IETF Logo Mail Archive

Re: [TLS] Comment on draft-thomson-tls-sic-00

John Mattsson <john.mattsson@ericsson.com> Fri, 29 March 2019 19:05 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B595612027A for <tls@ietfa.amsl.com>; Fri, 29 Mar 2019 12:05:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zf_rnRdeZNZs for <tls@ietfa.amsl.com>; Fri, 29 Mar 2019 12:05:22 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10060.outbound.protection.outlook.com [40.107.1.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A605812026B for <TLS@ietf.org>; Fri, 29 Mar 2019 12:05:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=q/pgd6StMkkJAR7Jalmh64pRBucpi7xItDXhT/wIefA=; b=E1NlPA4Fm4oIbalYlF/+BL1/zv+wpf/0MfWWbg7XTTjeakTuE6yCRjA7EUu41h38mcecfGvnacGp3hy1ctryxJIPVg9VRiyTZDsNWQcBrXA1JR2MjoELyfzBbtxBt0JAjVMYtkNumFKeHwArzcjfQ2cow5YrOdEKEbL3WtbqVmE=
Received: from VI1PR07MB4175.eurprd07.prod.outlook.com (20.176.6.24) by VI1PR07MB5727.eurprd07.prod.outlook.com (20.178.121.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.8; Fri, 29 Mar 2019 19:05:18 +0000
Received: from VI1PR07MB4175.eurprd07.prod.outlook.com ([fe80::5424:92d0:ef7:e047]) by VI1PR07MB4175.eurprd07.prod.outlook.com ([fe80::5424:92d0:ef7:e047%5]) with mapi id 15.20.1750.014; Fri, 29 Mar 2019 19:05:18 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: Comment on draft-thomson-tls-sic-00
Thread-Index: AQHU5hHk9r1yI3Oidk+mAiqUq9JKM6YierSAgACOngA=
Date: Fri, 29 Mar 2019 19:05:18 +0000
Message-ID: <3C099064-52D9-49C3-9180-A01FBDEE876A@ericsson.com>
References: <AC987170-3F9F-4682-B49B-872B9028692F@ericsson.com> <745ED9FE-9C31-4687-BD64-836155A28AEC@ericsson.com>
In-Reply-To: <745ED9FE-9C31-4687-BD64-836155A28AEC@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.0.190309
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [212.24.152.234]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c1ab699d-24ee-42e8-43fe-08d6b4797c2d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:VI1PR07MB5727;
x-ms-traffictypediagnostic: VI1PR07MB5727:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <VI1PR07MB57272B1960A60FCE4EC7E69E895A0@VI1PR07MB5727.eurprd07.prod.outlook.com>
x-forefront-prvs: 0991CAB7B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(346002)(376002)(396003)(136003)(366004)(13464003)(199004)(189003)(51444003)(106356001)(76176011)(229853002)(305945005)(966005)(5660300002)(256004)(14444005)(6306002)(5640700003)(36756003)(6436002)(6246003)(105586002)(316002)(68736007)(58126008)(7736002)(86362001)(44832011)(2351001)(99286004)(83716004)(71200400001)(71190400001)(8936002)(6512007)(81166006)(11346002)(186003)(2906002)(26005)(476003)(2501003)(53936002)(82746002)(2616005)(478600001)(33656002)(8676002)(6506007)(14454004)(102836004)(486006)(446003)(97736004)(25786009)(6486002)(3846002)(6116002)(53546011)(6916009)(66066001)(81156014); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB5727; H:VI1PR07MB4175.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: k7frlhcJFw0vJY4ur0Bb4p0By+i+A2uJv00EWciUQC7USZzuX/VH4vroZ26VtObLCmRjB08eFp0qqD6bDLuM7Gvusl1MpWZXbNCd9wesQpra/BfDMJQteFddOKUWQqEwR4FqFAlCgJP+otLp7/LTUy/gD+c34X8Psnehvj9ovnUQjc/xcp4m32aamQaM+5M10oR3yeaKfhq3OVXwWoHW/OLMmSS6RA8rmAT6LhzcZ6aRpj3uTiaN+cCxmBSc5XUiXiV4VzVzBTfLvdv9bsFUmyNFI5mb1VcDjcqURzp8njG8F8hAXWP3inGLGl4dENV4G2OHpm0GBW2a1ZdNHmV0vBEg+XUUg+h/GuzRznX6F9terBE+C5nWcPpqiSo/YdxQQkZg9w8/5UzGcQqggM6vxljqrz9ovwX43Rc82SLNpbE=
Content-Type: text/plain; charset="utf-8"
Content-ID: <712917236D0D0C42BF1D00741F278DC3@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c1ab699d-24ee-42e8-43fe-08d6b4797c2d
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2019 19:05:18.6007 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5727
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hPkYKGIEM1eEB4TIQa24s5i9Fvk>
Subject: Re: [TLS] Comment on draft-thomson-tls-sic-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 19:05:25 -0000

And one more....

"The 0xTBD flag can only be send in a ClientHello or CertificateRequest message.  Endpoints that receive a value of 1 in any other handshake message MUST generate a fatal illegal_parameter alert."

This goes against draft-nir-tls-tlsflags

"A server that supports this extension and also supports at least one of the flag-type features that use this extension and that were declared by the ClientHello extension SHALL send this extension with the intersection of the flags it supports with the flags declared by the client."

I assume the sic sic extension should be sent in EncryptedExtensions.

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Friday, 29 March 2019 at 11:34
To: "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: Comment on draft-thomson-tls-sic-00

    Some more comments after reading the draft in detail.
    
    - The abstract and introduction only talks about the ClientHello use case. Should shortly mention the CertificateRequest use case as well.
    
    - I notice that the draft does not have any requirement on how the client gets access to the intermediary certificates. I think this is the right approach.
    
    The problem discussed in EMU is that that many access points drops EAP connections after 40 - 50 packets and that EAP-TLS connections with large certificate chains may therefore be unable to complete.
    
    One approach discussed in EMU is that the client could take intermediate certificates from an earlier EAP-TLS connection that was dropped by the access point. This drafts currently allows that. I think that is correct. I cannot see that the distribution of intermediary certificates need any security requirements as the client can verify them with the help of one of its trust anchors.
    
    Cheers,
    John
    
    -----Original Message-----
    From: John Mattsson <john.mattsson@ericsson.com>
    Date: Friday, 29 March 2019 at 10:29
    To: "TLS@ietf.org" <TLS@ietf.org>
    Subject: Comment on draft-thomson-tls-sic-00
    
        Hi,
        
        I am strongly supporting of solving the problem this draft is trying to solve. This is a problem that the EMU WG has identified and discussed in the past.
        
        https://tools.ietf.org/html/draft-ms-emu-eaptlscert-02
        
        I will add text discussing draft-thomson-tls-sic-00 to draft-ms-emu-eaptlscert-03 and ask for agenda time in EMU at IETF 105 to discuss if draft-thomson-tls-sic-00 solves the problems of the EMU WG.
        
        The EMU WG actually shortly discussed this Monday if the WG thought there was any updates to TLS that needed to be driven in the TLS WG.
        
        Cheers,
        John

v2.23.0 | Report a Bug | By Email