IETF Logo Mail Archive

[Unbearable] comments on draft-ietf-tokbind-tls13-0rtt-01

Benjamin Kaduk <kaduk@mit.edu> Wed, 29 March 2017 02:50 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 357AE1273E2 for <unbearable@ietfa.amsl.com>; Tue, 28 Mar 2017 19:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level:
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UXCcS35iEd4K for <unbearable@ietfa.amsl.com>; Tue, 28 Mar 2017 19:50:00 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71053127337 for <unbearable@ietf.org>; Tue, 28 Mar 2017 19:50:00 -0700 (PDT)
X-AuditID: 1209190d-59bff70000006fc8-a7-58db20d562e2
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 0A.1E.28616.5D02BD85; Tue, 28 Mar 2017 22:49:58 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v2T2nuan009286 for <unbearable@ietf.org>; Tue, 28 Mar 2017 22:49:56 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2T2nq1m027975 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <unbearable@ietf.org>; Tue, 28 Mar 2017 22:49:55 -0400
Date: Tue, 28 Mar 2017 21:49:52 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: unbearable@ietf.org
Message-ID: <20170329024952.GS30306@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.6.1 (2016-04-27)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLIsWRmVeSWpSXmKPExsUixCmqrHtN4XaEwcVLshbnHi9kcmD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxuL+tawFv/gq3jSdYW9g7ODpYuTkkBAwkVh6fDV7FyMXh5BA G5PE/nVHmSCc04wShxb9ZYFw3jNJ3JjxnxmkhUVAVWLB5zmMIDabgIpEQ/dlsLiIgLjE/12r 2EFsYQFTiX9rN4PZvEArpn+bzQZhC0qcnPmEBcRmFtCSuPHvJdA2DiBbWmL5Pw6QsKiAskTD jAfMExh5ZyHpmIWkYxZCxwJG5lWMsim5Vbq5iZk5xanJusXJiXl5qUW6Rnq5mSV6qSmlmxjB oSTJu4Px312vQ4wCHIxKPLw78m5FCLEmlhVX5h5ilORgUhLlrTkAFOJLyk+pzEgszogvKs1J LT7EKMHBrCTC6yF2O0KINyWxsiq1KB8mJc3BoiTOK67RGCEkkJ5YkpqdmlqQWgSTleHgUJLg PSkP1ChYlJqeWpGWmVOCkGbi4AQZzgM0nFUBZHhxQWJucWY6RP4Uo6KUOG8OSLMASCKjNA+u FxTrEtn7a14xigO9IsxbAVLFA0wTcN2vgAYzAQ0Wt7kFMrgkESEl1cA42cE+/V+07jUBJZE8 BRUe183nDrCXm60IbH+5/IIEE7Osd4ako8aVnau32Gs1pkbEHZqzeembgCqV1mP6pWf62+db PpnIM6n+SMTcf+djDNjPpexVmHksk8szZm12m1xjU1tgdVGCyIczHSeUdXvffFg52awgUm2x c4lq2xEbw5PrlAKDA5RYijMSDbWYi4oTATyDcFvQAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/tbemUE7gSYZDSPQOpNlPx3T3yOQ>
Subject: [Unbearable] comments on draft-ietf-tokbind-tls13-0rtt-01
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 02:50:02 -0000

We appear to have a rather tight dependency between this document
and the core TLS 1.3 spec in section 2.2.1, where we require the
server to MUST NOT accept early data if the negotiated token binding
key parameter does not match teh parameter from the initial
connection, which is the same behavior as ALPN and SNI.  It seems
like this might require the formal "Updates: <TLS 1.3>" absent a
change to the TLS 1.3 document in the current state of the document,
since we only have a token_binding_replay_indication TLS extension,
which does not match up exactly with this requirement.  However, if
we went to a new TLS extension to indicate willingness to do 0-RTT
and token binding together (in addition to the existing early_data
and token binding extensions), that seems like it would not need the
formal "Updates:" marker.  (Ekr, can you check me on that?)

Given the semantics of early data with external PSKs, I find it
rather dangerous to allow token binding in such setups, and would
prefer that we forbid it rather than just saying that the token
binding parameters must be provisioned along with the PSK.  (Does
anyone have a use case in mind for this?)

I think the last sentence of the second paragraph of section 3
should probably be more explictily scoped to clarify that it is
attempting to support 0-RTT that is problematic; the software for
one.example.com can support 0-RTT but not use it for that domain, in
which case sharing the cert for h2 is fine.

I'm not sure that I believe the text in section 5.4 that claims that
when a peer implements complete replay protection, the other peer
does not need to implement such a mitigation; it seems to ignore the
possibility that the first peer could become compromised.

I made a note that there should probably be more consideration of
external PSKs in the second paragraph of section 5.1 and in section
5.5.

-Ben

v2.23.0 | Report a Bug | By Email