Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft posted
Adam Langley <agl@google.com> Thu, 18 February 2010 16:29 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C46E628C215 for <tls@core3.amsl.com>; Thu, 18 Feb 2010 08:29:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.644
X-Spam-Level:
X-Spam-Status: No, score=-104.644 tagged_above=-999 required=5 tests=[AWL=1.333, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jqmF1xdZNKxW for <tls@core3.amsl.com>; Thu, 18 Feb 2010 08:29:46 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id BBBE828B56A for <tls@ietf.org>; Thu, 18 Feb 2010 08:29:45 -0800 (PST)
Received: from wpaz17.hot.corp.google.com (wpaz17.hot.corp.google.com [172.24.198.81]) by smtp-out.google.com with ESMTP id o1IGVQp8026370 for <tls@ietf.org>; Thu, 18 Feb 2010 16:31:27 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1266510687; bh=MojB0dh4QYD6SMRJGfGhNi8Lj6w=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=FiXfFbufGFS0WMq5QoNdZkuljlaK1QJkYaAUVjbHsxHmRX3KoouUosAhnSA7U/krS 3OlRo4TqSrSnFM3m3OUVw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=gYQ+AHO2cXkU381n4anttNYK9zZf2rZhCf/5R/MQkTGqfuy3clFA+4A5Fq/gJF0Yk 8mv5PPLy1Xrz2cnIIrKTg==
Received: from pzk29 (pzk29.prod.google.com [10.243.19.157]) by wpaz17.hot.corp.google.com with ESMTP id o1IGVOkT028596 for <tls@ietf.org>; Thu, 18 Feb 2010 08:31:25 -0800
Received: by pzk29 with SMTP id 29so875184pzk.17 for <tls@ietf.org>; Thu, 18 Feb 2010 08:31:24 -0800 (PST)
MIME-Version: 1.0
Received: by 10.142.4.12 with SMTP id 12mr6545539wfd.138.1266510684012; Thu, 18 Feb 2010 08:31:24 -0800 (PST)
In-Reply-To: <C7A30236.85DC%stefan@aaa-sec.com>
References: <C7A2FC2B.85D4%stefan@aaa-sec.com> <C7A30236.85DC%stefan@aaa-sec.com>
Date: Thu, 18 Feb 2010 11:31:23 -0500
Message-ID: <a84d7bc61002180831n412afe3aubffd4708a02b1dd3@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2010 16:29:47 -0000
On Thu, Feb 18, 2010 at 8:41 AM, Stefan Santesson <stefan@aaa-sec.com> wrote: > I think this is NOW ready for WGLC Wan-Teh Chang and I went over this draft yesterday and we sketched up some changes to the draft that we think might be a good idea. In outline: 1) The extension is symmetrical, so the server can now predict values from the client. 2) Both sides can list the types of objects for which they support caching. 3) Both sides can list the hash types which they support. 4) Substitution of cached values now involves new handshake message types. 5) Made it clearer that each substitution is optional and independent. I don't feel particularly strongly about any of these points and would much rather see the current draft than nothing at all. 1) makes the extension symmetrical and it seems like there might be something in the future that the server would like to predict from the client. At the moment we suggest that the server might want to support predicting the client's certificate. Often a CertificateRequest handshake is a renegotiation and a higher level knows what certificate the client should be presenting. 2) was a suggestion from Martin Rex and 3) is a follow on from that. 4) results from the fact that I don't think the current draft is clear enough about how the substitution occurs. Making new handshake types means that everything is very explicit and I prefer that. However, I can't think of anything technically wrong with just memcmp()ing for the hash values in the existing handshake messages, if it was precisely specified. Cheers AGL 3. Cached Information Extension A new extension type (cached_information(TBD)) is defined and used in both the client hello and server hello messages. The extension type is specified as follows. enum { cached_information(TBD), (65535) } ExtensionType; The "extension_data" field of this extension, when included in the client hello, SHALL contain "CachedInformation" according to the following structure: enum { server_certificate_chain(1), client_certificate_chain(2), trusted_cas(3), (255) } CachedInformationType; struct { HashAlgorithm hash; opaque hash_value<1..255>; } CachedInformationHash; struct { CachedInformationType type; CachedInformationHash hashes<1..2^16-1>; } CachedObject; struct { CachedInformationType supported_types<0..255>; HashAlgorithm supported_hash_algorithms<0..255>; CachedObject cached_info<0..2^16-1>; } CachedInformation; Hash algorithm identifiers are provided by the RFC 5246 [RFC5246] HashAlgorithm registry. Compliant implementations MUST support sha1(2) as HashAlgorithm. When CachedInformationType identifies server_certificate_chain or client_certificate_chain, then hash_value MUST include at least one hash value calculated over the certificate_list element of a Certificate message. When CachedInformationType identifies trusted_cas, then hash_value MUST include at least one hash value calculated over the certificate_authorities element of a server side CertificateRequest message. Implementations MUST NOT include hashes for multiple objects in the same CachedObject structure. If more than one hash is present in the CachedObject structure, they MUST be hashes over the same information object using different hash algorithms. Implementations SHOULD NOT emit duplicate CachedInformationHashs (i.e. the same hash twice). Implementations SHOULD NOT emit duplicate CachedObjects (i.e. the same object twice). supported_types enumerates the set of objects that the peer might wish to cache. This is advisory and may guide the peer when deciding whether to cache a given piece of information. A host may still choose to substitute a cached object even if supported_types suggests that it is not able to. There SHOULD NOT be any duplicates in the vector. supported_hash_algorithms enumerates the set of hash functions that the host supports. Peers may use this to avoid sending hashes using an algorithm that is not supported. This is advisory only, thus a host MAY substitute a hash value even if supported_hash_algorithms suggests that it is not able to. There SHOULD NOT be any duplicates in the vector. Other specifications MAY define more CachedInformationType types. 4. Message flow Clients MAY include an extension of type "cached_information" in the (extended) client hello. Clients MAY need the ability to cache different values depending on other information in the Client Hello that modify what values the server uses, in particular the Server Name Indication [RFC4366] value. Servers that receive an extended client hello containing a "cached_information" extension, MAY indicate that they support caching of information objects by including an extension of type "cached_information" in their (extended) server hello. The server's extension may predict values from the client, specifically the client's Certificate message, if any. Following a successful exchange of "cached_information" extensions, implementations may choose to substitute handshake messages as follows: A Certificate message MAY be replaced with a CertificateHash(TBD) message: struct { HashAlgorithm hash; opaque hash_value<1..255>; } CertificateHash; A CertificateRequest message MAY be replaced with a CertificateRequestHash(TBD) message: struct { ClientCertificateType certificate_types<1..2^8-1>; SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>; HashAlgorithm hash; opaque hash_value<1..255>; } CertificateRequestHash; In each case, the hash and hash_value fields MUST come from the peer's list, as provided in its "cached_information" extension. The handshake protocol will proceed using the cached data as if no handshake message substitution had occured. The Finished message will however be calculated over the actual data exchanged in the handshake protocol. 5. Examples Consider the following handshake message that the server would typically transmit: 0b # Handshake message type 11 (Certificate) 00 00 10 # Handshake message length 16 00 00 0d # certificate_list length 00 00 04 # ASN1.Cert length 01 02 03 04 # certificate 1 bytes 00 00 03 # ASN1.Cert length 05 06 07 # certificate 2 bytes In order to predict this message, a client could send the following cached_info extension value: 00 00 19 # cached_info length 01 # type (server_certificate_chain) 00 16 # hashes length 02 # hash type (SHA1) 14 # hash length (20 bytes) 8c 4b 89 c9 1c 6d 70 ef 07 53 bf c7 97 c1 ff e6 93 f0 6b 0c Where the SHA1 value is the hash of the following bytes: 00 00 04 01 02 03 04 00 00 03 05 06 07 If the client correctly predicted the certificate data, and the server chose to substitute its Certificate message, then it would emit the following CertificateHash: xx # Handshake message type TDB (CertificateHash) 00 00 16 # Handshake message length 22 02 # hash type (SHA1) 14 # hash length (20 bytes) 8c 4b 89 c9 1c 6d 70 ef 07 53 bf c7 97 c1 ff e6 93 f0 6b 0c 6. Security Considerations Hash algorithms used in this specification are required to have reasonable random properties in order to provide reasonably unique identifiers. No serious security threat requires selected hash algorithms to have strong collision resistance. 7. Acknowledgements This is substantially the work of S. Santesson (3xA Security). However, since he has not reviewed this deriviative version he is not listed as an author in case that mistakenly suggests his endorsement. 8. IANA Considerations 1. Create an entry, cached_information(TBD), in the existing registry for ExtensionType (defined in RFC 5246 [RFC5246]). 2. Create entries for CertificateHash(TBD) and CertificateRequestHash(TBD), in th existing registry for HandshakeType (defined in RFC 5246 [RFC5246]. 3. Establish a registry for TLS CachedInformationType values. The first entries in the registry are server_certificate_chain(1), client_certificate_chain(2) and trusted_cas(3). TLS CachedInformationType values in the inclusive range 0-63 (decimal) are assigned via RFC 5226 [RFC5226] Standards Action. Values from the inclusive range 64-223 (decimal) are assigned via RFC 5226 Specification Required. Values from the inclusive range 224-255 (decimal) are reserved for RFC 5226 Private Use. 9. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 4366, April 2006. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Michael D'Errico
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Nikos Mavrogiannopoulos
- Re: [TLS] Android's cut-through mode & "RequestTi… Brian Smith
- [TLS] Stream multiplexing extension RE: SPDY / Ne… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- [TLS] TLS Performance (was Re: draft-ietf-tls-cac… Michael D'Errico
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] Cached-info substitution Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] Cached-info substitution Brian Smith
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- [TLS] RFC 5077 (was Re: draft-ietf-tls-cached-inf… Michael D'Errico
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] Cached-info substitution Wan-Teh Chang
- Re: [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-cach… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Yoav Nir
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Joseph Salowey (jsalowey)
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Donald Eastlake
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Joseph Salowey (jsalowey)
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Michael D'Errico