Re: [TLS] Query for consensus on an "experimental/private-use" extension identifier

Kyle Hamilton <aerowolf@gmail.com> Fri, 18 December 2009 00:27 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7424A3A67AF for <tls@core3.amsl.com>; Thu, 17 Dec 2009 16:27:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.573
X-Spam-Level:
X-Spam-Status: No, score=-2.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwocfvKsgRuz for <tls@core3.amsl.com>; Thu, 17 Dec 2009 16:27:40 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id 4E6853A68C8 for <tls@ietf.org>; Thu, 17 Dec 2009 16:27:40 -0800 (PST)
Received: by pwi20 with SMTP id 20so1748701pwi.29 for <tls@ietf.org>; Thu, 17 Dec 2009 16:27:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=+58oWMULo7vNX2TS97Dgwlt8bhR6L4kP9fAzLBYttpg=; b=dlrW9xk+Y4SsJJmWPv6DklaW90Il2xEIISY6zkju7tPSKYHLkDFTWcyQnv4UXmv9j/ 0kBMnj98y9X78/PHYolH5jhoutf9XPQE/e17ZminrD9Aj9cxdzk7Lqz6ZrA4kwfDSC/W JCEXLSqRTz4Tunoto6TRBl67nmgNXlCe2EIs0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=uPEinlO5nVHHID5IfpOQQ50v/d1XiCGwVVgLVFFr2Oc7NO6PSmuXIR70x5Kr+NDP9R pIMW1PIs7oO4007a4brFlXKv7M1N1qJ3SXIofruXBmfkE4ghN/pB27M89i5kj8WSnaL9 giePSIAlFxpdwIdpPVp1Dqg8up21pNV3hZ9ZA=
MIME-Version: 1.0
Received: by 10.143.20.21 with SMTP id x21mr2096393wfi.17.1261096040801; Thu, 17 Dec 2009 16:27:20 -0800 (PST)
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31F77BEE@NOK-EUMSG-01.mgdnok.nokia.com>
References: <6b9359640912171335s76c04cc7o9434986d236c334b@mail.gmail.com> <808FD6E27AD4884E94820BC333B2DB774F31F77BEE@NOK-EUMSG-01.mgdnok.nokia.com>
Date: Thu, 17 Dec 2009 16:27:20 -0800
Message-ID: <6b9359640912171627v16628a8g49e1644d74920644@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Pasi.Eronen@nokia.com
Content-Type: text/plain; charset="UTF-8"
Cc: tls@ietf.org
Subject: Re: [TLS] Query for consensus on an "experimental/private-use" extension identifier
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2009 00:27:41 -0000

On Thu, Dec 17, 2009 at 2:25 PM,  <Pasi.Eronen@nokia.com> wrote:
> The "IETF Consensus" number allocation process is described in RFC
> 2434: it means writing an Internet-Draft, and getting it published
> as an IETF stream RFC (the actual allocation happens when the
> draft has been approved by the IESG).

Alright.  I'm just asking you (in your AD hat, thus this is an "IETF
Submission" under RFC2434):  Is there a particular way I have to use
the I-D submission tool?  Or do I just write an I-D that conforms to
the IETF format, upload it, and call it
'draft-hamilton-tlsext-private-allocation.txt' or something?

> However, I'd like to add that often such "private use" identifiers are
> intentionally designed so that they would trample over each other (so
> that they only work for private use/mutually agreed experiments, and
> are not used just to avoid going through the IETF process).
>
> If we, for example, created a "private use" extension where the first
> 4 bytes are the Enterprise Number (which anyone can get just by
> filling a web form), the effect would probably be pretty much the same
> as changing the IANA allocation policy for the whole registry to
> "First Come First Served".

Nobody would be forced to either use it or act on it, and it is a
viable mechanism for extensions that applications actually find
themselves needing (in my case, I need to obscure both the list of CAs
that the peer acting as the server will accept and the list of CAs
that the peer acting as the client will accept, in a way that is
noncompliant with the TLS specification).  I actually have a PEN,
22232.  I was thinking of making the first part of the extension be
the OID, in text form, of the extension.  Nobody would have to
interact with one that they do not understand.  (If an extension is
offered by the client, and is not recognized by the server, the server
doesn't send it back.  The client then has the option of continuing or
aborting the connection.  This was all specified as part of TLSEXT,
and I can't see anyone who's actually implementing a different
security policy than the one I have to work with actually doing
anything with the data therein (that's tagged with my policy) -- it
would only be able to be used by implementations that understood it,
and still be in the handshake message hash for those implementations
that didn't.)

The problem that exists in the the TLS WG is that it (collectively)
thinks its members knows everything, every possible location where its
protocol could be used, and thus every possible policy that it could
possibly be wanted to run under.  This leads the TLS WG to attempt to
encode what they think policy should be ('an unauthenticated server
MUST NOT send a ClientCertificateRequest; if it does, the client MUST
terminate with a fatal handshake_error') into absolute requirements in
technical documents, which is an absolute mistake.

I have several ideas that would extend the range of policies that can
be used in TLS -- among others, an election protocol for two peers,
neither of which believing it's a server or a client -- perhaps a peer
to peer protocol that says "we know how to do TLS" so that they just
operate in conjunction with each other, to essentially 'draw lots' for
who the server should be.  I'm also playing around with an idea where
a TLS-capable file descriptor is opened to a listener which
immediately sends a ClientHello, not a ClientHelloRequest.  I'm
playing around with them (they require a modification of the handshake
protocol sequence), but I do have a concrete reason why I need an
extension: the definition of "acceptable CA names", as it exists in
the TLS specification, cannot be changed among compliant
implementations.  In my case, I'm working with a bunch of peers, most
of which don't want to advertise in the clear that each accepts a
particular CA.

Since there's no way to know which CAs a particular peer works with
(the entire reason for the "acceptable CA list" in SSLv3 and TLS),
this means that I need to shash all of the names of CAs that the
client-cert holder has, and I need to be able to match them on the
peer with the list of acceptable CAs.  This is arguably the same
operation as sending "what CAs I will accept" from the server to the
client, and thus already belongs in the handshake hash.  Since I'm
trying to minimize the disruption to the protocol, this requires
either an extension, or the use of an additional record type (which
I'm not comfortable using, because it won't be included as part of the
handshake calculation).

The fact is that the working Area you are the Director of isn't really
motivated to provide workable security.  Each member is only motivated
to provide *the best security that they themselves need*.  Security is
a bunch of trade-offs, and one of them is "Secure so that the cost of
breaking the security is only slightly beyond the value of what is
secured".  In the grand scheme of things, TLS could have been made a
lot more generalized, and more people beyond SMTP and HTTP would
actually use it.

Since the range of available extension numbers is 15-34, I can't
simply ask for one for a single application.  I aim for my application
(and TLS implementation) to be compliant with the spec; I'm simply
stuck under additional constraints/requirements that TLS can not and
will not flex to accommodate.

Thus, my desire is for an extension that can be used for private
signalling among implementations that understand it.  There isn't even
a 'private use' allocation, much less a 'research' allocation.  And
that's just moronic.  (Or maybe it isn't.  Forcing entities which
understand this extension to do a sanity check on the data it
contains, rather than blindly accepting it, might do wonders for
increasing error detection rates.  Then again, my cynicism says it
won't.  Either way, I have a legitimate private need to be able to use
an extension that otherwise doesn't exist.)

I'd rather have a single extension that can have multiple semantics
than a single extension for each possible semantic; because of this,
it requires a means of signalling which semantic to use for it.  I'd
also like to see the more successful semantics break out of the
private-use extension mold and into standardized semantics, while the
less successful ones fade back into the primordial soup of unrealized
ideas.

-Kyle H