Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates

Mounira Msahli <mounira.msahli@telecom-paristech.fr> Wed, 26 September 2018 15:57 UTC

Return-Path: <msahli@enst.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D03CF130EBA for <tls@ietfa.amsl.com>; Wed, 26 Sep 2018 08:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telecom-paristech.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fBGGYM6qvw6T for <tls@ietfa.amsl.com>; Wed, 26 Sep 2018 08:57:32 -0700 (PDT)
Received: from zproxy120.enst.fr (zproxy120.enst.fr [137.194.2.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD042130E19 for <tls@ietf.org>; Wed, 26 Sep 2018 08:57:31 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by zproxy120.enst.fr (Postfix) with ESMTP id 33D0880EB4; Wed, 26 Sep 2018 17:57:30 +0200 (CEST)
Received: from zproxy120.enst.fr ([IPv6:::1]) by localhost (zproxy120.enst.fr [IPv6:::1]) (amavisd-new, port 10032) with ESMTP id Uaft6cQYyq0F; Wed, 26 Sep 2018 17:57:28 +0200 (CEST)
Received: from localhost (localhost [IPv6:::1]) by zproxy120.enst.fr (Postfix) with ESMTP id 7B6C280F2A; Wed, 26 Sep 2018 17:57:28 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.10.3 zproxy120.enst.fr 7B6C280F2A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telecom-paristech.fr; s=A6AEC2EE-1106-11E5-B10E-D103FDDA8F2E; t=1537977448; bh=T8L4rt64X8N6vWqIkF5bhMiveu+rdFxEhAxLpgCYBrU=; h=Date:From:To:Message-ID:MIME-Version; b=buufo+laenGFPERI+EJrhmuQML1Yi13tNsHrwc4Wx/ocEoT7PyhWbSdvTsbhGqEVM EzRK8yx8dBhDRidr+o0WfjA2GtSH5sSBytYdLahBuxqyXNZaP5LehKWtD3RtV35Ans VvJEcJvckYxOflAmeqoU4lhBR2OR0dOzpFrPGUrg=
X-Virus-Scanned: amavisd-new at zproxy120.enst.fr
Received: from zproxy120.enst.fr ([IPv6:::1]) by localhost (zproxy120.enst.fr [IPv6:::1]) (amavisd-new, port 10026) with ESMTP id N3eCiWn_jkoU; Wed, 26 Sep 2018 17:57:28 +0200 (CEST)
Received: from zmail112.enst.fr (zmail112.enst.fr [137.194.2.205]) by zproxy120.enst.fr (Postfix) with ESMTP id 33A9080EB4; Wed, 26 Sep 2018 17:57:28 +0200 (CEST)
Date: Wed, 26 Sep 2018 17:57:28 +0200 (CEST)
From: Mounira Msahli <mounira.msahli@telecom-paristech.fr>
To: Hubert Kario <hkario@redhat.com>
Cc: tls <tls@ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>
Message-ID: <1379020500.16565707.1537977448089.JavaMail.zimbra@enst.fr>
In-Reply-To: <6170599.o3dyPvx8Gh@pintsize.usersys.redhat.com>
References: <1231917830.3727154.1535119783361.JavaMail.zimbra@enst.fr> <20180827163405.GA19628@LK-Perkele-VII> <235113009.594519.1535390674699.JavaMail.zimbra@enst.fr> <6170599.o3dyPvx8Gh@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_16565705_131781195.1537977448087"
X-Originating-IP: [2a01:cb04:8ec:c300:993b:6ba0:170:30fa]
X-Mailer: Zimbra 8.8.9_GA_3019 (ZimbraWebClient - GC67 (Win)/8.8.9_GA_3019)
Thread-Topic: TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates
Thread-Index: oBNJBy55d6CSMqEh7GJ3IVM07bQiAQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zG9-pWlP3B9utk-5NFCUpzpN2D0>
Subject: Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 15:57:36 -0000

Hi all, 

Please find attached a new version of the draft. We took account of pevious TLS group comments. 
William, editor of 1609.2, proposes to add the section certificate verify (section 4.3 in the draft). 
It concerns the addition of IEEE 1609.2 signature for the the Certificate verify. 

We are soliciting your feedbacks. 

Regards 
Mounira

----- Mail original -----
De: "Hubert Kario" <hkario@redhat.com>
À: "tls" <tls@ietf.org>
Cc: "Mounira Msahli" <mounira.msahli@telecom-paristech.fr>fr>, "Ilari Liusvaara" <ilariliusvaara@welho.com>
Envoyé: Lundi 27 Août 2018 19:39:12
Objet: Re: [TLS] TLS 1.3 Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates

On Monday, 27 August 2018 19:24:34 CEST Mounira Msahli wrote: 
> One could abbrevate the handshake traces to just show the relevant 
> parts (which could also cut some clutter)? I think the relevant 
> messages always occur in the same order (clienthello, serverhello/ 
> encryptedextensions, certificate, certificate). 

the draft doesn't change the order of messages, doesn't add new messages and 
doesn't change the place in which the relevant extensions are placed – so, 
what is the utility of duplicating the message flow from the TLS RFCs? 

e.g. RFC 8449 and RFC 7685 don't, and they did define new extensions 

> The table in section 4.2. Extensions of [RFC 8446] (TLS 1.3) indicates the 
> messages where a given extension may 
> appear: 
> | client_certificate_type [RFC7250] | CH, EE | 
> | 
> | server_certificate_type [RFC7250] | CH, EE | 
> 
> But in RFC 7250 (TLS 1.2), the same extensions could appear in CH and SH. 

correct, this RFC 8446 table applies only to connections that negotiated TLS 
1.3 

-- 
Regards, 
Hubert Kario 
Senior Quality Engineer, QE BaseOS Security team 
Web: www.cz.redhat.com 
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic