[TLS] AD review of draft-ietf-tls-exported-authenticator-13

Roman Danyliw <rdd@cert.org> Fri, 02 October 2020 16:50 UTC

Return-Path: <rdd@cert.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D52373A118C for <tls@ietfa.amsl.com>; Fri, 2 Oct 2020 09:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqYVphKfQHpc for <tls@ietfa.amsl.com>; Fri, 2 Oct 2020 09:50:10 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B1A43A11EC for <tls@ietf.org>; Fri, 2 Oct 2020 09:50:09 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 092Go8IP031765 for <tls@ietf.org>; Fri, 2 Oct 2020 12:50:08 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 092Go8IP031765
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1601657408; bh=DFM9BUBV5jf0fb3tZxhMBC0BOxjRgdBHxyEjYePCzX8=; h=From:To:Subject:Date:From; b=UU5075DgOd1x2rOLh4DvdMeNCtIJcBrfeQnbl1RDh+zt+DgTCURGN5HbWt0tCJck+ K4rXDnuXLoGaf/KH81pu1/cwTfzc96+rGxi1/rsA6rt90TDNYWAlHXxnijq/0qxwM5 an9aErdayK8dpbBIdGft5MUWQFtvtjX8RfI2csGk=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 092Go47C027399 for <tls@ietf.org>; Fri, 2 Oct 2020 12:50:04 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Fri, 2 Oct 2020 12:50:04 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Fri, 2 Oct 2020 12:50:04 -0400
From: Roman Danyliw <rdd@cert.org>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: AD review of draft-ietf-tls-exported-authenticator-13
Thread-Index: AdaY21G9H9pWbGwkTCiEpqCBTCyDiQ==
Date: Fri, 2 Oct 2020 16:50:02 +0000
Message-ID: <9747477ee4724e939d17d7a44a9368ae@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.177]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zX0aay5kCNDJkpMEImtFupOYPLQ>
Subject: [TLS] AD review of draft-ietf-tls-exported-authenticator-13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2020 16:50:13 -0000

Hi!

I've assumed the role of responsible AD on this document.  As such, I performed an AD review of draft-ietf-tls-exported-authenticator-13.  This document has seen a few WG LCs and reviews.  Thanks for working out the details for this feedback.    I have a few questions and suggestions for process and editorial clarity described below.  Given that, I'm going to advance this document to IETF LC and the feedback below can be discussed/addressed concurrently.

** Section 1.  Editorial. Provide a reference to TLS 1.3 when it is first mentioned.

OLD
Post-handshake authentication is defined in TLS 1.3

NEW
Post-handshake authentication is defined in Section 4.6.2 of TLS 1.3 [TLS13]

** Section 1.  Editorial. Provide references to for (D)TLS 1.2

OLD
TLS (or DTLS) version 1.2 or later are REQUIRED

NEW
TLS (or DTLS) version 1.2 [RFC5246][RFC6347] or later are REQUIRED.

** Section 5.  
   The
   application layer protocol used to send the authenticator SHOULD use
   TLS or a protocol with comparable security properties as its
   underlying transport

I saw the additional text added here after the LC on -09 (and the discussion that this can't be MUST-use-TLS because of use cases like QUIC).  However, what is the envisioned flexibility by using SHOULD (instead of MUST) given the addition of the "or a protocol with comparable security properties"?  When would I want to use a protocol with reduced security properties?

** Section 5.1.  Editorial.

These values are derived
   using an exporter as described in [RFC5705] (for TLS 1.2) or Sec. 7.5
   of [TLS13] (for TLS 1.3).

-- Please provide the relevant section in RFC5705 (just like was done for [TLS13])

-- s/Sec. 7.5/Section 7.5/

** Section 5.2.2.  Editorial. Per "The definition for TLS 1.3 is:" begs the question of what that format might be for TLS 1.2.  Can you please make it clearer that the format is the same.

** Section 5.2.2.  

Otherwise, the signature algorithm used
   should be chosen from the "signature_algorithms" sent by the peer in
   the ClientHello of the TLS handshake.  

-- Editorial.  For clarity, s/ Otherwise, the signature algorithm used .../Otherwise, with spontaneous server authentication, the signature algorithm used .../

-- Would it make sense to make this "should" and normative "SHOULD"?

** Section 5.2.4.
   When validating an
   authenticator, a constant-time comparison SHOULD be used.

What's the concern here?  IMO, this guidance seems better in Section 7.4

** Section 7.*.  As Section 7 states that 7.* is informative:
-- Section 7.3. Downgrade the single normative "RECOMMENDED" to be "recommended".

-- Section 7.4. Downgrade the single normative "SHOULD" to be "should"

** Section 8.1.  Why shouldn't this document also be added to the "Reference" column to explain the addition of "CR" to the "TLS 1.3" column?

** Section 8.2.  With these additions to "Exporter Labels" registry, please describe the values of the other fields:
-- How should the "DTLS-OK" and "Recommended" columns be set?

-- The obvious text that this document should be the "Reference"

Regards,
Roman