IETF Logo Mail Archive

Re: [TLS] Ben Campbell's Yes on draft-ietf-tls-tls13-26: (with COMMENT)

Sean Turner <sean@sn3rd.com> Wed, 07 March 2018 20:50 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78A2712D778 for <tls@ietfa.amsl.com>; Wed, 7 Mar 2018 12:50:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k7Pj6o5-S2jN for <tls@ietfa.amsl.com>; Wed, 7 Mar 2018 12:49:59 -0800 (PST)
Received: from mail-qt0-x233.google.com (mail-qt0-x233.google.com [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C34812D777 for <tls@ietf.org>; Wed, 7 Mar 2018 12:49:59 -0800 (PST)
Received: by mail-qt0-x233.google.com with SMTP id j4so4289377qth.8 for <tls@ietf.org>; Wed, 07 Mar 2018 12:49:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UtNTYCdtA35F+CITUMsNXxB5buU7eFb0ywtGMkYaqjA=; b=lJ0tAAmPiYxpz2lyRut6r6JtM5Su0GEBcyR94zIyPjR7FO7SOvnwIR5h1ShDzbPNgp pNuL8IjQe4fPUYLqSJofecqZ9KG8HcBZmKNGLRdXl45NjEzLaWbGJipQsEwGZGtOz5OX xskwLyjtVGtIA4gHni6Z0wGqpV2qxUDXh5kXw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UtNTYCdtA35F+CITUMsNXxB5buU7eFb0ywtGMkYaqjA=; b=ijHvhmZMS1/hCWnYTHDYu0sSq3LJrSbFw4AyP9DF3WsONdmjCShJ/ZdjQc1LTkQZVD qQusXP7dcTJYPlcKKQdYYxpg/FyQKxqBKJmuoeEgp8iWTa1WwbXjEJq/vs89KxpS0Gl/ 4qZbs13mMGrpDfoPE+nmbg+ASMdbUVoUS9W9gTD8M1LBka/nK4euf1gS9g+bOmdexqn+ caR17siJdKGzGbGsyCvMwVuD38qyWYv1o7bjEcKAOhcwCqMqQHFTKXT0fKZ0aCcZ2Q2Z Kf29J9LOjlrDWEerk+6S6bG29UNs+TMUlR99kGQVs4xgQd0WpLc7ly9hPnJDMpjPuLWP eY6Q==
X-Gm-Message-State: AElRT7E/UNukSyHatfTjY3g6oveGpObvnTl2v1Wc7+u8owYyDfH2KJy5 TKCrbum83WquFZBLd8qjD6w+Ng==
X-Google-Smtp-Source: AG47ELt5ClRa0sS13lPlTY/hcMt5QwGIXyGdLSL3pEwvnBZHcKmYxbY6LafDIsWAMGqVTI7MI1Hodg==
X-Received: by 10.237.41.194 with SMTP id o60mr37020812qtd.128.1520455798254; Wed, 07 Mar 2018 12:49:58 -0800 (PST)
Received: from [172.16.0.18] ([96.231.225.106]) by smtp.gmail.com with ESMTPSA id g13sm2580539qto.75.2018.03.07.12.49.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Mar 2018 12:49:57 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <152035726289.28354.15009436908256456026.idtracker@ietfa.amsl.com>
Date: Wed, 07 Mar 2018 15:49:54 -0500
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-tls13@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <43224E51-EBF9-4471-B133-B118DA1CE05A@sn3rd.com>
References: <152035726289.28354.15009436908256456026.idtracker@ietfa.amsl.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fj6ZwP7nhDvowrImHVDdvKfp1MQ>
Subject: Re: [TLS] Ben Campbell's Yes on draft-ietf-tls-tls13-26: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 20:50:02 -0000


> On Mar 6, 2018, at 12:27, Ben Campbell <ben@nostrum.com> wrote:
> 
> Ben Campbell has entered the following ballot position for
> draft-ietf-tls-tls13-26: Yes
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> There has clearly been a lot of work put into this. It's a surprisingly
> understandable document, given its length and the complexity of the subject. I
> am balloting yes, but I have a few minor comments and nits. None of these are
> showstoppers, so please do with them as you will.
> 
> *** Substantive Comments:
> 
> §4.1.2, first paragraph: " When a client first connects to a server, it is
> REQUIRED to send the
>   ClientHello as its first message. "
> 
> Is that intended to prohibit the use of STARTTLS or similar application layer
> patterns? (To be clear, this is not an objection, just a clarification request.)

No - this is just how it works TLS - clients send the ClientHello message first ;)

> §4.1.2, legacy_compression_methods: "Note that TLS 1.3 servers might receive
> TLS 1.2 or prior
>      ClientHellos which contain other compression methods and MUST
>      follow the procedures for the appropriate prior version of TLS."
> 
> Is that intended to require TLS 1.3 servers to always be willing and able to
> negotiate 1.2? §4.2.1 has a similar assertion:
> 
> "If this extension is not present, servers which are compliant with
>   this specification MUST negotiate TLS 1.2 or prior as specified in
>   [RFC5246], even if ClientHello.legacy_version is 0x0304 or later."
> 
> But §4.2.3 says:
> 
> "Note that TLS 1.2 defines this extension differently.  TLS 1.3
>   implementations willing to negotiate TLS 1.2 MUST behave in
>   accordance with the requirements of [RFC5246] when negotiating that
>   version."
> 
> ... which seems inconsistent (noting that this paragraph talks about
> "implementations" rather than "servers", so perhaps there's a subtle difference?

In short kinda, sorta yes: §s4.2.1 includes the following:

   Implementations of TLS 1.3 which choose to support prior versions of
   TLS SHOULD support TLS 1.2.

Not sure it’s inconsistent given that the 2nd quote is about the server needs to do with the information it’s getting from the client.

> §4.2.1.1: The section is marked for removal. Do you expect that RFC
> implementations will ever need to interop with draft implementations? If so,
> the information in this section may continue to be useful for some time.

I think it’ll be useful for about as long as it takes for them to rev their code bases, which I am sure hoping is faster than the 6 or so weeks it’ll take for this draft to get to through the RFC editor’s queue.

> §D.5: This section has a lot of normative requirements that seem important. I
> wonder why it has been relegated to an appendix.

§D.5 is about backward compatibility and though we negotiations with 1.2 is a SHOULD we say nada about earlier versions.  And, we don’t want to say anything about earlier versions.   And, some of this is technically repeated from other RFCs, eg. 5768 and 6176 saying don’t do SSL2/3. So, it ended up in an appendix.

> *** Editorial Comments and nits:
> 
> §2: "If (EC)DHE key establishment
>   is in use, then the ServerHello contains a "key_share" extension with
>   the server’s ephemeral Diffie-Hellman share which MUST be in the same
>   group as one of the client’s shares. "
> 
> missing comma prior to "which”.

(grammar police are banging on my door as we speak)
So is the which clause restrictive or non restrictive?  I’m going with this this clause being restrictive (hence no comma).

> §4.1.1: "Note that if the PSK can be used without (EC)DHE then non-
>   overlap in the "supported_groups" parameters need not be fatal, as it
>   is in the non-PSK case discussed in the previous paragraph."
> 
> I read "need not be fatal" to mean that it may still be fatal at times. Is that
> the intent?

Yes that is the intent.

> §11: The IANA considerations have a number of constructions similar to "SHALL
> update/has updated". Is that text expected to collapse to "has updated" at some
> point?

Yes - once we’ve gotten the a-okay from IANA, well as the RFC editor to make it just say “has updated” etc.

> §E.2.1: [BDFKPPRSZZ16]  : Best citation anchor evar

:)

v2.23.0 | Report a Bug | By Email