Re: [TLS] Review of draft-ietf-tls-external-psk-guidance-00

Mohit Sethi M <mohit.m.sethi@ericsson.com> Mon, 06 July 2020 10:10 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A48D3A12D6; Mon, 6 Jul 2020 03:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltrB3BGEbm47; Mon, 6 Jul 2020 03:10:23 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80053.outbound.protection.outlook.com [40.107.8.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42AC23A12D7; Mon, 6 Jul 2020 03:10:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XsCgeGMBT7kM9zt5cumFXmjlvSjkfaRY0CLGS56txjRmvUY3jy0N9ZbxUEsGW/R/fNO1p/DJz37XLmUslTIm8ZosTbKasdJxUFuZu/htSHNPnz0B/uT4xei36E0NqZnvI3b3CS3LFosK487bnwrtQKHwaQ8QkfAUUALbRWKWb6FtKtncKQFWhxaQAVPSG+EiEtEDl6ShRYZZYf7JFBId4VgMDNzeizPiJMmw6yvpydUcqAGPFJNRw2cmj2Fzjj+Ikpeuxby23KKZAfY9kWEu9oVExsR4+sim1BVsyvq3qK7l03DZpfAuTUQNDIOMrZBWuWM2OUKFxiOZzQ0O5EZ0Lg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JlH4rPFsf8F3OXieXok1kU7Xo8cLJFHCzoOC3z+cMGY=; b=ct9LQBmIhbBsY5ymTdixAA7TBfwI5wjbLM8PkLXxJ/ibhFWnH1QF5Uf70N2UQPigfvQZS7x30Kip2dQGIOGGgZQEAfYQqhDuZDtvhjHr6ayy1dV/uGXcRn8+g6xIeXGPeg/3d4hhNZbO1bhaKoNn+oLJuk2XYJrVyoHYRveGwNgdPR8gCjPtgkxv15BO1myhq6AVBMMIPY4bZRW/Mra4HMY/KHy9BHG1LaqIIOcFsBIkYKtYlFeX50sDv0jyvXWWcXWAclBaczWL4Tsj8tQv6HW/GBuQfP++2xq4IXakKLReSsqdMC18DauNgcSoytHnU5DK6hlZlWoY6MaU4X9ikw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JlH4rPFsf8F3OXieXok1kU7Xo8cLJFHCzoOC3z+cMGY=; b=af8qsZC/sB8FTh3XqqLyLu642J4gaxynRAPjHmPmRrI45vr3HQs7dAjnE3EoQUZWRVoxHSfJ5pkjvKXr6u+hAoo0F/MIVtsTxydhodiWog1gjyDPzRlaWG3yXl+PntXjgcZMhMXi/R9u38Ee0X9V9JoI+T1/2BQ6XwfGBs65kEg=
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com (2603:10a6:7:2d::25) by HE1PR07MB4156.eurprd07.prod.outlook.com (2603:10a6:7:9b::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.8; Mon, 6 Jul 2020 10:10:19 +0000
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::d6e:6298:19a7:7c99]) by HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::d6e:6298:19a7:7c99%5]) with mapi id 15.20.3174.019; Mon, 6 Jul 2020 10:10:19 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-tls-external-psk-guidance@ietf.org" <draft-ietf-tls-external-psk-guidance@ietf.org>
CC: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: Review of draft-ietf-tls-external-psk-guidance-00
Thread-Index: AQHWU32mq0e1idfoLE2Dgf3tNNTFWQ==
Date: Mon, 6 Jul 2020 10:10:19 +0000
Message-ID: <ab10fa75-f30e-d0e2-2c29-6ec0f51bb4da@ericsson.com>
References: <045601d64fea$e0d7f800$a287e800$@augustcellars.com>
In-Reply-To: <045601d64fea$e0d7f800$a287e800$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
authentication-results: augustcellars.com; dkim=none (message not signed) header.d=none;augustcellars.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:140:10de:c8af:53f7:f0d6:ed49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bcb719eb-a0fe-44dc-95ae-08d82194c985
x-ms-traffictypediagnostic: HE1PR07MB4156:
x-microsoft-antispam-prvs: <HE1PR07MB4156C91C3FC54329F2FE153BD0690@HE1PR07MB4156.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: R09JhqmV194Kqw4mB0Rwm0R6ONV3h/+uKlPm1/EJLrRsvoURdcCwQ8LOaRLCjrfKEO/E3RKhHGcEic8MvzDoP4i45qKrFzDKD8XGVVND6+kHIF2D/2sFcKKikGmNoivxAffer5pj5/Z04im0ea8Oxwb3izGwEcDsAP2x/jxwsNOeHKnVwq83LP2V1/Y5JOLc7+bSF4R11CtXFjGHCHuOK/+S5Dyr6P4SAngImEHPParPyfCJWUspdu7BWDto0O0xRiaTVBCD/ymTZOIcDjRFD+1ZRDIzhs8fHbSTHHY1hl48kB1wWgL+erujjRAaD9CipQ87mWR8gUX5/BveegE71t29vtMTGCH/2Qun5KJvR/Q0oSlXZ+PAz6/DlUsKVHKR
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3386.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(136003)(376002)(39860400002)(366004)(396003)(186003)(6512007)(31686004)(66446008)(31696002)(66556008)(64756008)(76116006)(86362001)(110136005)(53546011)(6506007)(316002)(66476007)(5660300002)(66946007)(83380400001)(2616005)(8936002)(2906002)(8676002)(71200400001)(6486002)(478600001)(4326008)(36756003)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: tSuRnExCv8130IXW2oOQ85bseMRzZNe7/UWjh55WgINRgA3zmYa4KGbSLLdBwwiyeBuuhwN1qvk+nUO0804myJbC6qpioKNxDHVMGuvTFGQQ2umb9crvL/TWsH/96YRLZXAdESbGHSIKQ2l7dgceER6rEYs8jdS5DY3Rs7h2SgKxC6fcghwHKoheRoNXhyQg9s0m9DXtZZ2xu65YlNsjaEfVOSL73IikFSlREwUUc2FT41Wg5bI2UJFgd7AdLoAshqJI8YvLYsm840vmzC70SIXzA+vvc6818dbicVFnsiUqdGaHdqfLtfgLOUGGKtU0YSQqHkvTDcy+tCIOKbYVb5W7nqA5+9B+EHunyjZcxh66VBtck0mDE4IuAHoh3eY9qBJVR21xc1yrepdjb/iVki2MVoGgEcVix3G8+looXy4V4iCLv7XvSX1i+yAFuGd9widfoVqh0mNeyIBb4meerdjgL47KonTu865wpMD5StZZrf9DSluTLmgG4gozYLEGcnPDsLnXlNMr1U+3WHrBLBHi/mLIxHWcXOPiBUi64bAoH+EmWXBiAgBvjqzJfe+I
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <D9BDFA76FF3C434E89E367273925A418@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3386.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bcb719eb-a0fe-44dc-95ae-08d82194c985
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jul 2020 10:10:19.1507 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: VrNlt32f6r6iPmBlDwuR0gEp0NtvQEeEYin5ecV82f3QhdWBh/18VOOWnX0LBYVoRnp1Dt6BQGF26nB7s4Y3/1D2+98BvBm9rF+4w05r4+Q=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4156
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xj-6T2nerdHG3VQaqLF32blBjb0>
Subject: Re: [TLS] Review of draft-ietf-tls-external-psk-guidance-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 10:10:26 -0000

Hi Jim,

Thanks for the review. A clarifying question in-line.

On 7/2/20 12:02 AM, Jim Schaad wrote:
> * In section 4 there is a statement that switching the roles of servers
> which use PSKs will lead to weakening of security properties.  As this is a
> common scenario today in situations where you are doing server-to-server
> communication, it would be useful to discuss just how and how much this
> weakening occurs.  This was a complete surprise to me and I don't know if it
> was supposed to be one.  Are there mitigations that can be made?
>
> * In section 7, The first sentence does not read, also It seems a bit
> difficult to have a MUST in there when most of the items below are SHOULDs.
> That seems to be a dissonance.
>
> * Section 7.1.1 - The idea of having domain name suffixes on PSKs seems to
> me to be a bad idea as this would seem to lower privacy levels.

I think you are referring to the PSK identity and not to the PSK.

As you know, the Network Access Identifiers (NAIs) used in EAP typically 
need the domain name suffix for roaming, federation, etc.

I would like to understand the nature of the resulting privacy loss. Is 
it that a passive attacker can now easily determine the server which 
issued the PSK identity (and the server where it will eventually be used)?

--Mohit

>
> * Section 7.1.2 - There seem to me to be three different places where
> collisions will occur.  The importer function could get a collision, there
> could be collisions with pre-TLS 1.2 external identifiers and there could be
> collision with resumption keys.  There has been a huge discussion about this
> in the EMU group and I don't find the text here to be sensible in term of
> whether this is or is not a problem.
>
> * Section 7.1.2 - One of the things that I kept meaning to get to and just
> haven't done so yet, is dealing with the question of can the TLS Key binders
> in the handshake to distinguish between multiple keys that happen to have
> the same identity.  Perhaps you should look to see if this does work and if
> it is safe.
>
> Jim
>
>