IETF Logo Mail Archive

Re: [TLS] AD Review of draft-ietf-tls-tls13

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 15 May 2017 16:50 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 569751294B7 for <tls@ietfa.amsl.com>; Mon, 15 May 2017 09:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xf11k0rzJFEy for <tls@ietfa.amsl.com>; Mon, 15 May 2017 09:50:56 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 339AD128954 for <tls@ietf.org>; Mon, 15 May 2017 09:47:38 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id x64so43403122pgd.3 for <tls@ietf.org>; Mon, 15 May 2017 09:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5n7XUCgIpu2DfWTkLj/2n9qcASiVVfR3We8Mt6kFRvs=; b=eTMXNt4/UFuiv92hxlTz6yXhtlXmnUcqlbCMci3CCcCL3Zwf7vBfWSAyi/09mumIO9 MJEgyBUC3+EKZHZ1AcYWt6SsNxcFZ6dmmbNH0PVTnxT4Ymwx4ZTUEIzld26Ic+7MfLET PQiwEm+RAyVky82AZzTFPAfvERE8xvZztc4ekCOse9sTEz+x/cqp8BDJeNg339VHk5JW UF3TAu5zx0V6gLkkgmlHOPgJ/DP7dxPs+cRaWy+t5Yeu2EO966mHTX5WSniE7FTTPLwc OVKrz1phWyY43vyCDUphk7gZSLBjCksMy2+0z4zuGjcw44/2iYPwikuNpIgxZu/K81I9 eReQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5n7XUCgIpu2DfWTkLj/2n9qcASiVVfR3We8Mt6kFRvs=; b=dOKXx/tiOvzqGAOnl0hVK0l9cc0AGtUgF8bUZac+vqMR+KQTR6wVk8wGH5bWwF4pWN mBdh+qc4X9N2OG/AYZk2Z539v7W90u9xQJmc/jF/VlhUs0igKMd4upO3tDF64UCTzGvE s0Xuv3IiacBiY6UzhQSTD4U/V1GQjCxbJk3dR/Mzk8UWd0XaLVRuzXv4DQY6nYycR1/i 4M+KSBj8JTUF5Vr5Iyu/FrpG0JHuxXcnW3z1UwIKtbumz6nwy/z+DGPPSB0i+fopBrgG Kl4VCm/yp2wavE1PwdJVSdcWuDV6E0XKbTVSvzh6WUxtScmJ4fLOi/Qh1pLlQXPPJU+A 09rQ==
X-Gm-Message-State: AODbwcBc6ZF0OLkb/H2UQGI28vnb0V1n3ZaT7BU/G7oCk6WdJCHT0MvJ lU0EDCUgVudyfdAGimXg+hWZhJE/uw==
X-Received: by 10.84.241.132 with SMTP id b4mr9831729pll.107.1494866857616; Mon, 15 May 2017 09:47:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.186.135 with HTTP; Mon, 15 May 2017 09:46:56 -0700 (PDT)
In-Reply-To: <CABcZeBMMQ8kNWUA4Y6ssMw7h54fPbBxrLbgZtxSkYc7-fzypSA@mail.gmail.com>
References: <CAHbuEH4PXU5569RYJ1uPcriQruCewmRrXUU3MVBZ+GtpyceiAw@mail.gmail.com> <CABcZeBMMQ8kNWUA4Y6ssMw7h54fPbBxrLbgZtxSkYc7-fzypSA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 15 May 2017 12:46:56 -0400
Message-ID: <CAHbuEH540KqHrj7BparyasoSuZrH71od6oLvn04o9UqzKvz9iw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lpPwYHh1IkxXYRMRO4NK6TAEK-Y>
Subject: Re: [TLS] AD Review of draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 16:50:59 -0000

Hi Eric,

Thanks for your response.  Sorry for the delay, I'v been traveling.
The responses sound good, I do have a clarification and will respond
inline.

On Sat, May 13, 2017 at 2:09 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> Hi Kathleen,
>
> Thanks for your review.
>
>
>> 1. Since this is going for IETF last call soon and there has been
>> review of the draft (workshop, but is clearly ongoing from the list
>> discussions), should the first sentence of the Introductions be
>> removed?
>>
>>    DISCLAIMER: This is a WIP draft of TLS 1.3 and has not yet seen
>>    significant security analysis.
>
> Yeah, we'll remove this.
>
>
>> 2. Section 4.2.9 - There should be some mention or pointer to the
>> security considerations and recommendations on replay attacks for
>> 0-RTT from this section.  I don't see any mention of discouraging
>> 0-RTT from being a default and think that would be good for
>> applications that use TLS expecting replay protection.  I know the WG
>> agreed to keeping 0-RTT, but I think it's very important to make the
>> issues clear and not have this come up as a default in any
>> implementation/deployment for unsuspecting users.  Part of this will
>> get down to implementation specifics and configuration options, but
>> offering some guidance is important. This document will be read by
>> many, not just developers.
>>
>> Since clients have to initiate 0-RTT, the user has to have some idea
>> that replay attacks are possible and accept that risk.  If this were
>> used in web applications, then all servers that don't want to see
>> replay attacks (banking, etc.), would have to have explicitly reject
>> this usage.  As such, there needs to be very strong guidance to this
>> point. Would it be that browsers configure this as a default or
>> something users would have to turn on or just leave it as an option
>> (with warnings) for a client to enable?  Would servers have clear
>> information in configuration files (or setup) about the implications
>> of this option for those that don't read the RFC and are not aware of
>> this problem?
>>
>> Most of this discussion belongs directly in the security consideration
>> section, but there has to be mention of it with a reference from
>> section 4.2.9.  It's not just an API consideration, this is for
>> developers, implementers, and users of the protocol. Many other
>> protocols use TLS beside HTTP and do so with the expectation of replay
>> protection.
>>
>> While Appendix C1 is helpful, I don't think it's enough.  It's
>> disappointing to see a protocol with a replay attack written as a
>> prominent feature of TLS 1.3 and little discouragement from use.
>
> I agree this should figure more prominently. I'm working on a PR
> for this now which addresses at least some of these points, so
> I'll hold off on responding to this for now and maybe we can
> revisit once that PR has been completed.
>

Thank you.
>
>> 3. Section 4.2.
>>
>>    "In general, detailed certificate validation procedures are out of
>>    scope for TLS (see [RFC5280]).  This section provides TLS-specific
>>    requirements."
>>
>> I don't see an explanation of why it is out-of-scope.  The reference
>> is just to RFC5280, which seems odd.  I would expect the reference to
>> be to something that explains why it is out-of-scope.
>
> In general, TLS's policy (dating back to TLS 1.0) has been that the
> job of TLS is to carry the certificates and other authentication
> material but to leave it up to other parts of the system to
> interpret them. It's been a long time since that decision was made,
> but from my perspective, there are a number of major reasons:
>
> 1. Most of PKI processing (path construction, etc.) is generic and
>    not specific to TLS. What is specific to TLS is:
>
>    * How to indicate what your PKI capabilities are
>      (see, e.g, S 4.2.4 and 4.3.2)
>    * How to stuff the PKI material into the protocol
>      (principally S 4.4.2)
>    * How to determine whether a given certificate is suitable for
>      use in TLS 4.4.4.2 and 4.3.2.1).
>
>    So we want to outsource the generic PKI part
>
>
> 2. It matches the software architecture that people often use,
>    which is to have a TLS stack but separate PKI validation. For
>    instance, Firefox uses NSS for TLS but moz::pkix for
>    validation. Similarly, Chrome uses BoringSSL for TLS
>    but the system PKI libraries for validation.
>
>
> In this case, I think that this text was more intended to
> say "and go read 5280 to learn how to do this". To that end,
> I suggest we say"
>
>
>     "In general detailed certificate validation procedures are out of
>     scope for TLS. [RFC5280] provides general procedures for
>     certificate validation. This section provides TLS-specific
>     requirements."
>

This reads much better, thank you.  However, shouldn't it say TLS1.3
since TLS 1.2 referenced RFC3280 and subsequently in RFC7525 includes
use of RFC5280 as a best practice.  It may be true for TLS 1.0 and
1.1, but it changed for TLS 1.2/

>
>> RFC7525 has use of RFC5280 as a best practice for server identity
>> verification and revocation checks for TLS 1.2.  Is this just for TLS
>> 1.3?  Why?
>
> I think that these requirements apply equally to TLS 1.3, it's
> just that 7525 is older.

I think this was poor phrasing on my part for the point.  and is
hopefully clarified in my response above.  RFC7525 came after TLS 1.2
and updated it's guidance recommending 5280.

>
>
>> RFC3280 is cited for revocation in the TLS 1.2 RFC.  I think a little
>> explanation here would be helpful since this seems to be a departure
>> (or reference to the changes section).
>
> This is part of our generalized attempt to update to point to
> the latest RFCs in our references. I'll add something to the
> references section.
> https://github.com/tlswg/tls13-spec/issues/1015
>
>
>> If RFC5280 remains out-of-scope, this section should fully describe
>> the certificate validation process for TLS 1.3. I think you need to
>> list out everything that should be checked as opposed to just
>> including one example:
>>
>>    "Also, if some aspect of the certificate chain was
>>    unacceptable (e.g., it was not signed by a known, trusted CA), the
>>    server MAY at its discretion either continue the handshake
>>    (considering the client unauthenticated) or abort the handshake."
>
> In general, I think we'd prefer to avoid providing a catalog of
> all the ways that things can go wrong, because there are a lot.
> The point of the text here is just supposed to be that servers
> don't have to fail if they ask for client auth but they are then
> sad about what the client provides. That's actually generally kind
> of true, but it's more obvious with client auth because in many
> cases the server has many ways of authenticating the client and
> can fall back if it doesn't like the cert.

>From list discussions, the underspecification seems to be causing some
interoperability problems.  Maybe a response to the list discussion
with this point will result in something to improve this section and
clarity for developers.  I'll look in the next update.  Thank you.

>
>
>> 4. Section 6.2 Error Alerts
>>
>> In addition to sending the error, I don't see any mention of the error
>> being logged on the server side, shouldn't that be specified?  Logging
>> errors (at least in debug modes when needed) provides valuable
>> troubleshooting information and many applications don't do an adequate
>> job of logging, so I think it's important to call that out here as a
>> recommendation.
>
> I agree. I think it would be useful to say something about this. I've
> filed https://github.com/tlswg/tls13-spec/issues/1014 to track this.

Thank you, this is very helpful.

Best regards,
Kathleen

>
> -Ekr
>
>
> On Fri, May 12, 2017 at 7:07 PM, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>>
>> Hello,
>>
>> Thank you all for your work on TLS 1.3.  The list has still been
>> active on a few topics, so I want to see how that all settles out in
>> addition to the questions I have on the draft below.
>>
>> Introduction:
>>
>> 1. Since this is going for IETF last call soon and there has been
>> review of the draft (workshop, but is clearly ongoing from the list
>> discussions), should the first sentence of the Introductions be
>> removed?
>>
>>    DISCLAIMER: This is a WIP draft of TLS 1.3 and has not yet seen
>>    significant security analysis.
>>
>> 2. Section 4.2.9 - There should be some mention or pointer to the
>> security considerations and recommendations on replay attacks for
>> 0-RTT from this section.  I don't see any mention of discouraging
>> 0-RTT from being a default and think that would be good for
>> applications that use TLS expecting replay protection.  I know the WG
>> agreed to keeping 0-RTT, but I think it's very important to make the
>> issues clear and not have this come up as a default in any
>> implementation/deployment for unsuspecting users.  Part of this will
>> get down to implementation specifics and configuration options, but
>> offering some guidance is important. This document will be read by
>> many, not just developers.
>>
>> Since clients have to initiate 0-RTT, the user has to have some idea
>> that replay attacks are possible and accept that risk.  If this were
>> used in web applications, then all servers that don't want to see
>> replay attacks (banking, etc.), would have to have explicitly reject
>> this usage.  As such, there needs to be very strong guidance to this
>> point. Would it be that browsers configure this as a default or
>> something users would have to turn on or just leave it as an option
>> (with warnings) for a client to enable?  Would servers have clear
>> information in configuration files (or setup) about the implications
>> of this option for those that don't read the RFC and are not aware of
>> this problem?
>>
>> Most of this discussion belongs directly in the security consideration
>> section, but there has to be mention of it with a reference from
>> section 4.2.9.  It's not just an API consideration, this is for
>> developers, implementers, and users of the protocol. Many other
>> protocols use TLS beside HTTP and do so with the expectation of replay
>> protection.
>>
>> While Appendix C1 is helpful, I don't think it's enough.  It's
>> disappointing to see a protocol with a replay attack written as a
>> prominent feature of TLS 1.3 and little discouragement from use.
>>
>>
>> 3. Section 4.2.
>>
>>    "In general, detailed certificate validation procedures are out of
>>    scope for TLS (see [RFC5280]).  This section provides TLS-specific
>>    requirements."
>>
>> I don't see an explanation of why it is out-of-scope.  The reference
>> is just to RFC5280, which seems odd.  I would expect the reference to
>> be to something that explains why it is out-of-scope.
>>
>> RFC7525 has use of RFC5280 as a best practice for server identity
>> verification and revocation checks for TLS 1.2.  Is this just for TLS
>> 1.3?  Why?
>> RFC3280 is cited for revocation in the TLS 1.2 RFC.  I think a little
>> explanation here would be helpful since this seems to be a departure
>> (or reference to the changes section).
>>
>> If RFC5280 remains out-of-scope, this section should fully describe
>> the certificate validation process for TLS 1.3. I think you need to
>> list out everything that should be checked as opposed to just
>> including one example:
>>
>>    "Also, if some aspect of the certificate chain was
>>    unacceptable (e.g., it was not signed by a known, trusted CA), the
>>    server MAY at its discretion either continue the handshake
>>    (considering the client unauthenticated) or abort the handshake."
>>
>>
>> 4. Section 6.2 Error Alerts
>>
>> In addition to sending the error, I don't see any mention of the error
>> being logged on the server side, shouldn't that be specified?  Logging
>> errors (at least in debug modes when needed) provides valuable
>> troubleshooting information and many applications don't do an adequate
>> job of logging, so I think it's important to call that out here as a
>> recommendation.
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email