Re: [TLS] tls 1.3: renegotiation
Andrei Popov <Andrei.Popov@microsoft.com> Mon, 28 July 2014 20:11 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB30C1B28EA for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 13:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwj5pqrzE_3y for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 13:11:51 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0188.outbound.protection.outlook.com [207.46.163.188]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F94C1B28EB for <tls@ietf.org>; Mon, 28 Jul 2014 13:11:37 -0700 (PDT)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB418.namprd03.prod.outlook.com (10.141.92.13) with Microsoft SMTP Server (TLS) id 15.0.995.14; Mon, 28 Jul 2014 20:11:33 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.0995.014; Mon, 28 Jul 2014 20:11:33 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Robert Ransom <rransom.8774@gmail.com>, Sean Turner <TurnerS@ieca.com>
Thread-Topic: [TLS] tls 1.3: renegotiation
Thread-Index: AQHPpPeOOHAiusOfmU2fGY+VxmMv6puxMxAAgAS4VbA=
Date: Mon, 28 Jul 2014 20:11:32 +0000
Message-ID: <da5c2db0d5c248d196333718e5674685@BL2PR03MB419.namprd03.prod.outlook.com>
References: <7C3D5CF9-2B17-4953-A13D-C5E7226D13E7@ieca.com> <CABqy+so=yV9Gp8aCp3cJ8wQRmd6JC-J9raEzgw1c1UDdFT2=JQ@mail.gmail.com>
In-Reply-To: <CABqy+so=yV9Gp8aCp3cJ8wQRmd6JC-J9raEzgw1c1UDdFT2=JQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:
x-forefront-prvs: 0286D7B531
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(199002)(189002)(479174003)(24454002)(377454003)(13464003)(31966008)(54356999)(19580405001)(92566001)(83322001)(87936001)(50986999)(19580395003)(83072002)(76176999)(46102001)(107046002)(86612001)(33646002)(86362001)(2656002)(76482001)(76576001)(85852003)(99396002)(74662001)(74502001)(101416001)(77982001)(81542001)(105586002)(79102001)(64706001)(74316001)(106116001)(80022001)(99286002)(21056001)(85306003)(4396001)(20776003)(106356001)(81342001)(95666004)(15975445006)(108616002)(3826002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB418; H:BL2PR03MB419.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hDsg5FxfqL6q1-dK4AzM7OyBiPs
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] tls 1.3: renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 20:11:58 -0000
I agree with Robert, and oppose removal of renegotiation for the reasons listed. Also, the removal of renegotiation will complicate the deployment of TLS1.3 and limit its applicability. E.g. it is not clear to me how these configurations would work (when TLS client auth is required): 1. TLS 1.3 with an existing HTTP/1.1 server; 2. Existing TLS 1.2 library with HTTP/2 stack on top of it. It looks like one would need to deploy both TLS1.3 and HTTP/2 at the same time. Once TLS 1.3 and HTTP/2 are deployed, the way a site implements TLS client auth will depend on the combination of TLS version and HTTP version negotiated: TLS1.3 + HTTP/2 -> New-style TLS client auth (TBD). TLS1.3 + HTTP/1.1 -> No way to support TLS client auth? TLS1.2 + HTTP/2 -> No way to support TLS client auth? TLS1.2 + HTTP/1.1 -> TLS client auth via renegotiation. Cheers, Andrei -----Original Message----- From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Robert Ransom Sent: Friday, July 25, 2014 12:28 PM To: Sean Turner Cc: TLS@ietf.org (tls@ietf.org) Subject: Re: [TLS] tls 1.3: renegotiation On 7/21/14, Sean Turner <TurnerS@ieca.com> wrote: > At the TLS interim meeting held on Sunday July 20th, 2014, there was > consensus to remove renegotiation on the assumption we will provide a > rekeying facility of some form and client initated client authentication. > This message serves to confirm that consensus. Please indicate by > July 25th, 2014 whether you disagree with this (and why). I oppose removal of renegotiation, for the following reasons: * Renegotiation is a single feature which serves many purposes. I believe that fixing the design, APIs, and implementations of renegotiation will be easier than designing the protocols, designing the APIs, and implementing every feature which would be needed to replace it. * The client-initiated client authentication feature will require a ‘channel binding’ to the existing TLS connection, which -- as Nico Williams has pointed out -- is sufficient to work around renegotiation-based attacks at the protocol level, by binding the application data sent before renegotiation to the authentication performed during the renegotiation handshake. Adding a channel binding to renegotiation would not require as many changes to existing code as adding an entirely new client authentication feature would, and would provide less room for new implementation bugs to creep in. * Renegotiation can share most of its code with the implementation of the initial connection handshake, even after a channel binding is added to it. Each of the new features added in order to replace renegotiation is likely to share considerably less code with the initial handshake, and their implementations are likely to receive considerably less use and less testing than any piece of code used in implementing renegotiation. In addition, I believe that it is not possible for the WG to make an informed decision as to whether renegotiation should be removed at this time: * The rekeying feature and client-initiated client authentication feature have not been specified yet, even to the point of stating the requirements which each feature will meet. It is not possible for the WG to determine whether the features intended to replace these two uses of renegotiation will be fit for their intended purposes at this time. Robert Ransom _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] tls 1.3: renegotiation Sean Turner
- Re: [TLS] tls 1.3: renegotiation Robert Ransom
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Andrei Popov
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Robert Ransom
- Re: [TLS] tls 1.3: renegotiation Andrei Popov
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Martin Thomson
- Re: [TLS] tls 1.3: renegotiation Nikos Mavrogiannopoulos