Re: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

Andrei Popov <Andrei.Popov@microsoft.com> Sat, 03 September 2016 21:45 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jQWRj1kZ7frqXlqRlCZURUKt6-o>

Hi Eric,

MS TLS stack uses the user_mapping extension (to map TLS clients to Windows domain users). We do not implement client/server_authz.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Saturday, September 3, 2016 12:54 PM
To: tls@ietf.org
Subject: [TLS] PR #624: Remove Supplemental Auth from TLS 1.3

https://github.com/tlswg/tls13-spec/pull/624

We currently have code points assigned for

 user_mapping [RFC4681]
 client_authz [RFC5878]
 server_authz [RFC5878]

These aren't well-specified for use in TLS 1.3 and my sense is that they
are barely used. Any objections to just banning them? If not, I'll merge this
PR end of next week.

-Ekr