IETF Logo Mail Archive

Re: [TLS] RFC 5878 - why?

Yoav Nir <ynir@checkpoint.com> Wed, 18 September 2013 03:55 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3F8411E828B for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 20:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.283
X-Spam-Level:
X-Spam-Status: No, score=-10.283 tagged_above=-999 required=5 tests=[AWL=0.316, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RzmtZWcFfV+1 for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 20:55:12 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 6591E11E82DA for <tls@ietf.org>; Tue, 17 Sep 2013 20:55:11 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r8I3t5ro014799; Wed, 18 Sep 2013 06:55:05 +0300
X-CheckPoint: {52392418-33-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.30]) by IL-EX10.ad.checkpoint.com ([169.254.2.246]) with mapi id 14.02.0347.000; Wed, 18 Sep 2013 06:55:04 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Trevor Perrin <trevp@trevp.net>
Thread-Topic: [TLS] RFC 5878 - why?
Thread-Index: AQHOs1y8abmHM3OiDk6g9BgUFzOgq5nJTD8AgAAFJACAAAVLgIAAhnKAgABja4CAADTrgIAAN0eA
Date: Wed, 18 Sep 2013 03:55:04 +0000
Message-ID: <0866AA3B-DB43-44C6-95BC-03DCC2C0ADA7@checkpoint.com>
References: <CAGZ8ZG3cNi3FSb879yumEt5etXWCoy1LOcxFAgNzrp9zeriJdA@mail.gmail.com> <0f476a6eb1e64519bb37001b02fddd4c@BLUPR03MB166.namprd03.prod.outlook.com> <CAGZ8ZG3R2-Egermz5Vefu18mD2KAvXOXcG++HJut_rLKapeH4Q@mail.gmail.com> <072c2f95d4fe4031bdc1a114a9b810ce@BLUPR03MB166.namprd03.prod.outlook.com> <CAGZ8ZG38x-BEOncUqL3vO9_c15jQU=s-Bkh3cjLvWtdSb8MCCw@mail.gmail.com> <159a1a51405047e185633d089b110bfa@BLUPR03MB166.namprd03.prod.outlook.com> <CAGZ8ZG2i8jefSMXvqrqseCY3_P3Rqp=WN2a_gRt7K__8Gq20Cg@mail.gmail.com>
In-Reply-To: <CAGZ8ZG2i8jefSMXvqrqseCY3_P3Rqp=WN2a_gRt7K__8Gq20Cg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.153]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0D8993ECC6988440B19992F9713F3EA3@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RFC 5878 - why?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2013 03:55:18 -0000

On Sep 18, 2013, at 3:37 AM, Trevor Perrin <trevp@trevp.net> wrote:

> On Tue, Sep 17, 2013 at 2:27 PM, Marsh Ray <maray@microsoft.com> wrote:
>>> From: Trevor Perrin [mailto:trevp@trevp.net]
>>> Sent: Tuesday, September 17, 2013 8:32 AM
>>> 
>>> 5878 itself is quite ugly, and riddled with errors and design flaws.
>>> Which is why I'm bringing this up.
>> 
>> Now, now, be nice.
> 
> Did you see the errata?
> 
> * It's a weird extension structure, instead of having the standard
> 2-byte type / 2-byte length fields, like TLS Extensions and 4680
> SupplementalDataEntry, each AuthorizationDataEntry has a (too-small)
> 1-byte type field, and no length field.
> 
> * Without the length fields it's not generically parseable (Ben
> suggests fixing that in the errata, but that breaks compatibility with
> the 5878 URLandHash structure).
> 
> * The structure definitions in section 3 are wrong.
> 
> * The submitted errata also argue that the length field for
> authz_data_list should be removed.  While I agree its redundant,
> that's another compatibility-breaking change, so I'm not sure about
> that.
> 
> So I'm asking:  Is there a legitimate reason for the community to
> spend time fixing this RFC, implementing it in TLS libraries (it's not
> currently present in any libraries, I believe), and adapting new
> standards to use it?
> 
> If not, can we mark it as "obsoleted" or similar?
> 
> Projects like TACK, CT, and OpenSSL have wasted a lot of time
> evaluating 5878 and doing trial implementations before backing away
> from it.  I worry that people (like DTCP) [1] are going to keep making
> that mistake, as on the surface this seems like the
> "officially-condoned", IETF way to exchange new data through TLS.

RFC 5878 is an experimental RFC. If you've looked at its history, it was approved by the IESG in 2006, and an IPR issue surfaced, so approval was withdrawn, and the draft lay dormant for 3 years. If during those three years anyone had come up with some other draft describing an authorization extension, I think that would have been approved instead. But nobody did. 

I took that to mean that there was very little interest in passing authorization information in the TLS handshake. So after three years, the IESG agreed to publish it anyway, and as the errata show, it received very little review.

In any case, it's an experimental RFC and if the DTCP want to send information (whether authorization-related or not) in an extension, they can use it or not use it as they see fit.

Yoav

v2.23.0 | Report a Bug | By Email