Re: [TLS] Call for adoption of draft-sullivan-tls-exported-authenticator
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 18 April 2017 16:33 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75F5B129444 for <tls@ietfa.amsl.com>; Tue, 18 Apr 2017 09:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t56HH-w_hcV2 for <tls@ietfa.amsl.com>; Tue, 18 Apr 2017 09:33:31 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 2E85E128E19 for <tls@ietf.org>; Tue, 18 Apr 2017 09:33:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 39B9B23375; Tue, 18 Apr 2017 19:33:29 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id c838Rqi4uweR; Tue, 18 Apr 2017 19:33:28 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id D184F2313; Tue, 18 Apr 2017 19:33:28 +0300 (EEST)
Date: Tue, 18 Apr 2017 19:33:27 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Victor Vasiliev <vasilvv@google.com>
Cc: Joseph Salowey <joe@salowey.net>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170418163327.GA12513@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAOgPGoCvpjoexe0u2bT+P5eO75L2UbAtmCOx_1x+WxWvv8ktPA@mail.gmail.com> <CAAZdMacfsaMK+=ZNgm--_ejyW_fEgquDDiCFxsq+uiL9KiBLHg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAAZdMacfsaMK+=ZNgm--_ejyW_fEgquDDiCFxsq+uiL9KiBLHg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/raFDEKg-R5j-BbHcxgbo6repRYc>
Subject: Re: [TLS] Call for adoption of draft-sullivan-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 16:33:33 -0000
On Tue, Apr 18, 2017 at 11:29:31AM -0400, Victor Vasiliev wrote: > I've read the draft, and I support its adoption. I believe that the > mechanism > is sound for its stated use. > > The second issue I have is with the question of when does authentication > succeed. In TLS, by the time any party can send application data, normally > (with exception of server-to-client data in client auth case) both parties > know that the other side has authenticated them. I don't think that is actually true for client authentication (even in- handshake). > Here, a new identity is introduced while application data can be already > in flight, and it's not clear to me when the sender of the exported > authenticator can act assuming the peer has accepted its new identity. > My current understanding is that this issue is deferred to the application > layer, but it would be nice to discuss those considerations explicitly. IMO, the application layer is the only layer that actually knows the relevant state. > The last question I have is how does this interact with the state of TLS > connection. Does accepting a new identity mean that the entire connection > now has that identity too? Does this mean that the session tickets issued > after the library receives the authenticator are valid for the new > identity? Does it make the tickets sent previously on that connection valid > for the new identity? I believe this is up to the application. (And even in case of TLS authentication, I think some of these are "implementation-dependent". > Also, what is the distinction between "jointly authoritative for A and B" > and "individually authoritative for A and individually authoritative for > B"? Pretty much the whole paragraph mentioning that reads like some mumbo- jumbo to me (not a good sign). -Ilari
- [TLS] Call for adoption of draft-sullivan-tls-exp… Joseph Salowey
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Patrick McManus
- Re: [TLS] Call for adoption of draft-sullivan-tls… Benjamin Kaduk
- Re: [TLS] Call for adoption of draft-sullivan-tls… Andrei Popov
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nico Williams
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Victor Vasiliev
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nick Sullivan
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nick Sullivan
- Re: [TLS] Call for adoption of draft-sullivan-tls… Nick Sullivan
- Re: [TLS] Call for adoption of draft-sullivan-tls… Ilari Liusvaara
- Re: [TLS] Call for adoption of draft-sullivan-tls… Joseph Salowey