Re: [TLS] Keyshare extension spec
Dave Garrett <davemgarrett@gmail.com> Sat, 12 December 2015 03:26 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587DA1ACDF5 for <tls@ietfa.amsl.com>; Fri, 11 Dec 2015 19:26:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8i0vVF5DBTC7 for <tls@ietfa.amsl.com>; Fri, 11 Dec 2015 19:26:50 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D5771ACDEB for <tls@ietf.org>; Fri, 11 Dec 2015 19:26:50 -0800 (PST)
Received: by qkht125 with SMTP id t125so67267884qkh.3 for <tls@ietf.org>; Fri, 11 Dec 2015 19:26:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=+oW06U62FC8PL6O2reqfGLdXODfWiqo28OiZkl9D7EE=; b=DeQFLIhHqW9ipIytmUnORteXkKUMw1hmHpvLXu6KxaumUR9NiyTfRXkCkB3TUr4deA 76EE6DXKT4F//xR+L69SC6QXdwEBZvvTbFa31ln0MkyLFmjERvwo3Up9CprDuXtR72RS 4+9HAJdcb3u2VURcPLYNkLcook1eT2YD6U+5Q3yA00UAYQDsHkpN2NPusd22z9LzdbAD F+fJFUiQ5/w/u3H0bCRD4Ys5z+55YJkWra62J3FMiKWFyTbdFJKzAKu0dmK7PPt/CtVR Czn4rCWv7mCj9tvd8DhG8/Bo73x0Iewqw37LDAZkE0/dMMseedWxF3FdX0ucBFmyiO9S sotA==
X-Received: by 10.55.79.207 with SMTP id d198mr26495421qkb.49.1449890809776; Fri, 11 Dec 2015 19:26:49 -0800 (PST)
Received: from dave-laptop.localnet (pool-72-94-152-197.phlapa.fios.verizon.net. [72.94.152.197]) by smtp.gmail.com with ESMTPSA id k9sm9464312qgd.21.2015.12.11.19.26.48 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 11 Dec 2015 19:26:48 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Christian Huitema <huitema@microsoft.com>
Date: Fri, 11 Dec 2015 22:26:46 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <DM2PR0301MB065556F2C5E0449C207C0BD0A8EB0@DM2PR0301MB0655.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB065556F2C5E0449C207C0BD0A8EB0@DM2PR0301MB0655.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201512112226.47268.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/k3mJZnvxf4A3z4LEfZFmq01V3ew>
Cc: tls@ietf.org
Subject: Re: [TLS] Keyshare extension spec
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2015 03:26:52 -0000
On Friday, December 11, 2015 08:13:05 pm Christian Huitema wrote: > I am looking at the specification of the key share extension, section 6.3.2.3 of the 1.3 draft. I think that the behavior is somewhat underspecified. The spec says: > > ...Clients MAY omit this extension from the ClientHello, and in response to this, servers MUST send a HelloRetryRequest requesting use of one of the groups the client offered support for in its "supported_groups" extension. If no common supported group is available, the server MUST produce a fatal "handshake_failure" alert. There's some cruft in the current draft leftover from ekr and I waffling back/forth on whether to omit or send an empty extension when requesting server selection. (was pointed out on this list by someone else a couple weeks ago) We eventually decided on empty. I have a PR pending review that fixes the merge mistakes and clarifies some bits. https://github.com/tlswg/tls13-spec/pull/349/files > I am concerned with the hypothetical case in which the client sends a list of groups in the "named group" extension but only sends keys for a subset of these groups in the "key share" extension. For example, a client might propose secp256r1 and secp384r1 in the named group extension, leading the server to select secp256r1, but only provide a key for secp384r1 in the key share extension. The server has two options: > > * produce a fatal handshake failure alert, because no common supported group is available, > * or, send a HelloRetryRequest requesting use of one of the groups the client offered support for, secp256r1 in the example. > > Which is the correct interpretation? Is one of these behaviors preferred, or are both available? The latter: HelloRetryRequest is the required response. (See also the PR noted above.) The retry mechanism essentially allows key shares to be provided on-demand. Servers selecting a group that is supported, but not provided, request it via the HelloRetryRequest. > Also, what is supposed to happen if the client sends an empty Key Share extension? With the pending changes this is the explicit HelloRetryRequest request case. Lack of the extension when offering suites requiring it a fatal "missing_extension" alert. (switching to supplying an empty extension when requesting a retry makes this simpler) > Or, if its listed key share extensions list keys for groups that are not indicated in the "named group" extension? I have a "MUST NOT" for doing that in the pending PR. In order to be thorough, I've just amended it with a specific fatal alert to throw. Though other mechanisms should catch an attempt to inject a bogus key share, implementations not checking for and erroring on unsupported keys here sounds like a recipe for badness. Dave
- [TLS] Keyshare extension spec Christian Huitema
- Re: [TLS] Keyshare extension spec Dave Garrett