IETF Logo Mail Archive

Re: [Uta] Artart last call review of draft-ietf-uta-rfc7525bis-09

Peter Saint-Andre <stpeter@stpeter.im> Thu, 14 July 2022 19:14 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C97AFC16ECDF; Thu, 14 Jul 2022 12:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=DarzLbFz; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ojZPNUpg
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e33SXBTRRzUH; Thu, 14 Jul 2022 12:14:00 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFBA9C16ECDE; Thu, 14 Jul 2022 12:14:00 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 7A8A1320047A; Thu, 14 Jul 2022 15:13:59 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Thu, 14 Jul 2022 15:14:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1657826038; x= 1657912438; bh=mDYR9yqwFGH34sjyKkuiKGH5OYvgodsrnb+rrpiX06g=; b=D arzLbFzIsx0eCxURghIO3Zs7ca54P6J1b+GXO+vFYhyD51V6IFDefOd3LZXgo+0H ZfNLHzVw9tC4x9iRJCbv1gUPM+yN3Pmy7UqfVvRx6ekDEh6YKa/TftTbgU6DGQAO 1jgH/E9S6dkGLJknqw2cAY195TrJdKJPKnZMseJ3np4682TYBRZBWmko8xqeyrrX W9lWgo3jquhI0N0vwlFcM4CHnaqGAH99t3JJD0ySFQj8zFMeZQh3FoLe8u16z91z lGRKmwEdYUxA7QvOMrNLijbZnloolp+i1nJDzV7OUe6W/aps+oiBdxnEDF2qzZbG z28/IaW0iGCIBlkeCfq9A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1657826038; x= 1657912438; bh=mDYR9yqwFGH34sjyKkuiKGH5OYvgodsrnb+rrpiX06g=; b=o jZPNUpgNatcCtJ/HOYcA/U7bPZCdalW3napUZ5jgzQT4MdTdNC6IbtwAfSjOjjdp uJ4Z8TFngu30CrbyexxfkysSckf4qsHJL6Xw6N55A2Sa1P2JaVestmiTsZDlv+2g rP1fAwji3PYQMs4DFSzq59JRmiENVVTmHeolbIRiyenx/MXPji/NvWUolcskwH47 sWEIic66eIepwg+K5IwdWdoaBbTM0hDwT0AABKR+wZULGFvKRlvm2AGVuIgCmnMP fSjA6y1BvE/9nGIIfZ5rdg8TjlBvxHrAp6mkQIfalOcmaLYjR6w/SioKOLH6Kj8y 3q5JNGWknIvSwUGlMUzPg==
X-ME-Sender: <xms:9mrQYoLjBdW-MddOhoomWCZcpp_Lr_6iGIZtEuXkpg-Pl_nUb9raFw> <xme:9mrQYoLGtr0jy2P5ieCDV80B60KTU-HDo_1E6VPRfJIa_mvQo5rB7NZrTt9YKGJpU xjc91QOldTnTyBp4w>
X-ME-Received: <xmr:9mrQYoupY7Aoyf4ZGo0QEGvSojK62bZGv096U59VQ2DlFkbxOk5pMKd-qKx2>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudejledgudefiecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepkfffgggfvfevfhfhufgjtgfgse htjeertddtfeejnecuhfhrohhmpefrvghtvghrucfurghinhhtqdetnhgurhgvuceoshht phgvthgvrhesshhtphgvthgvrhdrihhmqeenucggtffrrghtthgvrhhnpedttdfgueeuie dtteeuieekhefhfeevleeihfevgfdtudefvdduveevieevgfetteenucevlhhushhtvghr ufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehsthhpvg htvghrrdhimh
X-ME-Proxy: <xmx:9mrQYlZ-yb95j5ViZyg9oWpeoiPllFYIy-8KWS9eqHvgpu3Q926LaQ> <xmx:9mrQYvbS1_fDLFgDYPtxgumyn43SNkzouNhe82Ub6Ia3P2TwlSgE3Q> <xmx:9mrQYhBzHL52Rkg1ZaBtczzUUQVaTHk-NlvwB0BP3o3zJLBuMzrEDw> <xmx:9mrQYuXSPhPpoiwKoSI7IkslP_kRPbWJykc-qGugTzpD9NL1Eln-aA>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 14 Jul 2022 15:13:58 -0400 (EDT)
Message-ID: <4c7fcbfe-5055-d33d-e1d1-27e85592551a@stpeter.im>
Date: Thu, 14 Jul 2022 13:13:57 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Cullen Jennings <fluffy@iii.ca>, art@ietf.org
Cc: draft-ietf-uta-rfc7525bis.all@ietf.org, last-call@ietf.org, uta@ietf.org
References: <165728991008.45773.10659091812976572509@ietfa.amsl.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <165728991008.45773.10659091812976572509@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/uIfZRK80iz1drU4369Xpzn1ugk4>
Subject: Re: [Uta] Artart last call review of draft-ietf-uta-rfc7525bis-09
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2022 19:14:05 -0000

Hi Cullen, thanks for the review and my apologies about the delayed 
reply. Comments inline.

On 7/8/22 8:18 AM, Cullen Jennings via Datatracker wrote:
> Reviewer: Cullen Jennings
> Review result: Almost Ready
> 
> To have impact on actually deployments, this documents need to be clear in
> explaining why it makes the recommendations it makes. For the most part it does
> do this but I am reviewing it from the point of view of will it be compelling
> in helping improve security or will people just ignore it.

Well, RFC 7525 is referenced by 100+ RFCs, but that might be pro forma. 
The question is whether implementers and service providers are paying 
attention, and we don't have any data on that. But we definitely agree 
on the goal.

> Section 1, para that starts "The recommendations herein take into
> consideration"... I think this paragraph needs to be scoped to the scope in the
> applicability section because otherwise it seems unlikely to be true. I do not
> think people looked at prevalence in implementations of embedded systems TLS -
> if they did, that should be document. It would be good to actually document
> what was found with HTTPS / Web numbers. Overall, I think the introduction
> should be scope the work along lines of applicability section.

The immediately prior paragraph does have a forward pointer to the 
applicability section.

I do think this statement is accurate:

    The recommendations herein take into consideration the security of
    various mechanisms, their technical maturity and interoperability,
    and their prevalence in implementations at the time of writing.

Thomas Fossati can vouch for the "prevalence" claim better than I can, 
but we have definitely looked at which features are actually available 
in implementations as opposed to just wishing those features were 
supported. One example of many that I find in my email history is 
extended master secret (RFC 7627).

> On the "No TLS 1.1" ... of course I agree with this but the rational is not
> very compelling for people current running this. I think it would really help
> improve getting rid of this if people pointed out that 1.1 only had only SHA1
> and the issues with that. These issues have been made worse by the crypto
> community developing very high speed hardware for SHA like hashes.

Good point. This is all in RFC 8996, but a brief summary might be helpful.

> Section 3.4 - the information in this section is very useful but seems like it
> should be put in it's own RFC that updates TLS 1.3

Hmm. Our intent with this document is certainly not to create protocols.

> On ESNI in section 3.7. My view is the statement "this information leak is
> closed by use of TLS Encrypted Client Hello." is false. The traffic patters to
> most websites along with IP even when fronted very often reveal exactly that
> information. Often the unencrypted OSCP data on port 80 promptly following the
> ESNI packet reveals more than one would hope. I think there should be clear
> discussion about how using this causes schools in some jurisdictions to be
> legally required to have to install monitoring software on computers owned and
> administered by the student and how this is really bad for privacy. There are
> clear cases where ESNI makes sense, but there are others where the IETF in
> trying to help privacy, is actually making the situation worse.

We could say "you should strongly consider using ESNI when available if 
appropriate for your situation and taking into account all relevant 
considerations described in the ESNI spec" but it seems that the ESNI 
spec ought to be the one that covers this topic in depth.

> Section 4.1
> 
> No NULL. I think this should be scoped to no NULL by default and no NULL in
> production but that NULL MAY be used in testing. (other parts of the draft
> sugest that is ok in testing). 

This document is all about deployment in production to provide services 
over the Internet. Don't we already have some wording to this effect?

       Nevertheless, this document does not discourage software from
       implementing NULL cipher suites, since they can be useful for
       testing and debugging.

What would you change there?

> The "SHOULD NOT negotiate cipher suites based on RSA" could use a bit or word
> smithing here. What you mean is should not do things that do not have PFS but
> use of RSA (along with a PFS scheme) is fine. This made my head explode when I
> first read it. I think the intent is fine but that the current words are wrong
> - I would strongly argue that "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" is a
> crypto suited "based on RSA".

I see your point. we'll look into wordsmithing this.

> Given the requirements for crypto agility, I think this there should be at
> least one MTI algorithm that does not rely on EC. Pinning all your hopes on a
> single algorithm surely is not the best security advice the IETF can provide.
> If a EC did have a problem, clearly we would want something already build and
> deployed that we could switch too.

The authors will discuss this and reply again.

> The draft does not say MUST not use SHA1 (other than in certs) but I think you
> should provide clear guidance on if this is a MUST not or SHOULD not and why.
> (referring to the depreciation documents would be fine). This is one of the
> issues that often comes up when trying to make performance trade offs and it
> seem weird, given the rest of the advice in this draft, that this is missing.

Huh, I thought we had text along those lines. We'll check into it.

> On the topic of forward security ... this draft does not really provide much
> information about the gains of doing this. Yes, I understand but you are trying
> to convince others. Many people argue for short lived single transaction HTTPS
> flows that are common in reporting metrics, this does not buy you much and most
> the compromises that would reveal a session key would like still end up
> revealing all the info. I'm not arguing you should not have PFS, I am trying to
> say that this document is not very convincing on the cases that PFS helps in
> and the cases it does not. The draft would be improved by a section that
> discussed the practical attacks this protects from and the ones that it does
> not. 

We'll discuss among the authors once Yaron is back online.

> If my whole machine has been root'd - PFS does not help much.

Naturally. :-)

> In section 4.2.1, the draft should provide more information about why it
> recommends the two curves it recommends. I do not see how we get
> interoperability by putting theses at a SHOULD level instead of a MUST. 

Another topic for the authors to discuss and bring back to this thread.

> I think
> the drat should also discuss curves that SHOULD NOT be used.

That could be a long list...

> End of section 4.5. For RSA certs it has MUST be 2048 bit. This seems right for
> 112 bit security min which seems fine but given how many other places in the
> spec we add a SHOULD for 128 bit security, would it make sense to add a SHOULD
> do 3072 bit RSA?

That's possible, let us have a think about it.

> I don't think BCP is the appropriate status for this. I think it should be PS.

I strongly disagree, given the history of this document in RFC 7525 and 
how it is referenced by 100+ RFCs.

Peter

v2.23.0 | Report a Bug | By Email