Re: [TLS] Deprecating tls-unique for TLS 1.3
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 04 November 2015 07:06 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 595911AD277 for <tls@ietfa.amsl.com>; Tue, 3 Nov 2015 23:06:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1VmTVayqagX for <tls@ietfa.amsl.com>; Tue, 3 Nov 2015 23:06:21 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [217.34.220.150]) by ietfa.amsl.com (Postfix) with ESMTP id 0E0591AD259 for <tls@ietf.org>; Tue, 3 Nov 2015 23:06:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1446620770; d=isode.com; s=selector; i=@isode.com; bh=b2O4PC8HS1lB0cQr6UesvGBvH3CztfsBH8jRImrIV34=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=ciUIiR+ZXoWtbGt5s8YIerkkUtMop53PE6w0InlOH0WInvKAmY0xE5oqdRTr5y76ubVq/H fC3ec1pXs2U8U/TMThaRe7thTszrLcp6nS9v7W+DltBejDylSqp3NaCbY7psaOaV2vypAH k9TogWqW6K5sE1elybG38RlGnU88ey0=;
Received: from [133.93.32.122] (dhcp-32-122.meeting.ietf94.jp [133.93.32.122]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <VjmuVwArT4E2@waldorf.isode.com>; Wed, 4 Nov 2015 07:06:06 +0000
To: Martin Thomson <martin.thomson@gmail.com>
References: <F7D995DF-98C9-4093-AA6A-8EA251E7274C@isode.com> <CABcZeBMbQyePbr8TQe8SuT5dLDcOoS8Ni6BjnBpKFtwqboMk1g@mail.gmail.com> <5639A8D8.1060400@isode.com> <CABkgnnXatS440EJJCijzjjt2WArWGUhpXXzWxZnyOFkT62xuNw@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5639AE45.2030909@isode.com>
Date: Wed, 04 Nov 2015 16:05:41 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
In-Reply-To: <CABkgnnXatS440EJJCijzjjt2WArWGUhpXXzWxZnyOFkT62xuNw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-transfer-encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vMUgwMGehaOq26l3TSCrJkHYFk8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating tls-unique for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 07:06:23 -0000
On 04/11/2015 15:48, Martin Thomson wrote: > What is wrong with getTlsUnique2() or getBetterTlsUnique() ? That would be fine, but see below. > It's not a drop-in replacement, If it is not a drop in replacement, it should have a different name. Channel bindings are referenced by names in various protocols (and some implementations can support more than one channel binding type), in particular in SASL SCRAM and SASL GS2. > but it indicates that the app understands the > change. Otherwise, we might have to signal this in TLS 1.2 proper. > 1.3 can just be fixed. My point are: 1) "tls-unique" is defined in TLS version-independent way, so it is currently defined for TLS 1.3 (as long as TLS 1.3 still uses Finished messages). 2) It would be much better to implement a single recommended TLS channel binding that works for both TLS 1.2 and TLS 1.3 3) We can't redefine how tls-unique works for TLS 1.2 without breaking existing implementations (I can explain this in more details, if needed). All of these made me think that defining a new channel binding that works for both TLS 1.2 and TLS 1.3 would be a better option. > On 4 November 2015 at 15:42, Alexey Melnikov <alexey.melnikov@isode.com> wrote: >> On 04/11/2015 11:13, Eric Rescorla wrote: >>> Can you expand on this a bit? Perhaps propose some text. >> >> So, tls-unique is defined in RFC 5929 as: >> >> Description: The first TLS Finished message sent (note: the Finished >> struct, not the TLS record layer message containing it) in the most >> recent TLS handshake of the TLS connection being bound to (note: TLS >> connection, not session, so that the channel binding is specific to >> each connection regardless of whether session resumption is used). >> If TLS renegotiation takes place before the channel binding >> operation, then the first TLS Finished message sent of the latest/ >> inner-most TLS connection is used. Note that for full TLS >> handshakes, the first Finished message is sent by the client, while >> for abbreviated TLS handshakes (session resumption), the first >> Finished message is sent by the server. >> >> This is currently independent of the version of TLS used. This is also >> broken for TLS 1.2 due to the triple handshake vulnerability. >> >> I don't think we can just redefine this for TLS 1.3 and expect this to >> work, because APIs for getting this information out of TLS libraries are >> going to be different if Exporters are used. >> Also, if "tls-unique" is redefined, an old implementation of >> "tls-unique" would be unable to talk to a new implementation. For >> example if one end is IMAP client using SCRAM or GS2 against IMAP server >> implementing the same. >> >> I think there is desire to fix this for both TLS 1.2 and 1.3. I think >> the best way would be to take Simon's draft-josefsson-sasl-tls-cb-03 >> (Channel Bindings for TLS based on the PRF) and update it for TLS 1.3. I >> think conceptually what Simon did is very similar to what was proposed >> in the TLS meeting today. >> >> >>> -Ekr >>> >>> >>> On Wed, Nov 4, 2015 at 11:12 AM, Alexey Melnikov >>> <alexey.melnikov@isode.com <mailto:alexey.melnikov@isode.com>> wrote: >>> >>> Just to clarify, I think it is fine to define TLS 1.3 replacement >>> for tls-unique using Exporters. But I suggest for interoperability >>> this should be defined as a new channel binding with a new name, as >>> opposed to just redefining tls-unique. >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls
- [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Eric Rescorla
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Yoav Nir
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Martin Thomson
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Martin Thomson
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Karthikeyan Bhargavan
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Andrei Popov