IETF Logo Mail Archive

Re: [Uta] Opportunistic encryption and authentication agility

Keith Moore <moore@network-heretics.com> Sat, 22 March 2014 02:52 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EECA11A043A for <uta@ietfa.amsl.com>; Fri, 21 Mar 2014 19:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yn-9Y4fDm2RC for <uta@ietfa.amsl.com>; Fri, 21 Mar 2014 19:52:08 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) by ietfa.amsl.com (Postfix) with ESMTP id D6A4F1A033B for <uta@ietf.org>; Fri, 21 Mar 2014 19:52:07 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 3FE5421112 for <uta@ietf.org>; Fri, 21 Mar 2014 22:51:58 -0400 (EDT)
Received: from frontend1 ([10.202.2.160]) by compute3.internal (MEProxy); Fri, 21 Mar 2014 22:51:58 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:date:from:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; s=smtpout; bh=NneBJoJsaJksYgyn/lfB6u WW7Lw=; b=BlZP/KtOvoUnKm0Cy+xIAH9W/+vLt84VBIxHteS3eayZt4AlemwrA4 HmT4im7hAtpp31WCgjhladFgu1FnoYCbI5Mn5CwxaMkfSND0JfwR0Do/HEvPL0WD zjyFEP3wY69VxyN9KWb9cO6x25HSGNtVctxRc9mml9eiWYQO/MY4U=
X-Sasl-enc: p1Snz3wgrK3+0zJ1LONpo+fe/ylTk8ppjnAC1KM9JvWt 1395456717
Received: from [192.168.1.4] (unknown [65.16.145.177]) by mail.messagingengine.com (Postfix) with ESMTPA id 4D6E4C0000C; Fri, 21 Mar 2014 22:51:56 -0400 (EDT)
Message-ID: <532CFAB0.4070301@network-heretics.com>
Date: Fri, 21 Mar 2014 22:51:28 -0400
From: Keith Moore <moore@network-heretics.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>, "uta@ietf.org" <uta@ietf.org>
References: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com>
In-Reply-To: <CAGZ8ZG0rBxiE2dGZXhpvhKiyJOu=6Bn8sQ2seJ9_KvgPjmaaRg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/GS4Jzolum6j_fCOuZsr9ABPLKoo
Subject: Re: [Uta] Opportunistic encryption and authentication agility
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Mar 2014 02:52:10 -0000

On 03/21/2014 09:37 PM, Trevor Perrin wrote:
> A point I haven't seen in the recent debate:
>
> Whether a TLS connection is "opportunistic" or "authenticated" depends
> not just on the wire protocol but on the client's capabilities.
>
> A client who possesses an HPKP or TACK pin, or is capable of querying
> DANE or Convergence, might be able to authenticate a connection which
> to a different client would be opportunistic.
>
> So when we talk about OE at the protocol level, I think we're really
> talking about whether to allow agility of authentication methods, or
> mandate a specific method.
Partly.   And again, I expect that the mandate will be different for 
different protocols.

Note that as far as I can tell, it will still be possible to implement a 
client that supports only OE; it just doesn't bother verifying the cert 
/ DNSSEC + TLSA record / pinned key / whatever.    Whether that client 
will conform to the recommendations that this group produces, is a 
different question.   But offhand I don't know of a way to keep such 
clients from working (though for new protocols, it might be nice if 
there were one).

Similarly, even if we require TLS for some protocols, it will still be 
possible for a server to supply a self-signed cert with no additional 
validation; then it becomes up to the client to decide what to do with 
that.   We can make recommendations (or "mandates"), but we can't force 
clients to behave in any particular way.     And of course there will be 
some protocols for which it's impractical to require TLS in the near 
term, or maybe ever; e.g. cleartext operation for SMTP mail relaying is 
so well-entrenched that it might be harder to transition to all-TLS SMTP 
than it has been to transition to all-IPv6.

So our task is to make recommendations that server operators and client 
implementors want to implement, but which still improve security in the 
near term - and (perhaps more importantly) which also leave room for 
security to get better in the future.   To me this says that to endorse 
bare OE for any particular application should be an absolute last 
resort.   There should always be _some_ way for clients to learn which 
servers can be expected to support authenticated encryption, even if 
that varies from one application/protocol to the next.

Another subtlety:  There can be a difference between what we "mandate" 
for client and server implementations, versus what we "mandate" for 
services.   Example:   If a web site that does nothing but supply free 
information to unauthenticated parties doesn't want to support 
authenticated encryption, maybe that's just fine.   We might still want 
to "mandate" authenticated encryption for web sites that provide access 
to sensitive information, or for which user authentication is otherwise 
necessary.   But independent of the requirement for services, web client 
implementations could still be required (maybe as a SHOULD) to support 
authenticated encryption (using server certs, TLSA, pinning, or whatever 
set of methods were deemed appropriate to mandate).

> In the case of HTTPS, the Web PKI has been mandated.  A small site
> that doesn't want to pay the costs of Web PKI but would be willing to
> deploy cheaper methods (pinning; DNSSEC/DANE) cannot do so.

Who has mandated the "Web PKI" as the only way to verify a server 
cert?   Is this carved in stone?

> If opportunistic TLS was allowed, then we would have the ability to
> deploy new auth methods without having to forever support whatever was
> in vogue when the initial standard came out.
>
> I think that argues in favor of opportunistic TLS, for HTTP and other protocols.

I don't get it.  If the UTA WG can recommend that web clients permit OE, 
why can't it just as easily recommend that web clients treat OE (from a 
UI perspective) as no better than cleartext, but support pinning and/or 
DANE TLSA as alternative ways to verify a server cert to provide some 
indication to the user that the connection is secure?

Keith

v2.23.0 | Report a Bug | By Email