[TLS] Secdir last call review of draft-ietf-tls-certificate-compression-07

Christian Huitema via Datatracker <noreply@ietf.org> Fri, 29 November 2019 01:01 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B6A84120801; Thu, 28 Nov 2019 17:01:37 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Christian Huitema via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, draft-ietf-tls-certificate-compression.all@ietf.org, tls@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.111.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Christian Huitema <huitema@huitema.net>
Message-ID: <157498929764.5575.7815291384505057169@ietfa.amsl.com>
Date: Thu, 28 Nov 2019 17:01:37 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/f-I8Byt2WKg_TIjIrRsofLyS_Ns>
Subject: [TLS] Secdir last call review of draft-ietf-tls-certificate-compression-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2019 01:01:38 -0000

Reviewer: Christian Huitema
Review result: Has Issues

I have reviewed draft-ietf-tls-certificate-compression-07 as part of the
security directorate's ongoing effort to review all IETF documents being
processed by the IESG. These comments were written primarily for the benefit of
the security area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

Draft-ietf-tls-certificate-compression-07 defines two new TLS extensions to
negotiate and then apply compression of the Certificate message. The draft is
clear and well written, and the extensions are already widely deployed. I would
like to say "ready", but I have to say "almost".

This document is almost ready, except for one nit and one issue.

First, one nit. The draft references the "Certificate message", but there is no
formal reference section 4.4.2 of RFC8446. Please add that, maybe at the
beginning of section 4. It may seem obvious to members of the TLS WG, but
uninformed readers will appreciate.

Second, my actual concern. Compression may leak information, because different
certificate chains will compress differently. The authors mention that an
attacker will not be able to inject data in the certificate chain, and thus
that attacks of the CRIME variety are unlikely. That's correct, but that's not
the entire story.

TLS 1.3 will encrypt the compressed certificate message but the length of that
message could be deduced from the length of the server's encrypted message.
Attackers might be able to derive from that length the identity of the server,
even if the SNI is encrypted.

One could say that in the absence of compression the length of the certificate
chain is also available. Indeed, the problem is flagged in
draft-ietf-tls-esni-05, which states in section 5.3 that "it (the server)
SHOULD pad the Certificate message, via padding at the record layer, such that
its length equals the size of the largest possible Certificate (message)
covered by the same ESNI key."

Certificate compression introduces a level of complexity here. If only some
servers in the anonymity set support compression, attackers can work with a
smaller anonymity subset. If all attackers support compression, the padding
should try to match the largest Compressed Certificate.

It might be good to discuss this issue in the security consideration section.