Re: [TLS] PR#28: Converting cTLS to QUIC-style varints

Nick Harper <nharper@google.com> Tue, 06 October 2020 23:18 UTC

From: Nick Harper <nharper@google.com>
Date: Tue, 06 Oct 2020 16:18:39 -0700
To: Michael D'Errico <mike-list@pobox.com>
Cc: TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qFg3EBzyBBW7MIPPXb2WPNmDAq8>
Subject: Re: [TLS] PR#28: Converting cTLS to QUIC-style varints

On Tue, Oct 6, 2020 at 11:37 AM Michael D'Errico <mike-list@pobox.com>
wrote:

> I think we are in agreement.
>
> On 10/6/20 13:12, Christian Huitema wrote:
> > * Receiver side: receive the message, parse with generic ASN.1 decoder,
> > process the message using the "parsed" representation, re-encode with
> > DER, check the signature.
>
> I recall that at least one root certificate had a
> SEQUENCE encoded using BER-but-not-DER (?)  Yeah if
> your software re-encoded that, it would no longer
> be the same sequence of bytes.
>
> > Experience showed that this workflow is very problematic, because the
> > parse/reencode process may introduce subtle changes and the signature
> > will fail.  One may argue that these changes are due to implementation
> > bugs, but the fact is that this is a rich environment for growing bugs.
> > Based on experience, the receiver side is better done as:
> >
> > * Receiver side: receive the message, save it, parse and process, and
> > when it is time to verify the signature go back to the original message
> > and check the signature.
>
> This is how I did X.509 verification, though I was
> late to the game and the advice was already there
> to accept a BER-encoded certificate.  Not sure if
> I would have done the DER re-encoding bit if that
> was the current advice at the time since it seems
> like the wrong thing to do, but maybe I would have.
>
> > If we do that, then there is no reason to mandate minimal length
> > encoding. And TLS already does that. For example, we do not reorder
> > extensions according to some canonical rules before placing them in the
> > transcript.
>
> I was disappointed to see that the TLS 1.3 spec now
> has a requirement to put one of the ClientHello
> extensions in a specific place (last in the list).
>
> We discussed this at length during the development
> of either TLS 1.2 or one of the extensions (maybe
> renegotiation-info?) and we ultimately came to what
> I believe was the correct decision never to require
> any ordering of the extensions.  Sad to see the
> group capitulated to whoever said it would make
> their software easier to write (which I doubt).
>

Hopefully https://tools.ietf.org/html/rfc8446#section-4.2.11.2 makes it
clear why the pre_shared_key extension must be at the end of the list.

>
> Mike
>
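
The two receiver workflows discussed in the quoted thread, applied to a QUIC-style varint length prefix (RFC 9000, section 16), as an added example that is not part of the original message. The toy message layout, the key, and the use of HMAC-SHA256 in place of a signature are assumptions made for illustration.

```python
import hashlib
import hmac

def decode_varint(buf, off=0):
    """Decode one QUIC-style varint; return (value, bytes_consumed)."""
    if off >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[off] >> 6)        # top two bits select 1, 2, 4 or 8 bytes
    if off + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[off] & 0x3F
    for b in buf[off + 1: off + length]:
        value = (value << 8) | b
    return value, length

def encode_varint(value):
    """Encode with the minimal length, as a canonicalising re-encoder would."""
    for prefix, length in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * length - 2):
            raw = value.to_bytes(length, "big")
            return bytes([raw[0] | (prefix << 6)]) + raw[1:]
    raise ValueError("value too large for varint")

def parse_message(wire):
    """Toy message (assumption): varint length, then that many payload bytes."""
    n, used = decode_varint(wire)
    payload = wire[used:used + n]
    if len(payload) != n:
        raise ValueError("truncated payload")
    return payload

def tag(key, data):
    # HMAC stands in for the signature over the message bytes.
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_saved(key, wire, mac):
    """Parse for processing, but authenticate the bytes exactly as received."""
    parse_message(wire)
    return hmac.compare_digest(tag(key, wire), mac)

def verify_reencoded(key, wire, mac):
    """Parse, re-encode canonically, then authenticate the re-encoding."""
    payload = parse_message(wire)
    return hmac.compare_digest(tag(key, encode_varint(len(payload)) + payload), mac)

KEY = b"constructed-demo-key"
# Constructed input: the sender wrote length 5 as a valid but non-minimal 2-byte varint.
WIRE = bytes([0x40, 0x05]) + b"hello"
MAC = tag(KEY, WIRE)
```

`verify_saved(KEY, WIRE, MAC)` accepts the message, while `verify_reencoded(KEY, WIRE, MAC)` rejects it because the re-encoder emits `0x05` where the sender wrote `0x40 0x05`.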