IETF Logo Mail Archive

Re: [TLS] Review of PR #209

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 16 September 2015 00:42 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23371B29F5 for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 17:42:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1UJu4xRyuPK9 for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 17:42:28 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0789.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:789]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D6361B29F0 for <tls@ietf.org>; Tue, 15 Sep 2015 17:42:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=bpnK6wOIN46hA12nuplWvdde91qLB4oHgJvSkD77sHE=; b=TACgdHdIwSLAgI8gpDhB9kv9byIqOoBenJ8ypqzENSyM8YW5DxjggXIXmIAT/SHSYi/G6Dt0Oabl5oTNbllNxm2PTmFjMZO6OLn1EFIiaDRnkhQeF8PuL4BZNY1T5tli4iPFUMBBtDRGcrI4PghuwbPP8Y9M5bG949muFlrrcr4=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1394.namprd03.prod.outlook.com (10.163.81.140) with Microsoft SMTP Server (TLS) id 15.1.268.17; Wed, 16 Sep 2015 00:42:09 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0268.017; Wed, 16 Sep 2015 00:42:09 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [TLS] Review of PR #209
Thread-Index: AQHQxuqZE5b0AgbP4UGzDBeqZzcHy54+TSMggAAif4CAAAGN4IAAC/mAgAAJcACAAA7sAIAABCQw
Date: Wed, 16 Sep 2015 00:42:09 +0000
Message-ID: <BLUPR03MB1396166B0F74176B3E6ABD038C5B0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CABkgnnWtUjH1b3xm_peffNxNpxXE9rudJLJpn1ExNpE7B29AhA@mail.gmail.com> <BLUPR03MB13962416E8D8AD71CFFE13C08C5C0@BLUPR03MB1396.namprd03.prod.outlook.com> <CABkgnnX5VrvWwEiPq2DvEWexPSjLjpjy_1JDSmj31bytZTFP6A@mail.gmail.com> <BLUPR03MB139663BBF24BF86EBDAF10C58C5C0@BLUPR03MB1396.namprd03.prod.outlook.com> <CABkgnnXOoW4PkZPi7JBjOC=eJYFU+M1e99KXvoSyJ0AVm+vCRQ@mail.gmail.com> <BLUPR03MB1396CB3E120A8ED9DF7BC6C08C5C0@BLUPR03MB1396.namprd03.prod.outlook.com> <CABkgnnUBQ3XEJ6sP5qa_T+sActXUfXzzOQ+O=nvHe9euZfMk1A@mail.gmail.com>
In-Reply-To: <CABkgnnUBQ3XEJ6sP5qa_T+sActXUfXzzOQ+O=nvHe9euZfMk1A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:2::1d2]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1394; 5:p6K5r1Ht8c/iylNknGfPXEUqi2xzyqwftcFF1Dyjme8XFMlIu1JBwGvQvn2BLlr1x/43nkue+aM7x4IkOFGmtrHvJ6n6Yz1W9qxI5Zxxz9bXEz7tEX5Pbx6tDZEYHchEAgbFWsyNx+YE3XYUzX1vGA==; 24:+AYvPgyCklmJd/4/QU3V4T4LD0PT8f2lzPDIOWKHyKVZrL4iYKhf1JogQlEHgOYWzUmpVMg7PXsGBONZo5t65yDi/Af5FRcLDBn93qc+Kis=; 20:1YBkz5T05EJ6h3cD02mnwcEtOWMMUw4THx7CKyfwNs+zAznHhUkRfFFvtZRqegS6XM9SGF30HTB3nA68YIVlbg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1394;
x-microsoft-antispam-prvs: <BLUPR03MB139496519DFA106F7C3A993E8C5B0@BLUPR03MB1394.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425019)(601004)(2401001)(520078)(5005006)(520075)(8121501046)(3002001)(61426019)(61427019); SRVR:BLUPR03MB1394; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1394;
x-forefront-prvs: 07013D7479
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(24454002)(51444003)(13464003)(189002)(377454003)(54356999)(10290500002)(105586002)(2950100001)(86362001)(10400500002)(50986999)(40100003)(92566002)(110136002)(106356001)(5007970100001)(106116001)(101416001)(5001960100002)(2900100001)(8990500004)(19580405001)(5003600100002)(77156002)(5001860100001)(99286002)(5005710100001)(189998001)(5002640100001)(62966003)(33656002)(19580395003)(122556002)(77096005)(81156007)(46102003)(97736004)(86612001)(74316001)(93886004)(87936001)(76176999)(68736005)(11100500001)(64706001)(5004730100002)(76576001)(10090500001)(4001540100001)(5001830100001)(102836002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1394; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2015 00:42:09.7103 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1394
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gAuqMbjSe1FyjadpQ5DfZR3ygQY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Review of PR #209
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 00:42:32 -0000

> The client is now uncertain about whether the server has remembered their certificate.  That's bad if there are actions that might be denied to the client in the absence of the certificate.

But the server will send a CertificateRequest in this case and the client will have a chance to authenticate. 

> You could say that the easiest remedy is to offer the certificate again, because that removes the uncertainty.  But a major reason for having resumption is to avoid the public key operations on both peers, so that's not a great solution.

That's why instead I say the client should send the ticket and if it turns out insufficient, the client will get a CertificateRequest :).

> ... but that doesn't mean that someone couldn't build a system that offers different content in response to client authentication AND that system could have TLS 1.3 clients authenticate without prompting in order to get that different content.

This is a new use case; with PR #209 I'm mostly trying to support existing use-cases. But if you want to enable this new scenario, we can consider something like this:
- CertificateRequest can include a random ID;
- Client Certificate and CertificateVerify would either echo the ID from a CertificateRequest, or use a new random ID if it's unsolicited;
- NewSessionTicket would use an ID matching the client Certificate/CertificateVerify.

This also solves the unsolicited vs. requested client Certificate issue we talked about earlier. This of course introduces a bit of extra complexity.

> After all, asking has consequences that you might want to avoid, like the "pick a certificate" dialog in browsers.  (Maybe you only need this behavior for bespoke clients.)

I'm not sure about this.

"Pick a certificate" dialog means that the client:
a) Does not know whether the user wants to send a credential to a server;
b) Does not know which of the multiple available credentials to send to the server.

If you have a system where the client app knows that a certificate is required, and knows the specific certificate to send, there is no need for the dialog. Such a system is ready to respond to a CertificateRequest (without showing the dialog), or it could send the certificate unsolicited. I think that uncertainty, not CertificateRequest, is the reason for the dialog.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Tuesday, September 15, 2015 4:53 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Review of PR #209

On 15 September 2015 at 16:19, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
>> I'm concerned that this produces an indeterminate state on the server.
>> What if that Certificate doesn't conform to the request in some way: was the Certificate just a unilateral offer that was sent before the client received the CertificateRequest, is the client unable to understand the CertificateRequest, or is the client in error?
>
> Traditionally, it was not an error for the client to send an empty Certificate message, or to offer a credential that does not match the parameters in the CertificateRequest. From the server's perspective, it doesn't matter what went wrong: the server treats the client as unauthenticated in this case (and possibly alerts/disconnects).

Right, but not all applications work on that model.  Some make the request and block on a response.

> Because we want to allow the client to volunteer a certificate, there can be a situation where the server sends a CertificateRequest and receives an unsolicited client cert before the client can respond to CertificateRequest. We can add a flag to the client Certificate message to distinguish unsolicited creds from requested ones. Would this address the concern?

That would work.

>> That doesn't work for clients that send credentials without prompting.
>
> Not sure what you mean, can you elaborate on the scenario?

Client connects to server and completes the handshake.
Client sends certificate immediately after Finished.
Server sends NewSessionTicket after seeing Finished or CertificateVerify; client is unable to tell which.
Later, Client resumes using the ticket.

The client is now uncertain about whether the server has remembered their certificate.  That's bad if there are actions that might be denied to the client in the absence of the certificate.

You could say that the easiest remedy is to offer the certificate again, because that removes the uncertainty.  But a major reason for having resumption is to avoid the public key operations on both peers, so that's not a great solution.

This isn't a problem with TLS <=1.2, because there is no client authentication without prompting, but that doesn't mean that someone couldn't build a system that offers different content in response to client authentication AND that system could have TLS 1.3 clients authenticate without prompting in order to get that different content.
After all, asking has consequences that you might want to avoid, like the "pick a certificate" dialog in browsers.  (Maybe you only need this behavior for bespoke clients.)

v2.23.0 | Report a Bug | By Email