the client hello.

The certificate decision gets made a later. Is there a specific implementation detail

you're concerned about.


I think the negotiation of TLS version should be done first before deciding to use

DCs, and this needs to be done anyway because DCs are only valid TLS 1.3 and higher.


The existing set of creds would become invalid with a future version of TLS.

The method by which the TLS terminating server receives the DC is out of scope of this

document, however I hope people implement some sort of structure to their backend like


DC_objs = [ DC_obj1, DC_obj2,. ...]

DC_obj = { tls_version, private_key, DC structure, .etc.. }


which would make it so that they would automatically get new creds when they are updated.


Also there is the option of falling back to LURK style service if the DC doesn't exist. I wonder

if there is anything I'm missing here. The original rationale around DCs being bound to version

was to be able to preventing some attack on the current version of TLS which might expose an

oracle to be used against a future version of TLS that might fix it (like DROWN). If we think that this is not super

useful since we will never have oracle attacks in TLS 1.3, we can remove it as well.

> The second is that the DelegatedCredential indicates the algorithm
that was used to sign it. Someone who is a bit careless when
implementing might take that literally with the result that they
verify a DelegatedCredential with RSA algorithm and the certificate is
really an ECDSA certificate. I'll submit a PR with text for security
considerations/rewording the verification steps.


That would be great.


Subodh

________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Watson Ladd <watson=40cloudflare.com@dmarc.ietf.org>
Sent: Tuesday, January 15, 2019 5:13:17 PM
To: tls@ietf.org
Subject: [TLS] Version pinning and indicating the signing algorithm in draft-ietf-tls-subcerts-02

Dear TLS WG,

While we were implementing delegated credentials we came up with the
following two problems. I thank David Benjamin for communicating the
first to me.

The first is that a delegated credential is pinned to a particular
version of TLS. Unfortunately this means that the rollout of a new
version of TLS (which libraries consider that they can do on their
own) makes an existing set of delegated credentials unusable, and the
signer of delegated credentials needs to accept a new version of TLS
as valid before the extension can be used with a new version. This is
similar to the issues prompting
draft-wood-tls-external-psk-importer-00 where PSKs depend on
negotiated parameters, and thus are difficult to use in practice.

The second is that the DelegatedCredential indicates the algorithm
that was used to sign it. Someone who is a bit careless when
implementing might take that literally with the result that they
verify a DelegatedCredential with RSA algorithm and the certificate is
really an ECDSA certificate. I'll submit a PR with text for security
considerations/rewording the verification steps.

Sincerely,
Watson

_______________________________________________
TLS mailing list
TLS@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwICAg&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=ZnSY03FUuGDkpTjaYw9S-739-JBe-iqsIaeiu32GMvU&s=sxKHoBLptrk0e_hub5oKvfRWf1akiS095tuHtXLCZ38&e=

v2.23.0 | Report a Bug | By Email