IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-rfc8446bis and draft-ietf-tls-rfc8447bis

Eric Rescorla <ekr@rtfm.com> Wed, 05 April 2023 19:27 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09CBDC1522D3 for <tls@ietfa.amsl.com>; Wed, 5 Apr 2023 12:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pJO_k83Hy_M for <tls@ietfa.amsl.com>; Wed, 5 Apr 2023 12:27:00 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68E04C151B3B for <TLS@ietf.org>; Wed, 5 Apr 2023 12:27:00 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-5445009c26bso696449217b3.8 for <TLS@ietf.org>; Wed, 05 Apr 2023 12:27:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; t=1680722818; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CQABSBVmg2c47ZTowhFBiYYV+84E+grz9nAmfUvpGlo=; b=b25BAquWBqP1/tLKcjO7A0L69y9UhKrl5MbW7nENh0E4AEjaoHFvw7wyG/t/WuJarv T+k2eg86K/QwZIwrmMBsFkvLXwV6pt55IC8IvwTVpZjnakLUPogI9xsfSC9b+mhocCFv Mdzrd7y/61cSNEY3oCaVyazVQiXU5boIJHos4YVVqhKYErTHKo5pVtU2QfVaiHqcXK9P B7zJbu+YZxaccFJQYwaKX6dcwZB/SdmM/E1tXmkG987kDzhLsxEK0E/wHgf1Frtrxuj9 NuLeOZ7nPmqVNps5XGCr8PdiWV5RVEy6OJDhrHk97Y1EdMx2zwc54bqEIeoCCX6q2Pa3 TeCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680722818; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CQABSBVmg2c47ZTowhFBiYYV+84E+grz9nAmfUvpGlo=; b=V5hyaZfsig6/1iAxCEkKNZHudEiKnxY4/LIy7ZFkIof2u4iG2E9jo88f/uFnv3rAi+ hZnJkNcktfMsWbojtRiO88qfaI1fngPM/ikw0XHRk2T32xQ+f4HJXZCDO95zO95ZuG3q a4BCY8l4cVJ46z3muVFidnI8l6TaIXJDOEz2cbo/NxkQCK+qQ+fMfxxkfgmwjCxFJoBW X9cJ7brsAiZxJeD/Md3X/8AcarxBCF4uQhWLVyXQUAoSFaV8U4w6YiJW+fSmpecrTbkw 2wUctJ/dee9ca6TfkquSRcxG6XRmDiV35kInp5pxOpjX5LxsZzzXu+ulO1qGoM49XqfB 6koQ==
X-Gm-Message-State: AAQBX9eKF/GcHFrBdOLvUmsRUeW+ETDRnICIzwNmJqBR7y5AJeVr624U 4uMDO6I2Fk45KDEYzVGMp+jlae69//6uxsZWmzxVrjpZzL+iBjEF
X-Google-Smtp-Source: AKy350Yu2NyA/77pGmTPJYAOMq+B2Kno24QPG/ioAUEvMU+MCXbLQuw6WUfcomjfU6RlBZQstZUV1mavGwheC8JlVLU=
X-Received: by 2002:a81:ac1a:0:b0:54c:cd:f38d with SMTP id k26-20020a81ac1a000000b0054c00cdf38dmr872309ywh.10.1680722817721; Wed, 05 Apr 2023 12:26:57 -0700 (PDT)
MIME-Version: 1.0
References: <E7A22BA0-4EDD-4B0D-B5D1-6FA7AF466398@heapingbits.net> <5CBA62B3-CFD0-4062-B66D-AFA6F887128B@sn3rd.com> <d3ccffd1-2f92-f2e2-0e96-32ee6f5cd7b3@cs.tcd.ie> <CAChr6SwCeWMbPuuPCX7_=JiWe+6712tsXyva+eEB=GpCbQxX4w@mail.gmail.com>
In-Reply-To: <CAChr6SwCeWMbPuuPCX7_=JiWe+6712tsXyva+eEB=GpCbQxX4w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 05 Apr 2023 12:26:21 -0700
Message-ID: <CABcZeBMiZLfBbJSB48hL2Mot+6S1FVNpLH7HfLAJQRKfOqf2uA@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, TLS List <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000084428905f89bc62a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mEM7LmJ3Uf9JvZV4DTu52nYXfXo>
Subject: Re: [TLS] WGLC for draft-ietf-tls-rfc8446bis and draft-ietf-tls-rfc8447bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2023 19:27:05 -0000

Thanks for your feedback. Most of these are editorial comments and
so I think they're my decision as editor about which ones to take
absent some instruction from the chairs.

On Tue, Apr 4, 2023 at 10:43 PM Rob Sayre <sayrer@gmail.com> wrote:

> Hi,
>
> I'm still not sure about the list/vector rename. Aside from that, here's
> what I found:
>
> > It tightens some requirements and contains
> > updated text in areas which were found to be unclear as well as other
> > editorial improvements.
>
> "It contains clarifications and tightened requirements." [let's assume
> some things were unclear and that editorial improvements are clarifications]
>

Not all editorial improvements are clarifications.


>
> > Forbid negotiating TLS 1.0 and 1.1 as they are now deprecated by
> [RFC8996].
>
> I know what's meant here, but deprecated does not mean forbidden. I think
> you want to say "NOT RECOMMENDED" in RFC 2119 words, and give a brief
> reason for that. [but keep reading]
>

This isn't normative text. However 8996 is entitled "Deprecating TLS 1.0
and TLS 1.1" so I think this
is fine.



> > The protocol does not provide any forward secrecy guarantees for this
> data.
> > The server's behavior determines what forward secrecy
> > guarantees, if any, apply (see Section 8.1). This behavior is
> > not communicated to the client as part of the protocol.
> > Therefore, absent out-of-band knowledge of the server's behavior,
> > the client should assume that this data is not forward secret.
>
> Here, you use the term "out-of-band", but the PSK text replaced
> "out-of-band" with "external[ly]". I can't tell whether this usage is
> intentional.
>

It is. The PSKs here are resumption PSKs. They're not external. The out of
band in
question is knowledge about the server behavior.



>
> > Because TLS 1.3 forbids renegotiation, if a server has negotiated TLS
> > 1.3 and receives a ClientHello at any other time, it MUST terminate
>
> "TLS 1.3 forbids renegotiation. If a server has negotiated TLS 1.3 and
> receives a ClientHello at any other time, it MUST terminate..."
>
> [No starting sentences with "Because"]
>

I believe this is editor discretion.


>
> > Note that [RFC8996] and Appendix E.5 forbid the negotation of TLS
> > versions below 1.2; implementations which do not follow that guidance
> > MUST behave as described above.
>
> I think this makes my "NOT RECOMMENDED" suggestion above correct. A
> forbidden "MUST NOT" wouldn't need this text.
>

I don't understand this argument. The point of this text is that people are
forbidden
to do previous versions by 8996, but we know some people won't so this is
backup guidance. I think this is fine.




>
> > Unless otherwise specified, trailing data is forbidden.
> > That is, senders MUST NOT include data after the structure in the
> > "extension_data" field.
>
> This doesn't seem like "MUST NOT", since it could be "otherwise
> specified". I think there needs to be a harsher choice made here, or just
> leave it out.
>

This is actually fairly standard language.



> > When processing an extension, receivers MUST
> > abort the handshake with a "decode_error" alert if there is data left
> > over after parsing the structure. This does not apply if the
> > receiver does not implement or is configured to ignore an extension.
>
> Again, doesn't seem like a "MUST". But the following text says "This does
> not apply", without clarifying what "this" is.
>

I don't follow your argument here either. It's a MUST for any extension you
understand.
Obviously, if you don't understand it, you can't comply with this. I'll
attempt to clarify.


> > After checking ServerHello.random to determine if the server
> > handshake message is a ServerHello or HelloRetryRequest, clients MUST
> > check for this extension prior to processing the rest of the
> > ServerHello.  This will require clients to parse the ServerHello in ...
>
> Another "this". Here, I think the text means "This requirement...", but
> usually a rewrite can fix these ambiguities.
>

I don't think this one is unclear.


> > In the absence of some other specification to the
> > contrary, servers which are authenticating with an external PSK MUST
> > NOT send the CertificateRequest message either in the main handshake
> > or request post-handshake authentication.  [RFC8773] provides an
> > extension to permit this, but has not received the level of analysis
> > as this specification.
>
> Another one of these "In the absence of..." paragraphs. Maybe these are
> intentional? They still sound really redundant to me.
>

They're intentional because we know there is actually such an RFC, but you
have to
actually use it.


> > With a 128-bit key as in AES-128, rekeying 2^64 times has a high
> > probability of key reuse within a given connection.  Note that even...
>
> It's almost always possible to drop "Note that..."
>

It is possible, but I prefer to leave it as-is.


> The rest of this paragraph is really heavy on em dashes, and needs to be
> rewritten. Some of them seem to be parentheticals, but I would try to
> rewrite it as short sentences.
>

I'll take a look.



> > Note that it is common practice in some protocols to use the same
>
> Another "Note that"
>

See above.


>
> > Note that purely deterministic ECC signatures such as deterministic
> ECDSA and EdDSA ...
>
> ...
>
> > If the resumption_master_secret has been
> > compromised, a resumption handshake with EC(DHE) gives protection
> > against passive attackers and a full handshake with EC(DHE) gives
> > protection against active attackers.
>
> Here, you mean "resumption_secret".
>

Thanks. Good catch.


>
> > Note: This specification does not currently permit the server to send
>
> The old text was better. No "Note:".
>
> The "currently" part seems like the wrong thing to write in an immutable
> document. Maybe "TLS 1.3 does not currently..."?
>

I don't think this is a problem.


>
> > In the absence of some other specification to the contrary,
> implementations...
>
> I must be missing the conversation on this stuff. How could anyone write a
> spec if every requirement was prefaced with "in the absence of some other
> specification to the contrary..."
>

The purpose of this text is to signpost that we know that there might be or
in fact is is such a specification, as opposed to other requirements which
we don't have any reason to think that about.


>
> > Amplifying existing information leaks caused by side effects like
> > caching.  An attacker...
>
> Not a complete sentence here. I think it's just a typo.
>

Thanks. Will fix.

-Ekr


>
> thanks,
> Rob
>
>
>
> On Tue, Apr 4, 2023 at 7:32 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>>
>> Hiya,
>>
>> On 05/04/2023 02:47, Sean Turner wrote:
>> > A post IETF 116 bump to make sure folks get their reviews in. If you
>> > look at the diffs from RFC 8446 you can see not that much has
>> > changed. We will also take “I read it and it looks good” response.
>>
>> I looked at the diff between 8446bis-07 and 8446 and it seems
>> fine to me. My only comment is that C.4 says one "SHOULD NOT
>> reuse a key share" - I'd be happier if that was a "MUST NOT"
>> but understand if we stick with SHOULD NOT. If there were a
>> good reference showing that it's quite feasible to never
>> deliberately re-use a key share, even at scale, that'd be a fine
>> addition. (I don't have such a reference to offer,
>> sorry;-)
>>
>> Cheers,
>> S.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email