Re: [TLS] draft-sullivan-tls-exported-authenticator-01
Watson Ladd <watsonbladd@gmail.com> Mon, 24 April 2017 17:13 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 325CF1318AB for <tls@ietfa.amsl.com>; Mon, 24 Apr 2017 10:13:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8DIYUAiFs4D for <tls@ietfa.amsl.com>; Mon, 24 Apr 2017 10:13:30 -0700 (PDT)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70961205F1 for <tls@ietf.org>; Mon, 24 Apr 2017 10:13:29 -0700 (PDT)
Received: by mail-pf0-x229.google.com with SMTP id v14so11634067pfd.2 for <tls@ietf.org>; Mon, 24 Apr 2017 10:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BBrRlToKvfOoYt5K6Wjo+tJ25LyVNbvIXNoRelWoLRY=; b=IHg8DfdzaSQ+dmSduODdi7/WjlF5XS0JDjoz3LIY7mb3q34zaQ2zoA0K5p6s/yj2Kl +/kJ4YKOuhQXY8VL9UNT/OOchapQ99WN60rcXtUgJtey9Gn3sU/qRYP29yD8Xz+tF3Xa OvUwRjKm5aFUg5k0285IUH4TOQD1780AVu4ZwXSVqceBgM/0Y3or71EhTPXAIxjWtJYY X5zqFltcVin8e/zgeZsVLzgeV2/nPTh9iocfJVeSqpNiie8/f7pd3pEv0z+OGtU5UVlX n0vSbr85O2H8dJu2sc7+6PeMQf6qZtNl04Jfxa7al2zfMPU+K8blsbCGV+vBlO1J316e 9juQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BBrRlToKvfOoYt5K6Wjo+tJ25LyVNbvIXNoRelWoLRY=; b=bERnwtboJqOOFT4eBTL1D9rbkfcZ/apIV47fgxXIX1xPh4CoYj0KAgNbCgT23ULkPw Edc26Wi4cKF+/1oIJhFNsIak1/IQyLxbvpqOETWdVY+T6KEjnDmSkOvUTmL+wGdDmLO3 QrAnFf+692s+VbOA/Ty0L0U9cl50DDJNQ0mdTW8orRdF+rpxXmq0joqrObL0pdDEPi8I mUZyomqn3Fpc8T+SPT9maL5VzoY7GuZmkeTyPLPWViNUHNY18cuwfdnbElBCfGBf4/GP Ln2ki9u1CRv3lFf3lnd3XFkefcS/jqm3NVsSr9YSfnx3/BZx0SnjvjlAqwNCJw0a8Cbz amNQ==
X-Gm-Message-State: AN3rC/5kpufa/x8UVmPt5sbSxl39G4BCWixf9WbCCNXpe03rGcijQeOS m92hsu0alc22kf3hEbzrEuzBoOhnPQ==
X-Received: by 10.84.210.72 with SMTP id z66mr33299279plh.191.1493054009476; Mon, 24 Apr 2017 10:13:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.163.12 with HTTP; Mon, 24 Apr 2017 10:13:27 -0700 (PDT)
In-Reply-To: <b7862e95-85ee-047f-dfae-f1b59792e2c7@gmx.net>
References: <55e7544b-808a-5e0e-f66e-3a6f4a79e218@gmx.net> <20170421105213.GB20822@LK-Perkele-V2.elisa-laajakaista.fi> <b7862e95-85ee-047f-dfae-f1b59792e2c7@gmx.net>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 24 Apr 2017 10:13:27 -0700
Message-ID: <CACsn0cncitF9xitmuDfCyCqy98VZo+hehFN5+PDENJb7VnuKWQ@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ytLhodF2288UiWeWU3sIDhQ9H10>
Subject: Re: [TLS] draft-sullivan-tls-exported-authenticator-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2017 17:13:34 -0000
On Mon, Apr 24, 2017 at 8:42 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > Hi Ilari, > > thanks for your feedback. Remarks inline: > > On 04/21/2017 12:52 PM, Ilari Liusvaara wrote: >> On Fri, Apr 21, 2017 at 10:44:01AM +0200, Hannes Tschofenig wrote: >>> I have read draft-sullivan-tls-exported-authenticator-01 and have a few >>> questions. I haven't followed this work previously but have been >>> wondering whether this functionality would be useful for "me". >>> >>> The described functionality sounds like post-handshake authentication >>> from TLS 1.3 (although it does not use that term throughout the >>> document). I would have thought that this functionality is a replacement >>> to the TLS 1.2 renegotiation but then there is also the TLS 1.3 content >>> in there which raises the question about how this relates to the >>> post-handshake authentication functionality. >> >> There are two things that can't be accomplished with PHA: >> >> - Authenticating the server for more identities. >> - Transmitting application context with the certificate. >> >> TLS 1.2 renegotiation also is incapable of either of those. > > > In what situations would I want those features? The draft is rather > brief on the motivational side. Part of the reason TLS client certificate UX sucks is the absence of hints as to which certificates are offered. It's a lot easier to add that to HTTP then to TLS. It also fixes bugs where authentication state doesn't line up nicely with HTTP request state. The other application is to servers which want to indicate they have certificates for other sites, so as to enable connection reuse for a latency and performance win. > > >> >>> What does the following sentence mean and what is the use case for it? >>> >>> " >>> This proof of authentication can >>> be exported and transmitted out of band from one party to be >>> validated by the other party. >>> " >>> Who are the parties? >> >> Most probably TLS client and server. > > Maybe the draft should say that. > > Ciao > Hannes > >> >> >> -Ilari >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- Re: [TLS] draft-sullivan-tls-exported-authenticat… Ilari Liusvaara
- [TLS] draft-sullivan-tls-exported-authenticator-01 Hannes Tschofenig
- Re: [TLS] draft-sullivan-tls-exported-authenticat… Ilari Liusvaara
- Re: [TLS] draft-sullivan-tls-exported-authenticat… Watson Ladd
- Re: [TLS] draft-sullivan-tls-exported-authenticat… Hannes Tschofenig