Re: [Uta] [art] Artart last call review of draft-ietf-uta-rfc7525bis-09
Rob Sayre <sayrer@gmail.com> Sun, 14 August 2022 22:34 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC9E4C157B36; Sun, 14 Aug 2022 15:34:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggJmjgDWZ9zT; Sun, 14 Aug 2022 15:34:49 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CEE1C14F6EC; Sun, 14 Aug 2022 15:34:49 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id fy5so10854410ejc.3; Sun, 14 Aug 2022 15:34:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=KSOXCXqCaBk31AL+DNmpn47tHKgbYhsixaEEgel9oxg=; b=mtgSRtLJ7MsQNsGQuHABxPXZtsTAACxRDJxTWAV4QOIsCuqpAaifI8Wv4EIozVlkeE OxrFCw2MKgxKAwqhXiUxP0xUG5BS13OnEwxSScQGKmAv+eXPSa2OF2hWc3kjCuMx8ECY Lki4Os4Tk5R87xWTUdWHgdeHXtrdd6A8p+05iMtNqZMByc/iEmDaBwIOexR2DsZk0z3Z 39Ul0xSi4rM/Gw7RmdOek1+G6nnZEWrMtBt8r+5YNitLkmsBZL83NqDOHwIukfpXVmOl JJ78E5gSPUQ8jXuqh0Nw9fOD40iUki1KVqedehFfJzsEs+8qtP8+3PPWFWkkR7MCH09H qT2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=KSOXCXqCaBk31AL+DNmpn47tHKgbYhsixaEEgel9oxg=; b=BMiJIWL4r5N/Q4wAO8LF2cAa9YpiDhf8cyu7sooDDB48nCt6Z0p/ZqmA/CZYl6fKLo rvOcI3XpJ4iOMXIQkLeFAvPmlBFA5IOZYEdhQPtD4AooDZ4pbDOECvdQRfgmT3wrnhgg joMUFuVjZUYui52o8BAuzPvJ8k693bJlKKugtwi2ySqs7xQCczaUuGJyDRzEEY8wRzwR k3+gkDTvrgjT164P7RlBf8RCE5Jwn8MgrR8JUJoLuBayX3gLv6kROktErE8+lXpo/Myh rgvqDHVwkKG3IdqzuCHQSepuBaGmRaNrMpCbcXgT06DTfsB5e/mzRs27uVjnHDsttlkO B5AQ==
X-Gm-Message-State: ACgBeo0ixvNN1hpg+uDXQHH6RFV2qATMvRF51a1heDTb1WrNKth4Fn5V 9UJ2tU3bZUemMpjHNk2i32NZs4+gJef7NtMD62EanGNO2oY=
X-Google-Smtp-Source: AA6agR7E8/SrYrnRYKjfd8lqseidoLmhyCjRJckU/RhvnqC9wGpNeehc6KEhMLVt0chK54X75qXvVk867EA4LNvqDpM=
X-Received: by 2002:a17:907:7f0b:b0:731:b81a:1912 with SMTP id qf11-20020a1709077f0b00b00731b81a1912mr8832350ejc.8.1660516487337; Sun, 14 Aug 2022 15:34:47 -0700 (PDT)
MIME-Version: 1.0
References: <165728991008.45773.10659091812976572509@ietfa.amsl.com> <4c7fcbfe-5055-d33d-e1d1-27e85592551a@stpeter.im> <A0DD6035-C9D1-4FEC-A5E7-7D95FFC55602@iii.ca> <9c9922a8-93b5-611f-6433-dbac122dcc4f@stpeter.im> <e7b17bbe-0b6b-2a54-2100-b220a9afa92e@stpeter.im> <B186BFAC-6584-4395-837E-C8F09FE6AEC7@iii.ca> <e36b7842-9ebc-2fbd-54be-9a8a1fe05771@stpeter.im> <92ad78a4-5e28-31e8-aa25-b41cb0692ff3@stpeter.im> <SY4PR01MB625185A08074FECE804E5BABEE9C9@SY4PR01MB6251.ausprd01.prod.outlook.com> <da5b62f6-9c38-0ec7-e566-d80edd4d570b@stpeter.im> <ME3PR01MB6242EA89B1857FCD1C028B83EE9F9@ME3PR01MB6242.ausprd01.prod.outlook.com> <LO0P123MB66012454FB82E2F43834E912A9699@LO0P123MB6601.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <LO0P123MB66012454FB82E2F43834E912A9699@LO0P123MB6601.GBRP123.PROD.OUTLOOK.COM>
From: Rob Sayre <sayrer@gmail.com>
Date: Sun, 14 Aug 2022 15:34:36 -0700
Message-ID: <CAChr6SwfTc17oq+CvOR8=d1Maiae-qHzQHhcScU3sap+nV+S8w@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Peter Saint-Andre <stpeter@stpeter.im>, Cullen Jennings <fluffy@iii.ca>, "draft-ietf-uta-rfc7525bis.all@ietf.org" <draft-ietf-uta-rfc7525bis.all@ietf.org>, "art@ietf.org" <art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005f1d1405e63b1fce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/D32Y4ASUD6HQhLF4mzmTQVstnMU>
Subject: Re: [Uta] [art] Artart last call review of draft-ietf-uta-rfc7525bis-09
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Aug 2022 22:34:53 -0000
Hi all, I would like to state up front that I am not disputing the sentence "Implementations MUST support TLS 1.2 [RFC5246]." If that's consensus, I guess I'm just in the rough, and at least the text covering implementations is much more encouraging than I expected. But the document is still not consistent, because the rationale says "when the recommendations in this document are followed [...] the use of TLS 1.2 is as safe as the use of TLS 1.3." But the document also states many valid reasons for going TLS 1.3-only, not least of which is attack surface. I think the document might be better if it said "Implementations SHOULD support TLS 1.2, [for all of the reasons in the rationale below]". It seems to be almost the textbook example of when SHOULD as defined in RFC2119 is appropriate (almost never, imho). There are so many details to track in supporting both versions that I just can't see using MUST here. For example, something close to this TLS 1.3 extension came up at the last TLS WG meeting: https://www.rfc-editor.org/rfc/rfc8446.html#section-4.2.6 But this was in the context of assuming TLS 1.2, and that's a different protocol, whatever you think of the tradeoffs. So, I've said my piece here, and will leave it to the authors. thanks, Rob On Sun, Aug 14, 2022 at 1:27 PM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > Hi Peter, > > Thank you for your comments and sorry for the delayed response. > > The abstract of the Racoon paper mentions TLS-DH(E) five times, so clearly > the authors believe it applies to both TLS-DH and DHE. I think the > disconnect is that Racoon is about public key reuse which you would > characterize as static-ephemeral, but to most users this is just normal DHE > with a very common (though dangerous) optimization. > > Section 4.1 now includes references to both Sec. 7.3 and 7.4 (see editor's > draft [1]). > > I agree we should add a SHOULD NOT for TLS-ECDH, referencing [Jager2015], > "Practical invalid curve attacks on TLS-ECDH". See pull request [2]. > > The internal implementation of ECC algorithms is out of scope of the BCP, > which focuses on the use of algorithms within TLS. In other words, the > target audience for the BCP is TLS administrators more than the people who > write the internals of crypto libraries. This is why we never mentioned > [Brumley11] in RFC 7457 and I don't think we should add it here. > > Thanks, > Yaron > > [1] https://www.sheffer.org/I-D/draft-ietf-uta-rfc7525bis.html > [2] https://github.com/yaronf/I-D/pull/480 > > > On 04/08/2022, 13:00, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote: > > Peter Saint-Andre <stpeter@stpeter.im> writes: > > >Given that we already discuss these matters in Section 7.4, I don't > see the > >need for additional text. > > The issue that I pointed out is in section 4.1, "General Guidelines", > while > what you're referring to is buried in the security considerations > right at the > end. What's in 4.1 at the moment is wrong (Raccoon is > static-ephemeral DH, > not ephemeral-ephemeral DH), so I think it needs to be changed. 4.1 > refers to > 7.3 but not 7.4, so anyone reading the doc who doesn't read into every > corner, > including the parts buried after the IANA considerations at the end, > will get > an incorrect idea of what the issues are. > > Also what 4.1 is in effect saying is "implementations MUST use ECC > algorithms" > (via SHOULD NOT RSA (key transport), SHOULD NOT DH, SHOULD NOT DHE), > and that > includes TLS_ECDH_*, not just TLS_ECDHE_* (section 4.1 says, about > *_DH_*, > "These cipher suites, which have assigned values prefixed by > 'TLS_DH_*', have > several drawbacks, especially the fact that they do not support forward > secrecy", but omits any mention of the equivalent *_ECDH_* which is no > better). > > Since the ECC algorithms are notoriously vulnerable to nonce issues as > well as > various others (e.g. forgetting to perform validity checks on received > values), it's just moving the insecurity from one algorithm over to > another. > There's no mention in the security considerations of any issues with > replacing > DHE with ECC algorithms, it's just "badly implemented DH is insecure" > but no > mention that badly-implemented ECC is also insecure. For example > Brumley et > al's attack on ECDHE takes advantage of the same not-really-ephemeral > nature > that Raccoon uses against DHE, but it's never mentioned. Anyone > reading the > draft would be forgiven for thinking that all you need to do to > magically make > all security problems go away is switch to ECC (and GCM, the other > universal > solution to all problems, despite it also having led to endless > vulnerabilities around nonce reuse). > > Peter. > > _______________________________________________ > art mailing list > art@ietf.org > https://www.ietf.org/mailman/listinfo/art >
- [Uta] Artart last call review of draft-ietf-uta-r… Cullen Jennings via Datatracker
- Re: [Uta] Artart last call review of draft-ietf-u… Thomas Fossati
- Re: [Uta] Artart last call review of draft-ietf-u… Peter Saint-Andre
- Re: [Uta] [Last-Call] Artart last call review of … Cullen Jennings
- Re: [Uta] [Last-Call] Artart last call review of … Thomas Fossati
- Re: [Uta] Artart last call review of draft-ietf-u… Peter Saint-Andre
- Re: [Uta] [Last-Call] Artart last call review of … Viktor Dukhovni
- Re: [Uta] [Last-Call] Artart last call review of … Rob Sayre
- Re: [Uta] [Last-Call] Artart last call review of … Benjamin Kaduk
- Re: [Uta] [Last-Call] Artart last call review of … Rob Sayre
- Re: [Uta] [Last-Call] Artart last call review of … Rob Sayre
- Re: [Uta] [art] [Last-Call] Artart last call revi… Anjam Saqib
- Re: [Uta] [art] [Last-Call] Artart last call revi… Anjam Saqib
- Re: [Uta] [Last-Call] Artart last call review of … Peter Saint-Andre
- Re: [Uta] [Last-Call] Artart last call review of … Rob Sayre
- Re: [Uta] [SPAM] Artart last call review of draft… Cullen Jennings
- Re: [Uta] Artart last call review of draft-ietf-u… Peter Saint-Andre
- Re: [Uta] Artart last call review of draft-ietf-u… Peter Saint-Andre
- Re: [Uta] [Last-Call] Artart last call review of … Rob Sayre
- Re: [Uta] [Last-Call] Artart last call review of … Stephen Farrell
- Re: [Uta] [EXTERNAL] Re: Artart last call review … Andrei Popov
- Re: [Uta] [art] Artart last call review of draft-… Cullen Jennings
- Re: [Uta] [art] Artart last call review of draft-… Peter Saint-Andre
- Re: [Uta] [Last-Call] [art] Artart last call revi… Benjamin Kaduk
- Re: [Uta] [art] Artart last call review of draft-… Peter Saint-Andre
- Re: [Uta] [art] Artart last call review of draft-… Peter Gutmann
- Re: [Uta] [art] Artart last call review of draft-… Peter Saint-Andre
- Re: [Uta] [art] Artart last call review of draft-… Peter Gutmann
- Re: [Uta] [art] Artart last call review of draft-… Yaron Sheffer
- Re: [Uta] [art] Artart last call review of draft-… Rob Sayre