Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator
Martin Thomson <martin.thomson@gmail.com> Thu, 10 May 2018 02:16 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C8D6129C70 for <tls@ietfa.amsl.com>; Wed, 9 May 2018 19:16:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DKuECBjwXYEy for <tls@ietfa.amsl.com>; Wed, 9 May 2018 19:16:01 -0700 (PDT)
Received: from mail-ot0-x22d.google.com (mail-ot0-x22d.google.com [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B06512708C for <tls@ietf.org>; Wed, 9 May 2018 19:16:01 -0700 (PDT)
Received: by mail-ot0-x22d.google.com with SMTP id g7-v6so610067otj.11 for <tls@ietf.org>; Wed, 09 May 2018 19:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=jupn8MVKKhEn85mkCriEMNCWZj6nVZg+sv6GlaJ5Taw=; b=oqg5RzQEuKh7CrZOGg9D2AZPdbrq81/tHBi1CzMjBnSsWJnbspp8fZ4LaaYG5Qiihi gom2fBVwIoA8svik09V/KSfnrjzC3rzJ+Udgti80NmXa/7SuJSSoGM4yZy6BSzERAAQT VdTHJjDKaJLzB+rOmamrzk2hgbwIsKIOkpkuyNfbewByrqJ2AxfqqjnZrmvmRQD/8089 aJVoytyeAq6LxgmQvNMmNZcDoOIrdhvkneoxSrCS1mpFecHPusDnx1DxHFjgCcIu4cbw qP2UJn8TtUlMTPIGt8ygzgpUyTqZ50rRT5i58n5HRpYThhPYF59XFnHu3c1f8kLjvnOq Bi7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=jupn8MVKKhEn85mkCriEMNCWZj6nVZg+sv6GlaJ5Taw=; b=mk6esDkhmKoE8bcvrQYTJ6Ip1yFKKxRVA+SiGvMxvJPv6UZMMHQ0AeNg2Uae3q7gQV C1M0+0PrNLsVr0qz5ZVoNVnKSgNNy3hxglNjNDPTiGEiWPmsyaJXzvDzAXuf9l8XPCbJ kMtu5ocubUapTnZh8+30KipLc7Px3M9z5JhhiJORdPmcldtqZGs5MkvtcOMmYN79h6tN ol9B6uv1CEAsF44YO1Y6fGrvaS34AcRVMGSDY2cElbCzieJzE059zzCJv+7bS1KeDyH7 KLSmxkQMv0XdehImwMoHtNGzzXrvkPk9cQTXFJoFC3Z3AqvGmHHNdf9oP8mFctVglp0k 17Ng==
X-Gm-Message-State: ALQs6tC2nap3WKs05L13HWejPNFNITgnKNLZZBn1FMQTU+SQSC7nBn+F 8AFWxwwEszcLJlx8+BPSbRKrRVnvZxyOgNu0VcA=
X-Google-Smtp-Source: AB8JxZqcGvXKB/8E0V2tjWVKlK9uD0HMlIF5G0h8Lye2YYREx3cRBOiK7okRg4n91YYd8U3Rv6EeNZxWhLiQNuZsEQA=
X-Received: by 2002:a9d:354a:: with SMTP id l10-v6mr7741757ote.15.1525918560831; Wed, 09 May 2018 19:16:00 -0700 (PDT)
MIME-Version: 1.0
References: <4E347898-C787-468C-8514-30564D059378@sn3rd.com> <96B30D45-BAA9-4798-B222-F7890157A434@nerd.ninja> <20180504214834.GS5742@akamai.com> <50E87E1B-A2DE-4E0A-B851-B83D2AA9320D@nerd.ninja> <CABcZeBPp_ibhmKJfLvqGMJj4sz6u4bC1-2ncJZ3zbGVCyEHCPw@mail.gmail.com> <EFDFA96E-ED01-42AC-BA8A-7844974FDFF9@nerd.ninja> <726B4BF1-79AA-494E-9852-DC3682E80E3A@nerd.ninja> <CABkgnnWmGYZ8V1a0TJs3eCcDA=sxgyCT0MPUfQdLOR-jVf1kfg@mail.gmail.com> <B62611A2-D9F0-4752-AA90-46974EA47517@nerd.ninja> <CABkgnnV1hp7ueCSPJ9aM0a9B2KN-Uawd_UWwCRaZr=zRZgTRUg@mail.gmail.com> <CABcZeBMXrXxEjB=2FVRtN+Gs5jhkpNETp2RtDb2G7V5ZhemgmA@mail.gmail.com>
In-Reply-To: <CABcZeBMXrXxEjB=2FVRtN+Gs5jhkpNETp2RtDb2G7V5ZhemgmA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 10 May 2018 02:15:50 +0000
Message-ID: <CABkgnnXyqzDn4cVmZA87O4+RsoLEQXP5R+BcDMsuGaLQHQme_w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: r@nerd.ninja, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nEtP5Mq7c0DAIScmFEF1FxfGY3w>
Subject: Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 02:16:06 -0000
I'm not that concerned about this, though I will concede that it's worth pointing out. Failing to validate a secondary certificate for a server shouldn't be cause for terminating an otherwise usable connection. The same goes for clients that authenticate using this. As long as users of exported authenticators are aware of this, then they can design for it. If those users wanted confirmation, then we could provide a confirmation-of-mechanism-viability in the application layer. That could just be by including a value derived from the exporter in the negotiation. In h2, we could do as much as 4 octets of confirmation for cheap, and maybe we should. https://github.com/httpwg/http-extensions/issues/617 On Wed, May 9, 2018 at 11:28 PM Eric Rescorla <ekr@rtfm.com> wrote: > Regardless of where it goes in the document, I think there's a real deployment > consideration here: if you run this mechanism through a conventional MITM > proxy, what will happen will be that the secondary cert auth will appear to just > fail with a bogus signature. If clients respond to that by terminating the connection, > then we're going to be in pretty bad shape [0]. So I think we either need: > 1. To negotiate this with an extension > 2. To tell people not to treat signature failures as a hard failure. > 3. To have some way to indicate that there was a MITM on-path (e.g., have the > application level mechanism include some separate value that's tied to > the channel that lets the endpoints detect when its two separate channels). > -Ekr > [0] Note that this also applies to post-handshake authentication, but that's negotiated > with an extension, so S 9.3 applies. > On Wed, May 9, 2018 at 12:39 AM, Martin Thomson <martin.thomson@gmail.com> wrote: >> This isn't really a security consideration though, it's a truism. A MitM >> can break things that depend on end-to-end integrity of the connection. >> On Wed, May 9, 2018 at 11:25 AM Roelof duToit <r@nerd.ninja> wrote: >> > If the use of the mechanism is not negotiated on the TLS level then I >> would appreciate it if the “Security Considerations” section of the draft >> could be amended to include a paragraph that warns potential implementors >> that protocol-agnostic middleboxes will break the mechanism without any >> clear failure indicators. >> > > On May 8, 2018, at 8:13 PM, Martin Thomson <martin.thomson@gmail.com> >> wrote: >> > > >> > > On Wed, May 9, 2018 at 2:20 AM Roelof duToit <r@nerd.ninja> wrote: >> > > >> > >> I understand that there is not really anything to negotiate per se, but >> > > would it not be prudent to add a TLS extension to negotiate support for >> > > exported-authenticator in the TLS layer prior to using it in the >> > > application layer? >> > > >> > > We don't signal the potential need for exporters. I see no reason to >> > > signal this either. Any signaling necessary really belongs at the >> higher >> > > layer.
- [TLS] WGLC for draft-ietf-tls-exported-authentica… Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Nick Sullivan
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Nikos Mavrogiannopoulos
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Tim Hollebeek
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Roelof duToit
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Benjamin Kaduk
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Roelof duToit
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Roelof duToit
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Roelof duToit
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Mike Bishop
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Roelof duToit
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Roelof duToit
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Nick Sullivan
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Nick Sullivan
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-exported-authen… Nick Sullivan