IETF Logo Mail Archive

Re: [TLS] Draft TLS Extension for Path Validation

Ashley Kopman <akopman@conceptsbeyond.com> Fri, 03 June 2022 14:03 UTC

Return-Path: <akopman@conceptsbeyond.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D843EC15AADB for <tls@ietfa.amsl.com>; Fri, 3 Jun 2022 07:03:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conceptsbeyond-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K4hBZTXN1v4z for <tls@ietfa.amsl.com>; Fri, 3 Jun 2022 07:03:49 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1DAAC15AACE for <tls@ietf.org>; Fri, 3 Jun 2022 07:03:49 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id k4so7435022vsp.3 for <tls@ietf.org>; Fri, 03 Jun 2022 07:03:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conceptsbeyond-com.20210112.gappssmtp.com; s=20210112; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=Cw23vPqtQw/zuq9Q5OapCc2z3eZ3mSllaiRGeu5jcPo=; b=eAOj5CmR7jMBm0Pjn+H5OC0TkmBptnWaeZzl2tNQLPJdGnUfCeHH4bnFSEkPn8zbP/ MF+gF8Qp7Nxed/Qld/kRVbrR+eFs5O86zEXeFemauKpv5ldrEscOgHH1ioYaj3uRxwZy v0FGeduZRwEZc4b++6q+RnlSNZZgSUz3dhlIprqsZMIywEqP6W0Ba1lcblyl1mjG7YDD 35vBe9T3/9Z5s1FaukuFIGTbTIFMdsjzva8mb9v7NTr40Ihhz1Z5UZAHxHZgzVkmGmXX vNxXcq8V9ck6Mew28E0X8e8coHZoEa2ObiaP8Xy0PlpGop/FmU0uAbTGNVc0oeY0Nzzy IJNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=Cw23vPqtQw/zuq9Q5OapCc2z3eZ3mSllaiRGeu5jcPo=; b=WFAo/ZDutpd6g5g/uRx63glWXDd1+I4tDf5rU4PsyZjxfUDHjEqmEz2oWbslUfBj7O vtX2gMag+vIQQVy8fJY35A67t0iciCvMTe9FNUSIXp09ncpQWgWJPaJXdKAcMk6PL9tA FKAepm+TJyGMt+pm1nQ3Z/MrAkSKER0jSU9Aw12h0JYt/7dn5uC+j4u1dKEwK2mzy4VM 3HZZgEmFQbjTkAWGejwkZwHa2BUc3TMc3IlrAlU6J4T6d2uvJBsgKqABJIK4qLAChU82 WMzKu13FTyXxAhneEGk/qOJfkin8uMXB9bI1NAXwO/q8IylNJNqW9o73tZ7T/ayO1Qa3 KuDg==
X-Gm-Message-State: AOAM532Td18ZAnXUvHRAtoXg7cmuhZAJ00jKeGJp2nyqdXbDK8JGO7Mn V4RoGGfkRw8L7suJ4bqVD5XfD4dyALvowA6mzKlVFtxMjxLRmbwjYRb8bt66ta35+pR4c+jCyAU 4+749XjK4ml7FMtPoTuMOfZVm1MDu5388rB1o/LTZZxWFoeoH8cnd4IZ11AJdaWih
X-Google-Smtp-Source: ABdhPJwGJzK0n/+1Sn0l8hD6okYZr1msLnCX6lBDQ2aiWG0xD6SkpQP/ShEnmsFurGsD9vJjkxL0wg==
X-Received: by 2002:a67:c297:0:b0:349:5ee1:23b4 with SMTP id k23-20020a67c297000000b003495ee123b4mr4408004vsj.43.1654265028290; Fri, 03 Jun 2022 07:03:48 -0700 (PDT)
Received: from smtpclient.apple (2603-9001-6b09-5247-11ec-d22f-ceaf-c989.inf6.spectrum.com. [2603:9001:6b09:5247:11ec:d22f:ceaf:c989]) by smtp.gmail.com with ESMTPSA id 207-20020a1f02d8000000b0034350d68fd9sm1240625vkc.0.2022.06.03.07.03.47 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Jun 2022 07:03:48 -0700 (PDT)
From: Ashley Kopman <akopman@conceptsbeyond.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B86A53EC-C251-4607-875D-83BE4CE4C83E"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Fri, 03 Jun 2022 10:03:46 -0400
References: <2790C640-0841-43BC-94CA-0890ECEA672A@conceptsbeyond.com> <Yo50IQhyJM/VABlL@LK-Perkele-VII2.locald> <3107A6D9-BF01-48D7-9626-4E6C00A4E1A6@conceptsbeyond.com> <CA+n4P2oNax-=SBharnuxuY99C6RTgOQyi3tABEbZgkRnAVybew@mail.gmail.com> <3852275a-f319-352a-98b4-9ff1c3ae5de9@htt-consult.com> <CABcZeBOeWpqR2pRiidKw2-jBw+vpXBtXF82irG1tJ64ACz711w@mail.gmail.com> <D059D3F1-C069-4C68-AEA3-EA4FA8429BFC@conceptsbeyond.com> <CAN40gStqMKY3JN27rEApZuBwGpXWYbX4QAbcXsPEu-Khr=1tZg@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
In-Reply-To: <CAN40gStqMKY3JN27rEApZuBwGpXWYbX4QAbcXsPEu-Khr=1tZg@mail.gmail.com>
Message-Id: <E32FBFBB-20B5-4BB3-853B-E504D67C20FD@conceptsbeyond.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cNYQ_e8WmLgVqR8uVEpn4nUOjh0>
Subject: Re: [TLS] Draft TLS Extension for Path Validation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2022 14:03:53 -0000

Version -01 of this draft has been submitted https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-01.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-01.txt>

It incorporates updates based on the comments we have received so far.
Limit this to (D)TLS 1.3, removed (D)TLS 1.2
Removed extension from Server Hello, only included in Client Hello and Certificate messages
Make clear that the server does not need to send the certificate chain when sending an SCVP response, only the end-entity certificate.
Thank you to everyone who has provided feedback.

Ashley Kopman


> On Jun 1, 2022, at 9:42 AM, Ira McDonald <blueroofmusic@gmail.com> wrote:
> 
> Hi Ashley,
> 
> Bear in mind that DTLS 1.3 languished in the RFC Editor's queue for over a year.
> 
> The major TLS libraries have had implementations and have been doing interop testing
> for a long time.  Simply doing software update to current library versions would make
> DTLS 1.3 available in civil aviation.
> 
> FWIW - The Common Criteria standard workgroup for Network Devices (routers, switches, 
> etc.) has approved the mandatory requirement for DTLS 1.3 in their next version (draft in 
> July 2022 for publication in fall 2022).
> 
> Cheers,
> - Ira
> 
> On Tue, May 31, 2022 at 12:32 PM Ashley Kopman <akopman@conceptsbeyond.com <mailto:akopman@conceptsbeyond.com>> wrote:
> Eric,
> 
> Thank you for your comments.
> 
> My initial concern with limiting this to (D)TLS 1.3 was that the DTLS 1.3 RFC has just been released and support is not yet widely available. However, our use case is for civil aviation and it will take time for the community begin using it. By that time there should be sufficient support for DTLS 1.3. I believe it is possible to limit this to (D)TLS 1.3. I will make the update to the draft.
> 
> Thank you,
> 
> Ashley
> 
> 
>> On May 28, 2022, at 5:27 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> I took a quick look at this draft. A few comments follow.
>> 
>> 
>> VENUE
>> The correct venue for this work is the TLS WG. This is a relatively
>> straightforward piece of work that is clearly within the TLS WG's
>> charter scope ("This includes extensions or changes that help
>> protocols better use TLS as an authenticated key exchange protocol").
>> To that end, I don't think we need a BOF or SECDISPATCH. I would
>> encourage you to ask for TLS WG time in PHL.
>>  
>> 
>> TECHNICAL
>> In general, we are trying to avoid extending (D)TLS 1.2, so it would
>> be good if we could limit this to (D)TLS 1.3. Is that possible?
>> 
>> I realize that the certificate_status message extension includes a new
>> message, but I think that's proven to be kind of an anti-pattern.
>> If you are going to put this in (D)TLS 1.2, I would just put it in
>> a ServerHello extension, which more closely parallels (D)TLS 1.3.
>> 
>> If you use extensions, then you can register them with Specification
>> Required, which would allow you to publish in the Independent Stream
>> (or some other venue) to register the code points should the TLS
>> WG choose not to take up this work.
>> 
>> -Ekr
>> 
>> 
>> 
>> On Thu, May 26, 2022 at 4:53 PM Robert Moskowitz <rgm-sec@htt-consult.com <mailto:rgm-sec@htt-consult.com>> wrote:
>> This is the Aviation use case I mentioned in earlier mails.
>> 
>> I will be submitting a BOF request tomorrow, performa.
>> 
>> Of course it is for the ADs to decide if this is a standalone BOF or a 20min slot in SECDISPATCH.
>> 
>> How much time people want to discuss it is in large measure related to the discussion we engender here.
>> 
>> Thank you for your attention.  And thank you for reviewing and making this a solid design that we can get deployed for avaiation Air-to-ground and any similar use case.
>> 
>> Bob
>> 
>> On 5/26/22 19:43, Ashley Kopman wrote:
>>> 
>>> The use case for the D(TLS) Path Validation extension in civil aviation has been submitted https://www.ietf.org/archive/id/draft-segers-tls-cert-val-ext-use-case-00.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-val-ext-use-case-00.txt> there is also referenced slide deck available http://conceptsbeyond.com/resources/SCVPValidationRequest_UseCase_CB.pdf <http://conceptsbeyond.com/resources/SCVPValidationRequest_UseCase_CB.pdf>
>>> 
>>> Thank you,
>>> Ashley Kopman
>>> 
>>>> On May 26, 2022, at 8:36 AM, Ashley Kopman <akopman@conceptsbeyond.com <mailto:akopman@conceptsbeyond.com>> wrote:
>>>> 
>>>> Ilari,
>>>> 
>>>> Thank you for your feedback.
>>>> 
>>>> You are correct in assuming that this was designed after the OCSP status_request extension. It is a valid point that the extension can likely be omitted from the server hello. The intent was to communicate to the client that the server supports the extension and will respond with the path validation information. However, since it is allowed for the server to respond with the extension and then not supply the path validation, it is not very useful overhead. I will remove the extension from the server hello.
>>>> 
>>>> You are also correct that sending the certificate chain becomes unnecessary. It was my intent to communicate that, but looking back at the draft, I don’t think I made it clear. I will add it.
>>>> 
>>>> Thank you,
>>>> 
>>>> Ashley
>>>> 
>>>> 
>>>>> On May 25, 2022, at 2:23 PM, Ilari Liusvaara <ilariliusvaara@welho.com <mailto:ilariliusvaara@welho.com>> wrote:
>>>>> 
>>>>> On Wed, May 25, 2022 at 12:40:13PM -0400, Ashley Kopman wrote:
>>>>>> Hi TLS,
>>>>>> 
>>>>>> I have just submitted a draft TLS Extension for Path Validation 
>>>>>> https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt> <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt <https://www.ietf.org/archive/id/draft-segers-tls-cert-validation-ext-00.txt>>
>>>>>> 
>>>>>> The proposal is for a Path Validation Extension to provide a new
>>>>>> protocol for TLS/DTLS allowing inclusion of certificate path
>>>>>> validation information in the TLS/DTLS handshake. Specifically, it
>>>>>> covers the use of Server-based Certificate Validation Protocol
>>>>>> (SCVP) for path validation.
>>>>> 
>>>>> Looking at how this is integrated to (D)TLS:
>>>>> 
>>>>> 
>>>>> For (D)TLS 1.2, the server extension does not seem to be technically
>>>>> necressary, and omitting it could simplify things. Yes, this design
>>>>> is the same as one used for OCSP stapling (status_request), but I
>>>>> found the server hello extension in OCSP to be seemingly unnecressary
>>>>> extra complexity.
>>>>> 
>>>>> For (D)TLS 1.3, why there are seemingly two server extensions, one in
>>>>> server hello, which is usually only used for low-level crypto stuff,
>>>>> which this is not, and another in certificate message (which makes
>>>>> sense for certificate-related thing.
>>>>> 
>>>>> 
>>>>> And this is maybe a stupid question, but I didn't find an answer by
>>>>> quickly looking at the draft nor the SCVP RFC, does the server need to
>>>>> send the certificate chain to the client if it sends the SCVP response,
>>>>> or just the end-entity certificate? Omitting the chain could save
>>>>> quite a bit of handshake size.
>>>>> 
>>>>> 
>>>>> 
>>>>> -Ilari
>>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org <mailto:TLS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org <mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org <mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>

v2.23.0 | Report a Bug | By Email