Re: [TLS] Adoption call for TLS Flag - Request mTLS

Mohit Sethi <mohit@iki.fi> Wed, 03 April 2024 05:23 UTC

Message-ID: <1c42a223-8abc-472a-bb8d-a7827f5b0f06@iki.fi>
Date: Wed, 03 Apr 2024 10:53:18 +0530
To: Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
References: <8957179A-14D2-4947-B196-B68988B0E3CA@sn3rd.com>
From: Mohit Sethi <mohit@iki.fi>
In-Reply-To: <8957179A-14D2-4947-B196-B68988B0E3CA@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pRq_RRCXiTdl0xODHJK2o_sZyU0>

Please see my earlier comment regarding this draft: 
https://mailarchive.ietf.org/arch/msg/tls/g3tImSVXO8AEmPH1UlwRB1c1TLs/

In summary: the functionality of this draft is already achievable by 
using the client_certificate_type extension defined in RFC 7250: 
https://datatracker.ietf.org/doc/html/rfc7250 with certificate type 
value = 0: 
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-3.

The table in section 4.2 of RFC8446 even mentions that the extension can 
be included in the ClientHello: 
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2, thereby 
ensuring that the server sends a CertificateRequest message in response 
to the ClientHello received.

OpenSSL already implements this extension since it was needed for 
supporting raw public keys (RPKs).

As stated earlier: if it is indeed the case that the 
client_certificate_type extension is suitable for the use-case, then 
perhaps it is preferable to not have a separate flag. Otherwise, it 
would make the state machine at the server more complicated (for 
example: handling a ClientHello with both the mTLS flag and the 
client_certificate_type extension).

Therefore, like Ekr, I am mildly negative on adopting this document but 
for different reasons.

--Mohit
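An added illustration of the mechanism Mohit describes, written for this page and not taken from the draft, from RFC 7250 or from OpenSSL: a client puts the RFC 7250 client_certificate_type extension (IANA extension type 19) in its ClientHello listing certificate type X509 (value 0), and a server whose policy is "request a client certificate only when the ClientHello asks for one" parses the extensions vector, checks for a type it supports, and decides whether to send CertificateRequest and which single type to echo back in EncryptedExtensions. The server policy, the sample hostname in the server_name extension and the sample ClientHello extension vectors are constructed for the example; the wire formats (uint16 type, uint16 length, data; a uint8-counted list of types in the ClientHello form; a single type byte in the reply form) follow RFC 8446 section 4.2 and RFC 7250 section 3.

```python
"""Added example: asking for mutual TLS with the RFC 7250
client_certificate_type extension rather than a new TLS flag.

Wire formats used here:
  extension        = uint16 type, uint16 length, opaque data
  ClientHello form : uint8 count, then `count` CertificateType bytes
  reply form (EE)  : a single CertificateType byte
"""
import struct

# IANA TLS ExtensionType values.
EXT_SERVER_NAME = 0
EXT_CLIENT_CERTIFICATE_TYPE = 19

# IANA TLS Certificate Types values.
CERT_TYPE_X509 = 0
CERT_TYPE_RAW_PUBLIC_KEY = 2


def encode_extension(ext_type, data):
    """One TLS extension: type, length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def encode_extensions(encoded_exts):
    """A TLS extensions vector: uint16 total length, then the extensions."""
    body = b"".join(encoded_exts)
    return struct.pack("!H", len(body)) + body


def client_certificate_type_request(cert_types):
    """ClientHello form of client_certificate_type: the certificate types the
    client can present if the server sends CertificateRequest."""
    if not 1 <= len(cert_types) <= 255:
        raise ValueError("client_certificate_type list must hold 1..255 entries")
    return encode_extension(EXT_CLIENT_CERTIFICATE_TYPE,
                            bytes([len(cert_types)]) + bytes(cert_types))


def parse_extensions(buf):
    """Parse an extensions vector into {type: data}, rejecting truncation and
    duplicate types (RFC 8446 section 4.2 forbids two extensions of one type)."""
    if len(buf) < 2:
        raise ValueError("truncated extensions vector")
    (total,) = struct.unpack("!H", buf[:2])
    if total != len(buf) - 2:
        raise ValueError("extensions length does not match payload")
    exts, off = {}, 2
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if off + ext_len > len(buf):
            raise ValueError("extension runs past end of vector")
        if ext_type in exts:
            raise ValueError("duplicate extension type %d" % ext_type)
        exts[ext_type] = buf[off:off + ext_len]
        off += ext_len
    return exts


def well_formed(buf):
    """True if parse_extensions accepts buf; used to show rejection cases."""
    try:
        parse_extensions(buf)
        return True
    except ValueError:
        return False


def parse_client_certificate_type(data):
    """Decode the ClientHello form: uint8 count, then that many type bytes."""
    if len(data) < 2 or data[0] == 0 or data[0] != len(data) - 1:
        raise ValueError("malformed client_certificate_type")
    return list(data[1:])


def server_decide(client_hello_exts, supported=(CERT_TYPE_X509,)):
    """Server policy for this example (an assumption, not RFC 7250 text):
    send CertificateRequest only when the ClientHello carries
    client_certificate_type listing a type this server supports.

    Returns (send_certificate_request, echoed_extension_or_None).  The echo
    is the reply form with the single chosen type; the first listed type the
    server supports is taken.  With no overlap the server continues without
    the extension (RFC 7250 also allows aborting with unsupported_certificate)."""
    raw = client_hello_exts.get(EXT_CLIENT_CERTIFICATE_TYPE)
    if raw is None:
        return False, None
    for cert_type in parse_client_certificate_type(raw):
        if cert_type in supported:
            return True, encode_extension(EXT_CLIENT_CERTIFICATE_TYPE, bytes([cert_type]))
    return False, None


# Constructed sample ClientHello extension vectors (not captured traffic).
# server_name data: list length 14, name_type 0, host_name length 11, "example.com".
SNI_DATA = b"\x00\x0e\x00\x00\x0bexample.com"
CH_WITH_REQUEST = encode_extensions([
    encode_extension(EXT_SERVER_NAME, SNI_DATA),
    client_certificate_type_request([CERT_TYPE_X509]),
])
CH_WITHOUT_REQUEST = encode_extensions([encode_extension(EXT_SERVER_NAME, SNI_DATA)])
CH_RPK_ONLY = encode_extensions([client_certificate_type_request([CERT_TYPE_RAW_PUBLIC_KEY])])

if __name__ == "__main__":
    for name, ch in (("with request", CH_WITH_REQUEST),
                     ("without request", CH_WITHOUT_REQUEST),
                     ("raw public key only", CH_RPK_ONLY)):
        print(name, "->", server_decide(parse_extensions(ch)))
```

The decision function is where the state-machine point bites: with a single signal the server has one branch to take, whereas a second, flag-based signal would need a rule for ClientHellos carrying both, and for the case where the two disagree.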

On 4/3/24 00:52, Sean Turner wrote:
> At the IETF 119 TLS session there was some interest in the mTLS Flag I-D (https://datatracker.ietf.org/doc/draft-jhoyla-req-mtls-flag/); also, see previous list discussions at [0]. This message is to judge consensus on whether there is sufficient support to adopt this I-D.  If you support adoption and are willing to review and contribute text, please send a message to the list.  If you do not support adoption of this I-D, please send a message to the list and indicate why.  This call will close on 16 April 2024.
>
> Thanks,
> Deirdre, Joe, and Sean
>
> [0] https://mailarchive.ietf.org/arch/msg/tls/9e2S95H9YgtHp5HhqdlNqmQP0_w/
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls