IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

Martin Thomson <martin.thomson@gmail.com> Thu, 10 May 2018 02:16 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C8D6129C70 for <tls@ietfa.amsl.com>; Wed, 9 May 2018 19:16:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DKuECBjwXYEy for <tls@ietfa.amsl.com>; Wed, 9 May 2018 19:16:01 -0700 (PDT)
Received: from mail-ot0-x22d.google.com (mail-ot0-x22d.google.com [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B06512708C for <tls@ietf.org>; Wed, 9 May 2018 19:16:01 -0700 (PDT)
Received: by mail-ot0-x22d.google.com with SMTP id g7-v6so610067otj.11 for <tls@ietf.org>; Wed, 09 May 2018 19:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=jupn8MVKKhEn85mkCriEMNCWZj6nVZg+sv6GlaJ5Taw=; b=oqg5RzQEuKh7CrZOGg9D2AZPdbrq81/tHBi1CzMjBnSsWJnbspp8fZ4LaaYG5Qiihi gom2fBVwIoA8svik09V/KSfnrjzC3rzJ+Udgti80NmXa/7SuJSSoGM4yZy6BSzERAAQT VdTHJjDKaJLzB+rOmamrzk2hgbwIsKIOkpkuyNfbewByrqJ2AxfqqjnZrmvmRQD/8089 aJVoytyeAq6LxgmQvNMmNZcDoOIrdhvkneoxSrCS1mpFecHPusDnx1DxHFjgCcIu4cbw qP2UJn8TtUlMTPIGt8ygzgpUyTqZ50rRT5i58n5HRpYThhPYF59XFnHu3c1f8kLjvnOq Bi7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=jupn8MVKKhEn85mkCriEMNCWZj6nVZg+sv6GlaJ5Taw=; b=mk6esDkhmKoE8bcvrQYTJ6Ip1yFKKxRVA+SiGvMxvJPv6UZMMHQ0AeNg2Uae3q7gQV C1M0+0PrNLsVr0qz5ZVoNVnKSgNNy3hxglNjNDPTiGEiWPmsyaJXzvDzAXuf9l8XPCbJ kMtu5ocubUapTnZh8+30KipLc7Px3M9z5JhhiJORdPmcldtqZGs5MkvtcOMmYN79h6tN ol9B6uv1CEAsF44YO1Y6fGrvaS34AcRVMGSDY2cElbCzieJzE059zzCJv+7bS1KeDyH7 KLSmxkQMv0XdehImwMoHtNGzzXrvkPk9cQTXFJoFC3Z3AqvGmHHNdf9oP8mFctVglp0k 17Ng==
X-Gm-Message-State: ALQs6tC2nap3WKs05L13HWejPNFNITgnKNLZZBn1FMQTU+SQSC7nBn+F 8AFWxwwEszcLJlx8+BPSbRKrRVnvZxyOgNu0VcA=
X-Google-Smtp-Source: AB8JxZqcGvXKB/8E0V2tjWVKlK9uD0HMlIF5G0h8Lye2YYREx3cRBOiK7okRg4n91YYd8U3Rv6EeNZxWhLiQNuZsEQA=
X-Received: by 2002:a9d:354a:: with SMTP id l10-v6mr7741757ote.15.1525918560831; Wed, 09 May 2018 19:16:00 -0700 (PDT)
MIME-Version: 1.0
References: <4E347898-C787-468C-8514-30564D059378@sn3rd.com> <96B30D45-BAA9-4798-B222-F7890157A434@nerd.ninja> <20180504214834.GS5742@akamai.com> <50E87E1B-A2DE-4E0A-B851-B83D2AA9320D@nerd.ninja> <CABcZeBPp_ibhmKJfLvqGMJj4sz6u4bC1-2ncJZ3zbGVCyEHCPw@mail.gmail.com> <EFDFA96E-ED01-42AC-BA8A-7844974FDFF9@nerd.ninja> <726B4BF1-79AA-494E-9852-DC3682E80E3A@nerd.ninja> <CABkgnnWmGYZ8V1a0TJs3eCcDA=sxgyCT0MPUfQdLOR-jVf1kfg@mail.gmail.com> <B62611A2-D9F0-4752-AA90-46974EA47517@nerd.ninja> <CABkgnnV1hp7ueCSPJ9aM0a9B2KN-Uawd_UWwCRaZr=zRZgTRUg@mail.gmail.com> <CABcZeBMXrXxEjB=2FVRtN+Gs5jhkpNETp2RtDb2G7V5ZhemgmA@mail.gmail.com>
In-Reply-To: <CABcZeBMXrXxEjB=2FVRtN+Gs5jhkpNETp2RtDb2G7V5ZhemgmA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 10 May 2018 02:15:50 +0000
Message-ID: <CABkgnnXyqzDn4cVmZA87O4+RsoLEQXP5R+BcDMsuGaLQHQme_w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: r@nerd.ninja, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nEtP5Mq7c0DAIScmFEF1FxfGY3w>
Subject: Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 02:16:06 -0000

I'm not that concerned about this, though I will concede that it's worth
pointing out.

Failing to validate a secondary certificate for a server shouldn't be cause
for terminating an otherwise usable connection.  The same goes for clients
that authenticate using this.  As long as users of exported authenticators
are aware of this, then they can design for it.

If those users wanted confirmation, then we could provide a
confirmation-of-mechanism-viability in the application layer.  That could
just be by including a value derived from the exporter in the negotiation.

In h2, we could do as much as 4 octets of confirmation for cheap, and maybe
we should.
https://github.com/httpwg/http-extensions/issues/617
On Wed, May 9, 2018 at 11:28 PM Eric Rescorla <ekr@rtfm.com> wrote:

> Regardless of where it goes in the document, I think there's a real
deployment
> consideration here: if you run this mechanism through a conventional MITM
> proxy, what will happen will be that the secondary cert auth will appear
to just
> fail with a bogus signature. If clients respond to that by terminating
the connection,
> then we're going to be in pretty bad shape [0]. So I think we either need:

> 1. To negotiate this with an extension
> 2. To tell people not to treat signature failures as a hard failure.
> 3. To have some way to indicate that there was a MITM on-path (e.g., have
the
>      application level mechanism include some separate value that's tied to
>      the channel that lets the endpoints detect when its two separate
channels).

> -Ekr


> [0] Note that this also applies to post-handshake authentication, but
that's negotiated
> with an extension, so S 9.3 applies.


> On Wed, May 9, 2018 at 12:39 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

>> This isn't really a security consideration though, it's a truism.  A MitM
>> can break things that depend on end-to-end integrity of the connection.
>> On Wed, May 9, 2018 at 11:25 AM Roelof duToit <r@nerd.ninja> wrote:

>> > If the use of the mechanism is not negotiated on the TLS level then I
>> would appreciate it if the “Security Considerations” section of the draft
>> could be amended to include a paragraph that warns potential implementors
>> that protocol-agnostic middleboxes will break the mechanism without any
>> clear failure indicators.

>> > > On May 8, 2018, at 8:13 PM, Martin Thomson <martin.thomson@gmail.com>
>> wrote:
>> > >
>> > > On Wed, May 9, 2018 at 2:20 AM Roelof duToit <r@nerd.ninja> wrote:
>> > >
>> > >> I understand that there is not really anything to negotiate per se,
but
>> > > would it not be prudent to add a TLS extension to negotiate support
for
>> > > exported-authenticator in the TLS layer prior to using it in the
>> > > application layer?
>> > >
>> > > We don't signal the potential need for exporters.  I see no reason to
>> > > signal this either.  Any signaling necessary really belongs at the
>> higher
>> > > layer.

v2.23.0 | Report a Bug | By Email