Re: [TLS] Extensibility in SCVP draft

[Rob Sayre]

Hi,

Doesn’t it depend on whether it would be easier to do this select* or deal
with multiple validations in the same message? No one’s said that exactly
afaik, but I haven’t watched the meeting yet.

thanks,
Rob

* in the recent past, the stuff I’ve worked on has made this easy, but I
agree they’re a bit annoying.

On Mon, Jul 25, 2022 at 13:25 Russ Housley  wrote:

> I was thinking the same thing during the presentation.  An extension for
> SCVP seems fine to me.  Then in the future, if another validation comes
> along some day, a new extension can be assigned for that protocol.
>
> Russ
>
> > On Jul 25, 2022, at 4:13 PM, Martin Thomson  wrote:
> >
> > Take this:
> >
> > struct {
> > PathValidationType path_validation_type;
> > select (path_validation_type) {
> >  case scvp: SCVPValidationRequest;
> > } request;
> > } PathValidationRequest;
> > enum { scvp(1), (255) } PathValidationType;
> >
> > This adds a layer of extensibility that doesn't do a lot.  Please
> consider making this less generic.  If we want a different validation
> design, then another extension can be defined.  We have a poor track record
> of being able to use these nested extension points and it will be more
> efficient to just put the SCVP pieces in their own extension.
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] Draft minutes

[Salz, Rich]

Draft minutes at https://notes.ietf.org/notes-ietf-114-tls?edit And attached.

# TLS at IETF 114

## Administrivia (5 minutes)

- Blue sheets; log into the "local" meetecho tool
- Minute-taker: Rich Salz with help from Nick Doty
- Jabber Scribe
- NOTE WELL
- Agenda revision; "TLS flags" document moved to end
- Doc updates; see chair slides

## Working Group Drafts (85 minutes)

### cTLS (Ben Schwartz)
- Recently joined as co-author
- Major changes:
- Profile ID's are registratable bytestrings if under four bytes (IANA); if more than four bytes, only significant within a significant deployment
- No longer a "compression" layer; was layer betwween TLS and its transport. Consensus is that this was not very simpler, prefer to have cTLS authenticated its own transcripts (without TLS). That's ambiguous so you prepend template identifier as a synthetic message. Template was JSON, is now a binary format roundtrippable to/from JSON.
- New handshaking framing option since most handshake are expecte to be small; `handshake_framing=false`
- Open/interesting questions: compressed EC points, compressed certs, versioning, etc.
- Expect some analysis, but also expect that this will map exactly to the TLS 1.3 guarantees.

### A well-known URI for publishing ECHConfigList values (Stephen Farrell)
- New co-authors (Rich Salz, Ben Schwartz) to cover some use-cases
- Sample code (this is a work in progress) available; see slides.
- Breeze through technical details
- Should we make this more generic (everything a web server would want, like ALPN etc). Prefer to be ECH-specific.
- Add ALPN? Yes probably.
- Think about what other, if any, inner CH content to add.
- think about what parts of SVCB to support.
- Other open questions/issue that were raised.
- EKR: conflicting lifetimes? Ben/Stephen: not the intent to replace generic HTTPS RR, only origin/DNS-server information to add RR data.
- Ted Hardie: If there are other use-cases, think about caching infrastructure. Maybe register a provisional, write an experimental RFC, see if it's worth doing.
- Ben Kaduk: if you want to limit to origin/dns, then don't register a url. Stephen: it's a reasonable argument.

### IANA Registry Updates for TLS and DTLS (Sean)
- SAAG suggested adding "D" for deprecated/disrecommended.
- Tough because new registrations have happened since TLS 1.3 RFC.
- Short-sighted to not include Recommended column in HashAlgorithm, SignatureAlgorithm, ClientCertificateType
- Table of changes; see slides.
- Martin: if there's no RFC that says "this is bad" then it should be "N"
- Discussion of some of the N or D ratings
- Revision planned, seeking reviews, hopefully then WGLC

### Deprecating Obsolete Key Exchange Methods in TLS (Nimrov Aviram)
- TL;DR: Remove RSA keyx, static FFDH, FFDHE only when >2048 and a safe well-known group, no static FFDHE
- Open issues: what are safe FFDHE groups? What shoud client do if it can't/won't verify group structure?
- Ben Kaduk: create a registry for "safe" named groups? Would that work?
- DKG: we should address why the pen-testing tools are wrong to complain in some cases.
- Nimrod: Will summarize the points made and bring it to the list.

## Individual Drafts and Presentations (30 minutes)

### TLS Extension: Validation Request (Rob Segers and Ashley Kopman)
- Global aviation uses SCVP (RFC 5055).
- Interop is key, states are sovereign, need standards. Moving to IP (as opposed to OSI).
- 5.5K entitites, 25K aircraft; trust anchor distribution issues.
- Block diagram; see slides for details.
- Extension to ClientHello message, TLS server does SCVP query, extension to CertMessage that includes the scvp response.
- Uri Blumenthal: appropriate for constrained devices; Hannes: yup, works fine.
- Response to question from EKR: plan is to get Boeing, Airbus, etc., national aviation authorities; seem to have good representation. Server-side needs changes, but that global count of them is manageable.

### Using Attestation in TLS and DTLS (Hannes Tschofenig)
- See also HotRFC presentation
- Doing prototyping/experiments.
- Works with RATS models; supports client- and server-side, usable with different attestation formats, TEE agnostic
- Need a nonce, so just using the "obvious" certificate_type is harder.
- Intent is to use for both client- and server-side attestations.
- Monty Wiseman: Need to be able to specify what kinds of things you want to attest. This is a lot of work, happy to be involved.
- Nick Doty: why is this a TLS protocol, not an application protocol? Hannes: good question. Want some guidance. Nick: serious privacy risks that should be addressed earlier rather than later.
- Henk Birkholz: meaning of evidence is unclear. Yes I know this is a 00 draft. Don't use attestation term. Hannes: yes, I will use the "Henk brush" for next version.

### NIST PQC Announcement (Sofí Celi and Thom Wiggers)
- See also CFRG notes.
- Parked draft ietf-tls-hybrid-design is the way to go
- Certificate-based authentication
- 

[TLS] client attestation type in draft-fossati-tls-attestation

[yangpeng...@chinamobile.com]

Hi all,

First of all, I think this document is very interesting and useful in scenarios 
like communication between TEE and client. In my point of view, I think the 
protocol could support other customized attestation formats for a wide range of 
use. For example, maybe a integrity measurement result or HASH value, etc. 

BR.
Penglin




___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Extensibility in SCVP draft

[Russ Housley]

I was thinking the same thing during the presentation.  An extension for SCVP 
seems fine to me.  Then in the future, if another validation comes along some 
day, a new extension can be assigned for that protocol.

Russ

> On Jul 25, 2022, at 4:13 PM, Martin Thomson  wrote:
> 
> Take this:
> 
> struct {
> PathValidationType path_validation_type;
> select (path_validation_type) {
>  case scvp: SCVPValidationRequest;
> } request;
> } PathValidationRequest;
> enum { scvp(1), (255) } PathValidationType;
> 
> This adds a layer of extensibility that doesn't do a lot.  Please consider 
> making this less generic.  If we want a different validation design, then 
> another extension can be defined.  We have a poor track record of being able 
> to use these nested extension points and it will be more efficient to just 
> put the SCVP pieces in their own extension.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Extensibility in SCVP draft

[Salz, Rich]

>  We have a poor track record of being able to use these nested extension 
> points and it will be more efficient to just put the SCVP pieces in their own 
> extension.

Yes!  For example, the "SNI hostname" is such a nested construct, nobody uses 
anything other than "a hostname string."

Wrapping in substructs requires pre-compute, buffering, etc.  Just say what you 
mean :)

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] Extensibility in SCVP draft

[Martin Thomson]

Take this:

struct {
 PathValidationType path_validation_type;
 select (path_validation_type) {
  case scvp: SCVPValidationRequest;
 } request;
} PathValidationRequest;
enum { scvp(1), (255) } PathValidationType;

This adds a layer of extensibility that doesn't do a lot.  Please consider 
making this less generic.  If we want a different validation design, then 
another extension can be defined.  We have a poor track record of being able to 
use these nested extension points and it will be more efficient to just put the 
SCVP pieces in their own extension.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] RFC 9258 on Importing External Pre-Shared Keys (PSKs) for TLS 1.3

[rfc-editor]

A new Request for Comments is now available in online RFC libraries.


RFC 9258

Title:  Importing External Pre-Shared Keys (PSKs) 
for TLS 1.3 
Author: D. Benjamin,
C. A. Wood
Status: Standards Track
Stream: IETF
Date:   July 2022
Mailbox:david...@google.com,
c...@heapingbits.net
Pages:  11
Updates/Obsoletes/SeeAlso:   None

I-D Tag:draft-ietf-tls-external-psk-importer-08.txt

URL:https://www.rfc-editor.org/info/rfc9258

DOI:10.17487/RFC9258

This document describes an interface for importing external
Pre-Shared Keys (PSKs) into TLS 1.3.

This document is a product of the Transport Layer Security Working Group of the 
IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-edi...@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC


___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] RFC 9257 on Guidance for External Pre-Shared Key (PSK) Usage in TLS

[rfc-editor]

A new Request for Comments is now available in online RFC libraries.


RFC 9257

Title:  Guidance for External Pre-Shared Key 
(PSK) Usage in TLS 
Author: R. Housley,
J. Hoyland,
M. Sethi,
C. A. Wood
Status: Informational
Stream: IETF
Date:   July 2022
Mailbox:hous...@vigilsec.com,
jonathan.hoyl...@gmail.com,
mo...@iki.fi,
c...@heapingbits.net
Pages:  13
Updates/Obsoletes/SeeAlso:   None

I-D Tag:draft-ietf-tls-external-psk-guidance-06.txt

URL:https://www.rfc-editor.org/info/rfc9257

DOI:10.17487/RFC9257

This document provides usage guidance for external Pre-Shared Keys
(PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446.
It lists TLS security properties provided by PSKs under certain
assumptions, then it demonstrates how violations of these assumptions
lead to attacks. Advice for applications to help meet these
assumptions is provided. This document also discusses PSK use cases
and provisioning processes. Finally, it lists the privacy and
security properties that are not provided by TLS 1.3 when external
PSKs are used.

This document is a product of the Transport Layer Security Working Group of the 
IETF.


INFORMATIONAL: This memo provides information for the Internet community.
It does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-edi...@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC


___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls