Re: [TLS] tls 1.3: renegotiation

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 28 July 2014 20:11 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB30C1B28EA for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 13:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwj5pqrzE_3y for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 13:11:51 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0188.outbound.protection.outlook.com [207.46.163.188]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F94C1B28EB for <tls@ietf.org>; Mon, 28 Jul 2014 13:11:37 -0700 (PDT)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB418.namprd03.prod.outlook.com (10.141.92.13) with Microsoft SMTP Server (TLS) id 15.0.995.14; Mon, 28 Jul 2014 20:11:33 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.0995.014; Mon, 28 Jul 2014 20:11:33 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Robert Ransom <rransom.8774@gmail.com>, Sean Turner <TurnerS@ieca.com>
Thread-Topic: [TLS] tls 1.3: renegotiation
Thread-Index: AQHPpPeOOHAiusOfmU2fGY+VxmMv6puxMxAAgAS4VbA=
Date: Mon, 28 Jul 2014 20:11:32 +0000
Message-ID: <da5c2db0d5c248d196333718e5674685@BL2PR03MB419.namprd03.prod.outlook.com>
References: <7C3D5CF9-2B17-4953-A13D-C5E7226D13E7@ieca.com> <CABqy+so=yV9Gp8aCp3cJ8wQRmd6JC-J9raEzgw1c1UDdFT2=JQ@mail.gmail.com>
In-Reply-To: <CABqy+so=yV9Gp8aCp3cJ8wQRmd6JC-J9raEzgw1c1UDdFT2=JQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:
x-forefront-prvs: 0286D7B531
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(199002)(189002)(479174003)(24454002)(377454003)(13464003)(31966008)(54356999)(19580405001)(92566001)(83322001)(87936001)(50986999)(19580395003)(83072002)(76176999)(46102001)(107046002)(86612001)(33646002)(86362001)(2656002)(76482001)(76576001)(85852003)(99396002)(74662001)(74502001)(101416001)(77982001)(81542001)(105586002)(79102001)(64706001)(74316001)(106116001)(80022001)(99286002)(21056001)(85306003)(4396001)(20776003)(106356001)(81342001)(95666004)(15975445006)(108616002)(3826002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB418; H:BL2PR03MB419.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hDsg5FxfqL6q1-dK4AzM7OyBiPs
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] tls 1.3: renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 20:11:58 -0000

I agree with Robert, and oppose removal of renegotiation for the reasons listed. 

Also, the removal of renegotiation will complicate the deployment of TLS1.3 and limit its applicability. E.g. it is not clear to me how these configurations would work (when TLS client auth is required):
1. TLS 1.3 with an existing HTTP/1.1 server;
2. Existing TLS 1.2 library with HTTP/2 stack on top of it.

It looks like one would need to deploy  both TLS1.3 and HTTP/2 at the same time. Once TLS 1.3 and HTTP/2 are deployed, the way a site implements TLS client auth will depend on the combination of TLS version and HTTP version negotiated:
TLS1.3 + HTTP/2 -> New-style TLS client auth (TBD).
TLS1.3 + HTTP/1.1 -> No way to support TLS client auth?
TLS1.2 + HTTP/2 -> No way to support TLS client auth?
TLS1.2 + HTTP/1.1 -> TLS client auth via renegotiation.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Robert Ransom
Sent: Friday, July 25, 2014 12:28 PM
To: Sean Turner
Cc: TLS@ietf.org (tls@ietf.org)
Subject: Re: [TLS] tls 1.3: renegotiation

On 7/21/14, Sean Turner <TurnerS@ieca.com> wrote:
> At the TLS interim meeting held on Sunday July 20th, 2014, there was 
> consensus to remove renegotiation on the assumption we will provide a 
> rekeying facility of some form and client initated client authentication.
> This message serves to confirm that consensus.  Please indicate by 
> July 25th, 2014 whether you disagree with this (and why).

I oppose removal of renegotiation, for the following reasons:

* Renegotiation is a single feature which serves many purposes.  I
  believe that fixing the design, APIs, and implementations of
  renegotiation will be easier than designing the protocols, designing
  the APIs, and implementing every feature which would be needed to
  replace it.

* The client-initiated client authentication feature will require a
  ‘channel binding’ to the existing TLS connection, which -- as Nico
  Williams has pointed out -- is sufficient to work around
  renegotiation-based attacks at the protocol level, by binding the
  application data sent before renegotiation to the authentication
  performed during the renegotiation handshake.  Adding a channel
  binding to renegotiation would not require as many changes to
  existing code as adding an entirely new client authentication
  feature would, and would provide less room for new implementation
  bugs to creep in.

* Renegotiation can share most of its code with the implementation of
  the initial connection handshake, even after a channel binding is
  added to it.  Each of the new features added in order to replace
  renegotiation is likely to share considerably less code with the
  initial handshake, and their implementations are likely to receive
  considerably less use and less testing than any piece of code used
  in implementing renegotiation.


In addition, I believe that it is not possible for the WG to make an informed decision as to whether renegotiation should be removed at this time:

* The rekeying feature and client-initiated client authentication
  feature have not been specified yet, even to the point of stating
  the requirements which each feature will meet.  It is not possible
  for the WG to determine whether the features intended to replace
  these two uses of renegotiation will be fit for their intended
  purposes at this time.


Robert Ransom

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls