Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Issue
Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 11 July 2012 17:36 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E814511E8120 for <tls@ietfa.amsl.com>; Wed, 11 Jul 2012 10:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0dFnZfnMadI3 for <tls@ietfa.amsl.com>; Wed, 11 Jul 2012 10:36:17 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 27D7311E8107 for <tls@ietf.org>; Wed, 11 Jul 2012 10:36:04 -0700 (PDT)
Received: by eekd4 with SMTP id d4so523488eek.31 for <tls@ietf.org>; Wed, 11 Jul 2012 10:36:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; bh=/u+d99cfX1lEGIQiWKxNAHqTMnkcRXqW64NCMGpq9x8=; b=B25Zc7/Uq8cOuyTsmjXKffGik4RRKJtup1MbRmNvkJiNJCLpi6z8HOIiChAX9CoVGd +hxCD28/tBCkqlrEdFAqP0wS6zGRG41IOjkmG12fegEXY5sgNShdfqjKPpppLryPvGlu sg2DvVlPXWdgAfGlITH7VI1Mu8Z4BMFAwXdKv+IyMq5i+iaFrH633DQGLeJYsllA4AS1 t+dYDjQmtvXA4jWXTdZL7aHageas6mtS9D1Jsc0jP/mPuh/HUsqgUUgO/xNzWrM/A3M4 87Bg5ouR3vW4lgj7jQe6Ol4MAGOPEiYso55y9Urv55la3PcDW2+gGxV/A9MjD1uNxq2m h8lQ==
Received: by 10.14.98.204 with SMTP id v52mr11710913eef.199.1342028194554; Wed, 11 Jul 2012 10:36:34 -0700 (PDT)
Received: from [10.100.2.17] (d51A49E78.access.telenet.be. [81.164.158.120]) by mx.google.com with ESMTPS id s4sm7946116eef.2.2012.07.11.10.36.33 (version=SSLv3 cipher=OTHER); Wed, 11 Jul 2012 10:36:33 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4FFDB9B2.2000404@gnutls.org>
Date: Wed, 11 Jul 2012 19:36:50 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120510 Icedove/10.0.4
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <1CA8C4CB-1FD8-4498-9988-41B6334F58FD@gmx.net> <4FFD98D4.1090000@gnutls.org> <4FB857C7-D595-4B07-AE55-E9E77095369E@gmx.net>
In-Reply-To: <4FB857C7-D595-4B07-AE55-E9E77095369E@gmx.net>
X-Enigmail-Version: 1.4.1
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 17:36:18 -0000
On 07/11/2012 06:08 PM, Hannes Tschofenig wrote: >>> I would be great to get your feedback on an open issue that concerns the semantic of the exchange. I believe there are three use cases we would like to support with this work. Below, I provide high level message exchanges to explain those: >>> I) Server uses Raw Public Keys (client authentication happens at some other layer) >> If you don't need a client certificate or public key, you don't send a >> certificate request. > You mean: If the server does not want any client authentication then it does not send a certificate request. > If that's what you mean then I agree with you. > But in this scenario the server provides the raw public key. This is what I mean. I don't understand understand how providing the raw public key changes this fact. Did you explicitly specified in the draft-ietf-tls-oob-pubkey that no certificate request is expected? If not I would expect the TLS semantics to remain. >>> II) Client and Server use Raw Public Keys >>> (the smart object use case - CORE working group) >> Your draft already covers that case. > That's what I thought but Paul had a different understanding. > It is not quite clear what the semantic of the cert_type="RawPublicKey" in the client hello message is. Then the semantics should cleared up. What is the different understanding? As I understand this draft, if the extension is present, then _both_ server and client certificates are encoded in "raw" format. >> 2. >> You create a new extension that modifies the format of the certificate >> request to include an explicit certificate format. > Of course the existing certificate format cannot (and should not) be changed. > One could put an additional marker into the cert payload that makes it easy for the client and the server to differentiate the content of the payload. And would also be easier to mount attacks in the protocol. If you change the format of the certificates it should be clear in the handshake what certificate format is expected. regards, Nikos
- [TLS] draft-ietf-tls-oob-pubkey: The Open Issue Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Eric Rescorla
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Eric Rescorla
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Robert Cragie
- Re: [TLS] draft-ietf-tls-oob-pubkey: The Open Iss… Nikos Mavrogiannopoulos