Re: [TLS] Finished stuffing/PSK Binders

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 08 October 2016 14:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/swjhqBuTsuq21PHlxqymTaAzybw>

On Fri, Oct 07, 2016 at 01:41:48PM -0700, Eric Rescorla wrote:
> On Fri, Oct 7, 2016 at 1:39 PM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
> 
> > On 10/07/2016 12:08 PM, Eric Rescorla wrote:
> >
> >
> >
> > On Fri, Oct 7, 2016 at 10:03 AM, Ilari Liusvaara <ilariliusvaara@welho.com
> > > wrote:
> >
> >> On Fri, Oct 07, 2016 at 09:35:40AM -0700, Eric Rescorla wrote:
> >> > On Fri, Oct 7, 2016 at 8:26 AM, Ilari Liusvaara <
> >> ilariliusvaara@welho.com>
> >> > wrote:
> >> >
> >> > > On Fri, Oct 07, 2016 at 08:01:43AM -0700, Eric Rescorla wrote:
> >> > > > 4. I've taken a suggestion from David Benjamin to move the
> >> negotiation
> >> > > > of the PSK key exchange parameters out of the PSK itself and into a
> >> > > > separate message. This cleans things up and also lets us drop the
> >> > > > currently non-useful auth_mode parameter.
> >> > >
> >> > > Eeh... From the text, it seems to currently require the kex modes
> >> > > extension if PSK extension is present. Which seems worse than useless
> >> > > if the meaning is to get rid of the kex mode parameter from PSK
> >> > > extension (since you will have the value anyway, but need to dig it
> >> > > from another extension... Blech).
> >> >
> >> > I guess this is a matter of taste, but what convinced me was that:
> >> >
> >> > 1. It put all the logic on the server side.
> >>
> >
> > I was going to ask whether this also includes the decision on whether to
> > send a Certificate to authenticate the server (even for PSK modes), but it
> > looks like this change is intentionally removing the ability to do PSK
> > keyex and auth with a certificate?
> >
> 
> Yes, while preserving the ability to add it later by adding a PskAuthMode
> extension parallel to this one.

But unlike the KexMode extension, the AuthMode one would not be
mandatory if PSK extension is included (the KexMode extension has no
sane defaults!).

And the semantics of authentication with PSK are much more subtle than
semantics of key exchange with PSK.


-Ilari
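
The dependency discussed in this thread (a PSK extension is only usable together with the kex modes extension, which has no default) can be shown as a server-side check. This is an added example, not code from the thread or from any TLS implementation; the extension code points 41 and 45 and the mode values are assumed from the final RFC 8446 rather than the 2016 draft, and the helper names and sample bytes are constructed for illustration.

```python
import struct

# Assumption: code points from the final RFC 8446, not the draft in this thread.
EXT_PRE_SHARED_KEY = 41
EXT_PSK_KEY_EXCHANGE_MODES = 45
PSK_KE, PSK_DHE_KE = 0, 1

class HandshakeAbort(Exception):
    """Raised where a server would send a fatal alert."""

def parse_extensions(blk: bytes) -> dict:
    """Parse u16 total length followed by (u16 type, u16 length, data) entries."""
    if len(blk) < 2:
        raise HandshakeAbort("truncated extensions block")
    (total,) = struct.unpack_from("!H", blk, 0)
    if total != len(blk) - 2:
        raise HandshakeAbort("extensions length mismatch")
    exts, off = {}, 2
    while off < len(blk):
        if len(blk) - off < 4:
            raise HandshakeAbort("truncated extension header")
        etype, elen = struct.unpack_from("!HH", blk, off)
        off += 4
        if elen > len(blk) - off:
            raise HandshakeAbort("extension overruns block")
        if etype in exts:
            raise HandshakeAbort("duplicate extension")
        exts[etype] = blk[off:off + elen]
        off += elen
    return exts

def offered_psk_modes(exts: dict) -> list:
    """Return the client's PSK key exchange modes, or [] if no PSK was offered."""
    if EXT_PRE_SHARED_KEY not in exts:
        return []
    modes = exts.get(EXT_PSK_KEY_EXCHANGE_MODES)
    if modes is None:
        # No default to fall back on: the server cannot guess the mode.
        raise HandshakeAbort("pre_shared_key without psk_key_exchange_modes")
    if len(modes) < 2 or modes[0] != len(modes) - 1:
        raise HandshakeAbort("malformed psk_key_exchange_modes")
    return [m for m in modes[1:] if m in (PSK_KE, PSK_DHE_KE)]

def ext(etype: int, data: bytes) -> bytes:
    """Build one extension (constructed test input)."""
    return struct.pack("!HH", etype, len(data)) + data

def ext_block(*exts: bytes) -> bytes:
    """Build an extensions block from already-encoded extensions."""
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body
```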