IETF Logo Mail Archive

Re: [TLS] Proposals for draft-ietf-tls-subcerts-02

"Patton,Christopher J" <cjpatton@ufl.edu> Thu, 26 July 2018 18:01 UTC

Return-Path: <cjpatton@ufl.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B86130E83 for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 11:01:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rhhckROr_QkH for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 11:01:23 -0700 (PDT)
Received: from smtp.ufl.edu (smtp-prod04.osg.ufl.edu [128.227.74.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70E4B130E06 for <tls@ietf.org>; Thu, 26 Jul 2018 11:01:22 -0700 (PDT)
X-UFL-GatorLink-Authenticated: authenticated as (<>) with from 10.36.133.35
Received: from exmbxprd04.ad.ufl.edu ([10.36.133.35]) by smtp.ufl.edu (8.14.4/8.14.4/3.0.0) with ESMTP id w6QI1Ij2021517 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 26 Jul 2018 14:01:19 -0400
Received: from exmbxprd21.ad.ufl.edu (128.227.145.166) by exmbxprd04.ad.ufl.edu (10.36.133.35) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 26 Jul 2018 14:01:18 -0400
Received: from exmbxprd23.ad.ufl.edu (128.227.145.167) by exmbxprd21.ad.ufl.edu (128.227.145.166) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 26 Jul 2018 14:01:18 -0400
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (207.46.163.53) by exmbxprd23.ad.ufl.edu (128.227.145.167) with Microsoft SMTP Server (TLS) id 15.0.1365.1 via Frontend Transport; Thu, 26 Jul 2018 14:01:18 -0400
Received: from MWHPR22MB0461.namprd22.prod.outlook.com (10.173.55.7) by MWHPR22MB0127.namprd22.prod.outlook.com (10.168.249.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.21; Thu, 26 Jul 2018 18:01:15 +0000
Received: from MWHPR22MB0461.namprd22.prod.outlook.com ([fe80::9416:941e:7bdf:c7f]) by MWHPR22MB0461.namprd22.prod.outlook.com ([fe80::9416:941e:7bdf:c7f%7]) with mapi id 15.20.0995.014; Thu, 26 Jul 2018 18:01:15 +0000
From: "Patton,Christopher J" <cjpatton@ufl.edu>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Proposals for draft-ietf-tls-subcerts-02
Thread-Index: AQHUI4J2izOpwygh4UiboxDIYgPCqaSe0ZmAgAAEZ4CAAvdKBw==
Date: Thu, 26 Jul 2018 18:01:15 +0000
Message-ID: <MWHPR22MB0461FC1102E9F077185AD97FC62B0@MWHPR22MB0461.namprd22.prod.outlook.com>
References: <MWHPR22MB046162AC2C43A3A56FB1A8C4C6550@MWHPR22MB0461.namprd22.prod.outlook.com> <20180724202423.GA28235@LK-Perkele-VII>, <C3194247-EF67-4A59-AB83-260918ECF74D@ll.mit.edu>
In-Reply-To: <C3194247-EF67-4A59-AB83-260918ECF74D@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2606:4700:ff01:8210:e59c:725d:ec6e:3ce1]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR22MB0127; 6:n1WfCb1bZezi5kGZkMMtWUmKssKEpo/DlQO532o3V6zROHAIa3Iqan2ZgYcBdhP7uRpHb+N4EIm9CTzrFnBGOoQ3vINgSkFNfIu771rsgllmjcpskWqT42q9n8YA5VRzR3dNV6lv6eu7tcU4iV6P8b5K1zq49tBlZ4qK3nk7WoFRO8VyU4AHZs9pyFDBehiyURKvqOfOXhdYOyYQTa1LEUdTA6BO4z3CkydANALzYgWFtBeLotsMyvZHklF7Ym7qjSuqYiUnAwyR6SCWkYXioEHqqn4Zqbx+hpgTTQ+1WBhn9V2CTzPxQRRo02gXkOdp6Nku7C8PwqhtvlTr84tvvHm11cd8vRZccilvRHyqWHi+s9mAFof76kUJwghOJ0KLT7YFnWAls+GOrwTj8x+Pa8QgzDmBLtnpW2xIJNTI8I3+MJzPScevCOmzARk4pAoyMksqg14mBoKZ6q3+E6i+jg==; 5:HvsNMEtKxUW134soDeJBjXmQSu2TVtFDTNHTsS4Yu+3X57YdJ7lvAcxQ1gpqYzeopS3Np4isd54irRmPEJK37MxYtDdC88jDROuMEbxNsTHaLJXJim0QIvh5wIavwBYcztvAzIk77n1ceSqN3r4WtSP7HMVMlzEWjmaXURIEIaM=; 7:EKU6XtsCPctYkpcUt6OLKs2LxjxMUJHRdxM6hMuhw1zpiVB9XWm50HpwReG5Sqp1aQnQ/kJNPqrdN7Qn4SgUruxqyuT77tMjP468SpwAu4BPqzieEfcAyRfJqSff4bZ3OAhvSLyeeuu0ptXg1zm0JJAd8Y0qQqC0ETsbYw/+yreZLBgL3gbbnPHmRmBuF0ZBDHRHuvN5bbuDwA/JMHHhPThebo5B9qf1ek+tTUKkD57Sg//IKk71VVlF7kR4FQ/S
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a48899dc-9aa8-4133-59ab-08d5f321c7c7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600073)(711020)(2017052603328)(7153060)(7193020); SRVR:MWHPR22MB0127;
x-ms-traffictypediagnostic: MWHPR22MB0127:
x-microsoft-antispam-prvs: <MWHPR22MB0127F2CB4385755390CDC436C62B0@MWHPR22MB0127.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820)(240460790083961);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3231311)(944501410)(52105095)(93006095)(93001095)(10201501046)(3002001)(149027)(150027)(6041310)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123560045)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:MWHPR22MB0127; BCL:0; PCL:0; RULEID:; SRVR:MWHPR22MB0127;
x-forefront-prvs: 07459438AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(39860400002)(376002)(396003)(136003)(366004)(189003)(199004)(53754006)(966005)(5250100002)(4326008)(2900100001)(606006)(75432002)(6306002)(105586002)(25786009)(236005)(110136005)(53936002)(97736004)(81156014)(14971765001)(561944003)(2171002)(99286004)(14454004)(6246003)(478600001)(229853002)(106356001)(186003)(256004)(33656002)(53546011)(5660300001)(11346002)(6606003)(46003)(446003)(786003)(316002)(6436002)(102836004)(7736002)(2906002)(88552002)(486006)(8936002)(7696005)(74316002)(86362001)(54896002)(19627405001)(8676002)(55016002)(9686003)(81166006)(6116002)(68736007)(6506007)(476003)(76176011); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR22MB0127; H:MWHPR22MB0461.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ufl.edu does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Appd8KKAIxmRsImN8apsXwkGbDARktMfV4fFbxfAbwFnS3uSEU7N6j7XLW8akNdw7Kp7+jOQ5B4BvRhfibFEVqNFXuBuX+h+ud6+fgkHU+Pv/4Fn7Vao5jyaEbgJEqChgXQBiTk3b8NqWDa3PckVqjHud+G1rZUR3NNtigYbhaq/Fs5s8ecP4w/NCo2BebDdQiOz22i2pWFH1k9dUo9ZHRaFg6gC/0CIFj+zZvS4BhZV2MiYezfNZ5HBMtCpcAFO3Dh60Ule7X3SheWPqyWDc2RhClok5vFtxL9vGds+RB76T60t7h1AB9/u/b2LK9wVYD+8uQTJvLCTcLcCDQqp38l1R9SNFJ79d7RADqehuFI=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR22MB0461FC1102E9F077185AD97FC62B0MWHPR22MB0461namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a48899dc-9aa8-4133-59ab-08d5f321c7c7
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jul 2018 18:01:15.1221 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0d4da0f8-4a31-4d76-ace6-0a62331e1b84
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR22MB0127
X-OriginatorOrg: ufl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-26_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807260185
X-UFL-Spam-Level: *
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uiFruoDqPjuBBhJrYQKGbEQfaSg>
Subject: Re: [TLS] Proposals for draft-ietf-tls-subcerts-02
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 18:01:27 -0000

Thanks all for the feedback! In light of your observations, we've revised the changes proposed for draft-02: https://github.com/tlswg/tls-subcerts/pull/13.


The changes for draft-02 are as follows:

  *   Drop support for TLS 1.2.
  *   Add the protocol version and credential signature algorithm to the Credential structure.
  *   Specify undefined behavior in a few cases: when the client receives a DC without indicated support; when the client indicates the extension in an invalid protocol version; and when DCs are sent as extensions to certificates other than the end-entity certificate.


Any additional feedback is welcome.


Thanks,

Christopher Patton


________________________________
From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Sent: Tuesday, July 24, 2018 4:40 PM
To: Ilari Liusvaara; Patton,Christopher J
Cc: tls@ietf.org
Subject: Re: [TLS] Proposals for draft-ietf-tls-subcerts-02

I object to re-interpreting/overloading the Critical flag. It has one and only one meaning: "If the parser does not understand the given attribute, it must abort parsing if this attribute is marked as Critical (or ignore this attribute and continue parsing if the Critical flag is not set)".


On 7/24/18, 16:25, "TLS on behalf of Ilari Liusvaara" <tls-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:

    On Tue, Jul 24, 2018 at 07:24:09PM +0000, Patton,Christopher J wrote:
    > Hi all,
    >
    >
    > I've taken the liberty of addressing the changes to the delegated credentials extension that were requested at IETF:
    >
    > https://github.com/tlswg/tls-subcerts/pull/13

    >
    >
    > The changes that would be adopted in draft-02 are as follows:
    >
    >   *   Drop support for TLS 1.2.
    >   *   Allow the critical bit of the X.509 extension to be set.
    >   *   Add the protocol version and credential signature algorithm
    >       to the Credential structure.
    >   *   Make the KeyUsage of the delegation certificate stricter.
    >   *   Specify undefined behavior in a few cases.
    >
    > It was suggested that we add optional "must-use-DC" semantics to the
    > certificate. The solution we came up with was to add a "strict" flag
    > to the extension that is set if (and only if) the extension is marked
    > critical. The idea is that if the "strict" flag is set and the server
    > doesn't offer a DC, then client must abort the handshake, In my opinion,
    > the complexity this adds to the protocol outweighs the potential benefits.
    >
    > Comments on the PR are welcome.

    This has the signifcant critical flag issue. It should at minimum be
    explicitly called out, as I do not know any precendent for this kind of
    behavior (check that some extension is critical yes, but not changing
    meaning of extension depending on critical flag).


    I watched the presentation and the resulting Q&A again. Short summary of
    relevant stuff:

    - The motivation in the slides is to reduce exposure of private keys to
      memory disclosure vulernabilities, without reducing performance.
    - The orignal proposal was to add a TLS Feature extension value. No
      discussion.
    - The drawback of "strict mode" would be causing issues with servers
      that can not effectively switch between certificates.
    - There is question about fallback. Paraphrased answer: LURK.


    TLS Feature extensions have some really unwnated properties here. They
    are never critical on client side, and they have OR-inheritance. You
    definitely do not want OR-inheritance here.

    Well, after this, the best usecase I can come up with strict flag is
    still dealing with LURK endpoints that can not do proof-of-possession
    or format checking[1].


    [1] TLS 1.2 and 1.3 servers should only ask for signatures and only
    over the following kinds of data:

    - <64 bytes> 03 00 17 41 04 <64 bytes>
    - <64 bytes> 03 00 18 61 04 <96 bytes>
    - <64 bytes> 03 00 19 85 04 <132 bytes> (rare, P-521)
    - <64 bytes> 03 00 1A 41 04 <64 bytes> (rare, brainpool)
    - <64 bytes> 03 00 1B 61 04 <96 bytes> (rare, brainpool)
    - <64 bytes> 03 00 1C 81 04 <128 bytes> (rare, brainpool)
    - <64 bytes> 03 00 1D 20 <32 bytes>
    - <64 bytes> 03 00 1E 38 <56 bytes> (rare, X448)
    - <64 spaces> "TLS 1.3, server CertificateVerify" 00 <32 bytes>
    - <64 spaces> "TLS 1.3, server CertificateVerify" 00 <48 bytes>

    None of these covers delegated credential signatures, which would
    cause any attempt to ask for DC signature to fail if the format is
    checked..



    -Ilari


    _______________________________________________
    TLS mailing list
    TLS@ietf.org
    https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email