Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (abridged)
Hubert Kario <hkario@redhat.com> Fri, 24 July 2015 15:22 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34E2F1B30D9 for <tls@ietfa.amsl.com>; Fri, 24 Jul 2015 08:22:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPDilaMOA9ie for <tls@ietfa.amsl.com>; Fri, 24 Jul 2015 08:22:16 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76E9E1B30D5 for <tls@ietf.org>; Fri, 24 Jul 2015 08:22:16 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 15EC032B0C8; Fri, 24 Jul 2015 15:22:16 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-111.brq.redhat.com [10.34.0.111]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t6OFMDWb027447 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Fri, 24 Jul 2015 11:22:14 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Fri, 24 Jul 2015 17:22:08 +0200
Message-ID: <3965440.JCWWbo1jAa@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.0.8-200.fc21.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <20150716150937.GA30989@LK-Perkele-VII>
References: <20150715141523.GA13669@LK-Perkele-VII> <CABcZeBO0PCB43Mtkd9FL6nt4o4sRaWk3roZTz66rbdRzF7wSAA@mail.gmail.com> <20150716150937.GA30989@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2769599.1PVPNEMR14"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uUqaiOQNiPap50Uzi883Utb_umQ>
Subject: Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (abridged)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 15:22:18 -0000
On Thursday 16 July 2015 18:09:38 Ilari Liusvaara wrote: > > > > 6.3.1.2. (Server Hello) > > > > > > Well, at least it wouldn't be backward compatiblity hazard to remove > > > session_id_len, since it comes after server version. > > > > I'm sold. > > However, that would change ServerHello parsing. > > Thinking about it, if one decides to be careful with message parsing, one > needs to assign all new/modified TLS 1.3 handshake messages new IDs. > > Currently there is only one offending message type w.r.t. that: 14, which > is server_configuration in 1.3 and server_hello_done in 1.2. > > Some other messages share IDs, but I think those are compatible (even > CertificateVerify, as it is just one digital signature in both). Server Key Exchange for DHE, ADH, SRP, etc. not to mention TLS1.1 vs TLS1.2 it's not uncommon to have different parsers for "same" message type > > > Also, the record protection used for early handshake messages should be > > > indicated. > > > > Can you expand on that? > > How does the client know what record protection algorithms are valid > for 0RTT transmission for that server? And how does the client know that the algorithms came from the server. We should have a "client MUST wait for the full handshake to finish before recording this information" or we will have a very nice cipher downgrade. Just having it signed is likely not a good idea, as they may depend on ciphersuites advertised by client. > > > Also, with regards to complications of DSA, just dump it? :-) > > > > I'm fine with that if the chairs declare consensus on it. > > As datapoint, either the scan that was used as basis of that curve > pruning doesn't support DSA, or there are no servers that even have > DSA certs. > > I think I heard some time back that there are only 4 (or some other very > small number) valid DSA SSL certs in the entiere public Internet. that scan uses Mozilla trust roots and reports only trusted servers (to weed out unmaintained ones out), Microsoft list is a bit bigger -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] Let's review: draft-ietf-tls-tls13-07 (abri… Ilari Liusvaara
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Dave Garrett
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Eric Rescorla
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Ilari Liusvaara
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Hubert Kario