Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-tls13-26: (with COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Wed, 07 March 2018 18:38 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42ABE1289B0 for <tls@ietfa.amsl.com>; Wed, 7 Mar 2018 10:38:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=ietf@kuehlewind.net header.d=kuehlewind.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rppfO2FKAhbE for <tls@ietfa.amsl.com>; Wed, 7 Mar 2018 10:38:47 -0800 (PST)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA33E12895E for <tls@ietf.org>; Wed, 7 Mar 2018 10:38:46 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kuehlewind.net; b=hrhOYzqjqz4cY+XLXhGU/bN5z4XBkEX9ukI5Q2ZE4MrV+2AAJna7U/axHJbwY37dYlzk617swbpt1XXD1swDyyPzIdS70b0p5OH/49u+2XUtNmO9G3nbB9HYQ7S6H9AAqNCCAaVTs3cKllcaPfLtFW5PZJYT49GK/90z9fi/DN0=; h=Received:Received:Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-PPP-Message-ID:X-PPP-Vhost;
Received: (qmail 17756 invoked from network); 7 Mar 2018 19:32:02 +0100
Received: from i577bce46.versanet.de (HELO ?192.168.133.28?) (87.123.206.70) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 7 Mar 2018 19:32:02 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <CABcZeBML9yhXvzA53QxVNk0-3pis=8pF9LYzYXqTmUvCaVRisQ@mail.gmail.com>
Date: Wed, 07 Mar 2018 19:32:01 +0100
Cc: "<tls@ietf.org>" <tls@ietf.org>, draft-ietf-tls-tls13@ietf.org, The IESG <iesg@ietf.org>, Sean Turner <sean@sn3rd.com>, tls-chairs <tls-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7556C17C-A6F5-4FCD-8FB6-DFC85D1C1E92@kuehlewind.net>
References: <152044072045.17779.18123788753031746068.idtracker@ietfa.amsl.com> <CABcZeBML9yhXvzA53QxVNk0-3pis=8pF9LYzYXqTmUvCaVRisQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-PPP-Message-ID: <20180307183202.17747.72388@lvps83-169-45-111.dedicated.hosteurope.de>
X-PPP-Vhost: kuehlewind.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/klMqCHBkZ02FSbZXYBbYc4WTF4Y>
Subject: Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-tls13-26: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 18:38:48 -0000

Hi,

see below

> Am 07.03.2018 um 19:05 schrieb Eric Rescorla <ekr@rtfm.com>:
> 
> > 1) I'm a bit uncertain if obsoleting is the right approach as many
> > other protocols usually do not obsolete older versions. However, I
> > understand that this has been the approach TLS has previously taken
> > and is supported by the way the document is written.
> 
> Well:
> https://www.ietf.org/iesg/statement/designating-rfcs-as-historic.html
> says:
> A document is obsolete when there is a newer version that replaces it.
> 
> I believe that that's the relationship between TLS 1.3 and TLS 1.2.

I looked at this and was wondering if this is meant to rather mean newer version of the same document than actual protocol version.

I found this in RFC2223 (which is obsoleted by 7322 which however doesn’t give a definition):

"Obsoletes

      To be used to refer to an earlier document that is replaced by
      this document.  This document contains either revised information,
      or else all of the same information plus some new information,
      however extensive or brief that new information is; i.e., this
      document can be used alone, without reference to the older
      document.“

Anyway, as I said I know why you did this; it still seem wired to me.

> 
> 
> > Still, I find it
> > especially confusing that also two TLS1.2 extensions are deprecated
> > which are not needed with TLS1.3 anymore but still probably valid to
> > be used with TLS1.2, right?
> 
> Which extensions are you referring to.

RFC5077 and RFC6961 (maybe extension is not the wrong term for the first one)
> 
> 
> > I would recommend for this version to at
> > least already note in the abstract or very early in the intro that it
> > changes the versioning mechanism itself, and thereby basically
> > declares the TLS handshake as an invariant for all future versions and
> > extensibility is only provided using extensions anymore.
> 
> It's true that we are deprecating the version mechanism, but that
> does not mean that it is the only extension mechanism.

Which others do you have?

> 
> 
> 
> > 2) Can you provide further explanation (potentially in the draft) why
> > the Pre-Shared Key Exchange Modes are provided in an extra/separate
> > extension?
> 
> I'm sorry, I'm not following this. As opposed to what?

You could implicitly make assumptions depending on which extension are present or you can add one field to the pre_shared_key extension to indicate the mode. I’m always careful is something says „if this think is present, that must also be present“ as it can be an source of error that could have been avoided.

> 
> 
> > 3) I know previous versions of TLS didn't say that much either, but I
> > find it a bit wired that there are NO requirements for the underlaying
> > transport in this document. Previous version this at least said in the
> > intro that a reliable transport (like TCP) is assumed, but even this
> > minimal information seems to have gotten lost in this
> > document. However, I would usually also expect to seen some minimal
> > text about connection handling, e.g. is it okay to transparently try
> > to reestablish the connection by the underlying transport protocol if
> > it broke for some reason? Or it is okay to use the same TCP connection
> > to first send other data and then start the TLS handshake?
> 
> This is pretty explicitly outside the scope of TLS. It's just the job
> of the underlying transport to simulate a reliable stream. I can add
> some text that that's expected.

If that is the only requirement, it would still be good to spell that out.
> 
> 
> > 4) Regarding the registration policies: I assume the intend of
> > changing them is to make it easier to specify and use new
> > extensions/mechanism. However, I am wondering why the policies have
> > been changed to "Specification Required" and not "IETF consensus" or
> > RFC Required"?
> 
> The changes aren't in this document, but the WG feeling was that
> both of those were creating bad incentives for people to publish
> RFCs just to get a code point. The "Recommended" flag was intended
> to address that need instead.

Hm, I think I would actually prefer to see things documented in RFCs instead of just having some spec somewhere. Not sure if an RFC on the ISE stream is that much more effort than writing a spec somewhere else but then at least the IESG would get to see it for a conflict review...

> 
> 
> > 5) I find it a bit strange that basically the whole working group is
> > listed as contributors. My understanding was that Contributors are
> > people that have contributed a "significant" amount of text, while
> > everybody else who e.g. brought ideas in during mailing list
> > discussion would be acknowledged only.
> 
> I don't think we have any IETF-wide standard here, but traditionally
> we have adopted a pretty generous attitude towards acknowledgements
> of this type. Given that electrons are basically free, I don't see a real
> problem here.

I just would have expected to see all these names in an acknowledgment section and not in an contributor section. 

RFC7322 again says:

"4.11.  Contributors Section



   This optional section acknowledges those who have made significant
   contributions to the document.“


Mirja



> 
> -Ekr
> 
> 
> On Wed, Mar 7, 2018 at 8:38 AM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
> Mirja Kühlewind has entered the following ballot position for
> draft-ietf-tls-tls13-26: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 1) I'm a bit uncertain if obsoleting is the right approach as many other
> protocols usually do not obsolete older versions. However, I understand that
> this has been the approach TLS has previously taken and is supported by the way
> the document is written. Still, I find it especially confusing that also two
> TLS1.2 extensions are deprecated which are not needed with TLS1.3 anymore but
> still probably valid to be used with TLS1.2, right? I would recommend for this
> version to at least already note in the abstract or very early in the intro
> that it changes the versioning mechanism itself, and thereby basically declares
> the TLS handshake as an invariant for all future versions and extensibility is
> only provided using extensions anymore.
> 
> 2) Can you provide further explanation (potentially in the draft) why the
> Pre-Shared Key Exchange Modes are provided in an extra/separate extension?
> 
> 3) I know previous versions of TLS didn't say that much either, but I find it a
> bit wired that there are NO requirements for the underlaying transport in this
> document. Previous version this at least said in the intro that a reliable
> transport (like TCP) is assumed, but even this minimal information seems to
> have gotten lost in this document. However, I would usually also expect to seen
> some minimal text about connection handling, e.g. is it okay to transparently
> try to reestablish the connection by the underlying transport protocol if it
> broke for some reason? Or it is okay to use the same TCP connection to first
> send other data and then start the TLS handshake?
> 
> 4) Regarding the registration policies: I assume the intend of changing them is
> to make it easier to specify and use new extensions/mechanism. However, I am
> wondering why the policies have been changed to "Specification Required" and
> not "IETF consensus" or RFC Required"?
> 
> 5) I find it a bit strange that basically the whole working group is listed as
> contributors. My understanding was that Contributors are people that have
> contributed a "significant" amount of text, while everybody else who e.g.
> brought ideas in during mailing list discussion would be acknowledged only.
> 
> 
>