Re: [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Sam Whited <sam@samwhited.com> Mon, 04 October 2021 00:32 UTC

Message-Id: <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com>
In-Reply-To: <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com>
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com>
Date: Sun, 03 Oct 2021 20:31:44 -0400
From: Sam Whited <sam@samwhited.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Rob Sayre <sayrer@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lOE5qwfW9wPe7lX7w7SzYVXHuSo>

8446 currently contains:

> However, it is also possible to bind such connections to an external
> authentication mechanism via out-of-band validation of the server's
> public key, trust on first use, or a mechanism such as channel
> bindings (though the channel bindings described in [RFC5929] are not
> defined for TLS 1.3).

If I were part of the TLS group I'd want to see discussion of the
parenthetical at the end being replaced with something like:

"such as the bindings defined in <future RFC number>".

Then the parenthetical could be moved to the security considerations
section or similar (right now it's quite hard to find).

At the risk of veering into 8446 feedback, I have gotten a lot of
pushback when I mentioned that the RFC5929 channel bindings weren't
defined for TLS 1.3 in the past, normally something along the lines of
"that's just one random throw-away sentence in the middle of the
document, why should I not implement this?"

That being said, I haven't really thought about this and don't know
whether this would be appropriate or not; I'm just trying to respond to
your query with some initial thoughts. None of this should be taken as
what I've been pushing for in the rest of this thread.

—Sam

On Sun, Oct 3, 2021, at 15:02, Eric Rescorla wrote:
> Sorry to be difficult, but as I said, I'd prefer to focus not on the
> question of the header of this document but rather on what we wish
> 8446 said. To that end, what text do you think should go in 8446-bis?