IETF Logo Mail Archive

Re: [TLS] Call for adoption of draft-sullivan-tls-exported-authenticator

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 14 April 2017 11:44 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ABBF12EB72 for <tls@ietfa.amsl.com>; Fri, 14 Apr 2017 04:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eDi36z2aHmBK for <tls@ietfa.amsl.com>; Fri, 14 Apr 2017 04:44:29 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5FE12EB71 for <tls@ietf.org>; Fri, 14 Apr 2017 04:44:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id C98082343C; Fri, 14 Apr 2017 14:44:26 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id n5TOtw--Vqku; Fri, 14 Apr 2017 14:44:26 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 7EC73C4; Fri, 14 Apr 2017 14:44:26 +0300 (EEST)
Date: Fri, 14 Apr 2017 14:44:25 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Joseph Salowey <joe@salowey.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170414114425.GA3649@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAOgPGoCvpjoexe0u2bT+P5eO75L2UbAtmCOx_1x+WxWvv8ktPA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAOgPGoCvpjoexe0u2bT+P5eO75L2UbAtmCOx_1x+WxWvv8ktPA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tqRhz-Wlq897lFkEpSTSBTTQz28>
Subject: Re: [TLS] Call for adoption of draft-sullivan-tls-exported-authenticator
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2017 11:44:31 -0000

On Thu, Apr 13, 2017 at 09:29:27PM -0700, Joseph Salowey wrote:
> Hey Folks,
> 
> At the IETF 98 meeting in Chicago there was support in the room to adopt
> draft-sullivan-tls-exported-authenticator [0]. We are looking for feedback
> on adopting this draft form the list. Please respond if you support the
> draft and are willing to review it. If you object to its adoption, please
> let us know why. Please respond to the list by 20170501
> 

Looking at the draft and reviewing it:

- Section 1:

The section should also say a bit why not to use post-handshake
authentication. Which is not available at all for server, won't
work properly with multiplexed connections, etc...

- Section 2:

Probable typo: "encryped" (in last line of first paragraph on page 3).

- Section 2:

I think there should be "(for TLS 1.3)" after reference to the TLS 1.3
draft in definition of handshake context. Otherwise it will read oddly
after draft reference gets replaced by reference to the RFC.

- Section 2:

I think the finished MAC key length should always follow the PRF hash.
TLS 1.2 with EMS requires well-defined PRF hash anyway, and some cipher-
suites have SHA-1 as HMAC hash.

- Section 2

I think giving random number as example of request context is bad,
and one should instead give some sequence number (with possible gaps)
as example.

These things do not have to be random, and generating sequence
numbers in connection context is much easier than random numbers.

- Section 2:

The spec should be clear if message headers are included or not (the
hashes seem injective either way).

If message headers are included, perhaps wrap the context into
synthethic hash message like with first CH when retrying handshake in
TLS 1.3. One could even reuse the message type (#254).

- Section 4:

Nitpick: The framework is usually called SIGMA, not SIGMAC (reference). 

- Section 4:

The last two security considerations look pretty hard to understand,
and overly long.

As I understand it, those paragraphs mean something like:

----------------------
Authenticators are independent and unidirectional, and as consequence:

 * It is difficult to formally prove an endpoint is jointly
   authoritative over multiple certificates instead of individually
   authoritative over each.

 * There is no feedback on if authenticator was processed, at what
   point of connection it was processed nor if it was accepted. Any
   such feedback needs to be implemented at application layer.if
   required.
----------------------

(As note, the TLS-built-in authentication fails most of the second
part as well, for various reasons.


- Section 4:

Perhaps add consideration that this SHOULD be implemented inside TLS
library (or at least as an library), even if it is possible to implement
outside it.


-Ilari

v2.23.0 | Report a Bug | By Email