Re: [TLS] RFC 5878 - why?

Russ Housley <housley@vigilsec.com> Tue, 24 September 2013 14:05 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977AA11E8120 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 07:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qlTGJSubROB9 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 07:04:54 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id 14D3A21F915C for <tls@ietf.org>; Tue, 24 Sep 2013 07:04:54 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id 9062AF241AC; Tue, 24 Sep 2013 10:05:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id YhViJA9QV5Hk; Tue, 24 Sep 2013 10:04:02 -0400 (EDT)
Received: from [192.168.2.100] (pool-96-255-145-152.washdc.fios.verizon.net [96.255.145.152]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id CF126F241AE; Tue, 24 Sep 2013 10:05:34 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset=us-ascii
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAGZ8ZG3cNi3FSb879yumEt5etXWCoy1LOcxFAgNzrp9zeriJdA@mail.gmail.com>
Date: Tue, 24 Sep 2013 10:04:49 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <DAF72B34-5780-430F-8FD8-7109111C773B@vigilsec.com>
References: <CAGZ8ZG3cNi3FSb879yumEt5etXWCoy1LOcxFAgNzrp9zeriJdA@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
X-Mailer: Apple Mail (2.1085)
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] RFC 5878 - why?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 14:05:00 -0000

> Hi,
> 
> Does anyone know of a reason to use RFC 5878?  Extension data can
> already be sent in TLS handshakes:
> 
> Client -> Server : ClientHello Extension
> Client <- Server : ServerHello Extension
> Client -> Server : SupplementalData (RFC 4680)
> 
> 
> 5878 just adds another extension structure inside existing ones:
> 
> Client -> Server : ClientHello Extension signalling AuthorizationData
> Client <- Server : ServerHello Extension signalling AuthorizationData,
>                            SupplementalData containing AuthorizationData
> Client -> Server : SupplementalData containing AuthorizationData
> 
> 
> Seems like a bunch of added parsing for nothing?  What is this for?
> 
> 
> Trevor

As far as I know, my co-author is the only one that implemented the specification.  It worked.  However, he has changed jobs, and I do not think he is working on it any more.

Over the years, we have answered several queries from other people that were looking for an authorization mechanism.  I do not know if they used this approach or not.

As to the complexity, you should take a look at the TLS mail list discussion about TLS User Mapping Extension, which became RFC 4681.  Both user mapping and authorization were forced into the SupplementalData structure.  Both had more straightforward approaches in the beginning.

Russ