IETF Logo Mail Archive

Re: [TLS] [Errata Held for Document Update] RFC8446 (6205)

Martin Thomson <mt@lowentropy.net> Wed, 17 January 2024 03:39 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06AC6C14F721; Tue, 16 Jan 2024 19:39:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="FqWogiA2"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="jcKw0XyD"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQbFBlFCiJ6f; Tue, 16 Jan 2024 19:39:40 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B55FC14F61F; Tue, 16 Jan 2024 19:39:39 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 96E8A3200AD2; Tue, 16 Jan 2024 22:39:38 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Tue, 16 Jan 2024 22:39:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm1; t=1705462778; x=1705549178; bh=tHIjXZ7li87XZZ63z3fpcHcNCrIVk3R8 L756/9I6MiI=; b=FqWogiA2hBy6B1JmAUY6i3oUVgtITEUBTgFJopUMsJq5thFc jbyEJB/oj1x1nmUAPGXwDlnwd5p7i5cTTTiQ0duGGTk8tOq+lb+vHgSPOOlv7WM5 CkZ1BNaYIVjR1ZSkcaX0amWPGGWeJIukPkz4acJt5+8DTPa8GhV2LIutYvC+m/rO FvG9a1pOZ+ZZ7jsyrAhb9NB+MGVjuvT0C9LDLvyxQy8m0YdclzPFWyGJtvvWO2N1 mtH/FdNtFPFXvEMrC/+wdOpXR5MaSv1kEcTEKHvKd8ushSQcP9siIB10UxuYbUMv KsXGjloiYbmzFIyq6qeAO0T6a7M67aHPQ5psIQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1705462778; x= 1705549178; bh=tHIjXZ7li87XZZ63z3fpcHcNCrIVk3R8L756/9I6MiI=; b=j cKw0XyDCo2RY6Jb5qpg4zpJBYS0gW2cV4HJezl84wxAUZxQRsLwgYzpXLS2GvFWz M54TmB9LS7jUrflqoVCBN+5bB8K0SNcAuOtBtdDCnQEKXShTKYXeL97rEEx/1Uon gA6EpKNgZcAeqGRU87a9Bir5BpAhWrslNdVMTtzrW5rUaZvvZ6NG9TA6hYan+TYC y/sCDkWBJS5uEu3obfEPr72bMC478ofY9BEZBlUaDuPCXyvdhYu6tdLdB+nLffT7 +ygeOpPJ56MR1juXiRORef7Aizk0mJV6phKY5OpqLXQzfik1dRY5fs1EyDs5bF0I szw4R0cwH8Bs1Rr8qoqlA==
X-ME-Sender: <xms:-UunZdlAu2FUEctvFY2CHGEl4HKmTcvwQVhe14DLGt-7nUO8jiCh-g> <xme:-UunZY2u_xY9Eh3qqjcY5s9HXzeOsCvX3Xm57_OmWnPlVpZbjUll0S9bMj9DwvtcI 1fXmdpifazePUj1uNI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrvdejgedgiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtgfesthhqredtreerjeenucfhrhhomhepfdfo rghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqne cuggftrfgrthhtvghrnhepfffhkeeutddvgfduuddtjeetvdelkeejuedttedtfeehueek teeltdeuheeihfeinecuffhomhgrihhnpehrfhgtqdgvughithhorhdrohhrghdpihgvth hfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhho mhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:-UunZTpYDKkhGJjqmvofYVcllaUH4-78S0kyiKw5A2p_C4uQ0WdJAg> <xmx:-UunZdkY4ffuLses38bGasL-Hvi_0IJIHziaUm6i7MZ66px2bMVUnQ> <xmx:-UunZb1OehmHS9Nj3-qG2PZ2d6Zp_C1mDsKQMN0gOOc_sMGOrWyU1Q> <xmx:-kunZZCWx8D4DLrtuwwCV0TTHIDmGaM5V2IoIZmWueU1zk0mDiMxyQ>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id BBF352340080; Tue, 16 Jan 2024 22:39:37 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-1374-gc37f3abe3d-fm-20240102.001-gc37f3abe
MIME-Version: 1.0
Message-Id: <27c15dd9-cd8a-4e1f-a3ea-767623a7ccf6@betaapp.fastmail.com>
In-Reply-To: <CABcZeBO1YGhJGVCugLq=eEORT4f61yYmVkFXHkim2arupszU+g@mail.gmail.com>
References: <20240117005914.EE3C41BA410B@rfcpa.amsl.com> <CABcZeBO1YGhJGVCugLq=eEORT4f61yYmVkFXHkim2arupszU+g@mail.gmail.com>
Date: Wed, 17 Jan 2024 14:39:16 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Eric Rescorla <ekr@rtfm.com>, rfc-editor <rfc-editor@rfc-editor.org>
Cc: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, tls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/huNB822qpuqMahwAxsOSRyNfFlQ>
Subject: Re: [TLS] [Errata Held for Document Update] RFC8446 (6205)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 03:39:45 -0000

Yeah, we talked about this one and came to a reasonable conclusion that was based on what I wrote at the time, but better because RFC 8773 exists.

The added text:

> In the absence of some other specification to the contrary, servers which are authenticating with an external PSK MUST NOT send the CertificateRequest message either in the main handshake or request post-handshake authentication. [RFC8773] provides an extension to permit this, but has not received the level of analysis as this specification.

You could improve further, slightly, on an editorial basis:  s/the level of analysis/the same level of analysis/

On Wed, Jan 17, 2024, at 13:12, Eric Rescorla wrote:
> I believe that the current 8446-bis text addresses this. Martin?
>
> On Tue, Jan 16, 2024 at 4:59 PM RFC Errata System 
> <rfc-editor@rfc-editor.org> wrote:
>> The following errata report has been held for document update 
>> for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". 
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6205
>> 
>> --------------------------------------
>> Status: Held for Document Update
>> Type: Editorial
>> 
>> Reported by: Martin Thomson <mt@lowentropy.net>
>> Date Reported: 2020-06-04
>> Held by: Paul Wouters (IESG)
>> 
>> Section: 4.3.2
>> 
>> Original Text
>> -------------
>>    Servers which are authenticating with a PSK MUST NOT send the
>>    CertificateRequest message in the main handshake, though they MAY
>>    send it in post-handshake authentication (see Section 4.6.2) provided
>>    that the client has sent the "post_handshake_auth" extension (see
>>    Section 4.2.6).
>> 
>> Corrected Text
>> --------------
>>    Servers which are authenticating with a resumption PSK MUST NOT send the
>>    CertificateRequest message in the main handshake, though they MAY
>>    send it in post-handshake authentication (see Section 4.6.2) provided
>>    that the client has sent the "post_handshake_auth" extension (see
>>    Section 4.2.6).  Servers which are authenticating with an external PSK
>>    MUST NOT send the CertificateRequest message either in the main handshake
>>    or request post-handshake authentication. Future specifications MAY
>>    provide an extension to permit this. 
>> 
>> Notes
>> -----
>> The lack of qualification on "authenticating with a PSK" implies that the statement applies equally to both external and resumption PSKs.  However, there are two conditions being governed: whether a certificate can be requested during the handshake, and whether a certificate can be requested post-handshake.  The latter of these requires different rules depending on the type of PSK.
>> 
>> We know from the analysis of resumption (see https://mailarchive.ietf.org/arch/msg/tls/TugB5ddJu3nYg7chcyeIyUqWSbA/) that combining a PSK handshake of either type with a client certificate is not safe.  Thus, the prohibition on CertificateRequest during the handshake applies equally to both resumption and external PSKs.
>> 
>> For post-handshake, Appendix E.1 already discusses the risks of combining PSKs with certificates, citing the same analysis as above.
>> 
>>    [...]  It is unsafe to use certificate-based client
>>    authentication when the client might potentially share the same
>>    PSK/key-id pair with two different endpoints.
>> 
>> For this reason an external PSK is not safe to use with post-handshake authentication.  A resumption PSK does not have this property, so the same prohibition doesn't apply.
>> 
>> Splitting the requirements as proposed makes this split clearer.
>> 
>> --------------------------------------
>> RFC8446 (draft-ietf-tls-tls13-28)
>> --------------------------------------
>> Title               : The Transport Layer Security (TLS) Protocol Version 1.3
>> Publication Date    : August 2018
>> Author(s)           : E. Rescorla
>> Category            : PROPOSED STANDARD
>> Source              : Transport Layer Security
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG

v2.23.0 | Report a Bug | By Email