IETF Logo Mail Archive

Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt

Hubert Kario <hkario@redhat.com> Tue, 04 September 2018 12:48 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F79F128766 for <tls@ietfa.amsl.com>; Tue, 4 Sep 2018 05:48:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Level:
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdAmIZN00C8Z for <tls@ietfa.amsl.com>; Tue, 4 Sep 2018 05:47:03 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B641200D6 for <tls@ietf.org>; Tue, 4 Sep 2018 05:47:02 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 44BC940216E5; Tue, 4 Sep 2018 12:47:01 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.250]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8462B2166BA1; Tue, 4 Sep 2018 12:47:00 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Date: Tue, 04 Sep 2018 14:46:53 +0200
Message-ID: <1625822.1ukSxQMHAj@pintsize.usersys.redhat.com>
In-Reply-To: <CABcZeBNx=F87nuZFvaA2VdqMiRCTVosWKt+aaBLANyfYU6KRew@mail.gmail.com>
References: <153569768626.3253.16680905114240291331.idtracker@ietfa.amsl.com> <1980977.W4Fi656k57@pintsize.usersys.redhat.com> <CABcZeBNx=F87nuZFvaA2VdqMiRCTVosWKt+aaBLANyfYU6KRew@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1958071.MXNV9YCveb"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Tue, 04 Sep 2018 12:47:01 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Tue, 04 Sep 2018 12:47:01 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ybzW7rY-Mp9WxIFjfFjFbYTycPI>
Subject: Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2018 12:48:03 -0000

On Monday, 3 September 2018 21:26:06 CEST Eric Rescorla wrote:
> On Mon, Sep 3, 2018 at 12:19 PM, Hubert Kario <hkario@redhat.com> wrote:
> > On Monday, 3 September 2018 17:30:15 CEST Eric Rescorla wrote:
> > > On Mon, Sep 3, 2018 at 8:20 AM, Hubert Kario <hkario@redhat.com> wrote:
> > > > On Monday, 3 September 2018 17:15:24 CEST Eric Rescorla wrote:
> > > > > On Mon, Sep 3, 2018 at 7:28 AM, Hubert Kario <hkario@redhat.com>
> > 
> > wrote:
> > > > > > On Monday, 3 September 2018 16:01:22 CEST Eric Rescorla wrote:
> > > > > > > On Mon, Sep 3, 2018 at 4:18 AM, Hubert Kario <hkario@redhat.com>
> > > > > > 
> > > > > > > wrote:
> > > > > > not
> > > > > > abort connection, so I still think it will create less confusion
> > > > > > to
> > > > > > re-allow
> > > > > > them than to re-assign new codepoints
> > > > > 
> > > > > The issue is that it's not possible to distinguish a non-compliant
> > 
> > TLS
> > 
> > > > 1.3
> > > > 
> > > > > implementation which is inappropriately sending these code points
> > 
> > from
> > 
> > > > > one which actually supports Brainpool with TLS 1.3. Using new code
> > > > > points makes this clear.
> > > > 
> > > > and why having that distinction is that important?
> > > 
> > > Because otherwise you are risking interop problems:
> > > 
> > > 1. A stack which supports TLS 1.2 and TLS 1.3 but only supports
> > > Brainpool
> > > for TLS 1.2 (the only kind you can write at this point), and
> > 
> > inappropriately
> > 
> > > advertises the Brainpool curves in violation of the MUST above.
> > > 2. A stack which supports TLS 1.2 and TLS 1.3 and supports Brainpool for
> > > both (assuming that we adopt your proposal and reactivate these code
> > > points).
> > > 
> > > If stack 2 receives a CH from stack 1 and responds by selecting a
> > 
> > Brainpool
> > 
> > > curve, then there will be an interop issue when it sends an HRR [0]
> > > selecting
> > > the Brainpool curve.
> > > 
> > > -Ekr
> > > 
> > > [0] I'm assuming that the client doesn't offer a Brainpool KeyShare.
> > 
> > ah, yes, missed this case. That does taint all those codepoints for TLS
> > 1.3
> > 
> > but while the server may abort the connection upon receiving them in TLS
> > 1.3
> > CH (as it is violation of the MUST clause), I don't think it actually
> > should
> > abort it...
> > 
> > For one, and I think we can agree on that, is the server MUST ignore them
> > if
> > it doesn't support them in TLS 1.2.
> 
> I don't think I agree with this. Why would that be the case?

because when servers don't do it we have "TLS version intolerance", "TLS 
extension intolerance" and so on.

From RFC 5246:

   If the list contains cipher
   suites the server does not recognize, support, or wish to use, the
   server MUST ignore those cipher suites, and process the remaining
   ones as usual.

and:

   the rules specified in [TLSEXT]
   require servers to ignore extensions they do not understand.

Not to mention the most explicit statement on this topic, from RFC 8446:

   Future extensions or additions to the protocol may define new values.
   Implementations need to be able to parse and ignore unknown values
   unless the definition of the field states otherwise.

In general, if the servers weren't required to ignore values they don't 
recognise, we would never be able to extend the value lists (be it 
SupportedGroups, or SignatureSchemes/SignatureAlgorithms).

> > Given that TLS 1.3 server usually implement both TLS 1.2 and TLS 1.3,
> > having
> > code that does ignore them in TLS 1.2 and doesn't ignore them in TLS 1.3
> > is
> > only inviting bugs.
> 
> We already have other special case code that enforces such rules. For
> instance,
> compression:
> 
>       For every TLS 1.3 ClientHello, this vector
>       MUST contain exactly one byte, set to zero, which corresponds to
>       the "null" compression method in prior versions of TLS.  If a
>       TLS 1.3 ClientHello is received with any other value in this
>       field, the server MUST abort the handshake with an
>       "illegal_parameter" alert.  Note that TLS 1.3 servers might
>       receive TLS 1.2 or prior ClientHellos which contain other
>       compression methods and (if negotiating such a prior version) MUST
>       follow the procedures for the appropriate prior version of TLS.

the difference is that we we don't want people to use compression in TLS 1.2, 
while brainpool in TLS 1.2 is just not recommended, not provably dangerous 
even when implemented correctly

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email