Re: [TLS] Client certificate alerts

2016-09-19 Thread Hubert Kario
On Saturday, 17 September 2016 20:09:40 CEST David Benjamin wrote: > Hi folks, > > We've run into some problems with client certificate alerts in Chrome that > I'd like to fix going forward. > > The first is easy. handshake_failure is an unhelpful alert for server which > required client certs.

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread Eric Rescorla
On Mon, Sep 19, 2016 at 2:49 AM, David Woodhouse wrote: > On Mon, 2016-09-19 at 10:29 +0200, Nikos Mavrogiannopoulos wrote: > > On Mon, 2016-08-08 at 11:28 +0300, Ilari Liusvaara wrote: > > > More compact and makes the option where server sends some bad option > > > more

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread David Woodhouse
On Mon, 2016-09-19 at 04:41 -0700, Eric Rescorla wrote: > > Do we care that the '0x00 0x12' bytes on my third line above are > > entirely redundant on the wire? Or have I interpreted it wrong? > > Not enough to fix it, this is just the way TLS rolls. An interesting contrast to Nikos's

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread Eric Rescorla
On Mon, Sep 19, 2016 at 5:26 AM, David Woodhouse wrote: > On Mon, 2016-09-19 at 04:41 -0700, Eric Rescorla wrote: > > > Do we care that the '0x00 0x12' bytes on my third line above are > > > entirely redundant on the wire? Or have I interpreted it wrong? > > > > Not enough

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread David Woodhouse
On Mon, 2016-09-19 at 05:46 -0700, Eric Rescorla wrote: > > > And then the client only needs to supply one copy of it for the > > identity which the server actually selected, not one for *each* > > identity which was being offered by the client. > > We're most likely going to allow only one PSK

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread Eric Rescorla
On Mon, Sep 19, 2016 at 7:07 AM, David Woodhouse wrote: > On Mon, 2016-09-19 at 05:46 -0700, Eric Rescorla wrote: > > > > > And then the client only needs to supply one copy of it for the > > > identity which the server actually selected, not one for *each* > > > identity

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread Eric Rescorla
On Mon, Sep 19, 2016 at 8:37 AM, David Woodhouse wrote: > On Mon, 2016-09-19 at 07:55 -0700, Eric Rescorla wrote: > > > What if my client authenticates with an actual pre-shared key, and I > > > also want to resume a session? As it stands, that means I really do > > > need

Re: [TLS] PR#625: Change alert requirements

2016-09-19 Thread Sean Turner
Thanks for the discussion. We’re going to ask ekr to merge this one (obviously dealing with the additional input provided during the discussion). J > On Sep 06, 2016, at 17:33, Sean Turner wrote: > > All, > > The chairs would like to get some eyes on this PR by this Friday

[TLS] Should TLS 1.3 servers send "signature_algorithms" extensions

2016-09-19 Thread Xiaoyin Liu
Hello, There seems to be a conflict in the TLS 1.3 spec on whether servers should send "signature_algorithms" extension or not. In section 4.2.2 Signature Algorithms, it says: Servers which are authenticating via a certificate MUST

Re: [TLS] Should TLS 1.3 servers send "signature_algorithms" extensions

2016-09-19 Thread Eric Rescorla
On Mon, Sep 19, 2016 at 3:56 PM, Xiaoyin Liu wrote: > Hello, > > > > There seems to be a conflict in the TLS 1.3 spec on whether servers should > send “signature_algorithms” extension or not. In section 4.2.2 Signature > Algorithms

Re: [TLS] Should TLS 1.3 servers send "signature_algorithms" extensions

2016-09-19 Thread Xiaoyin Liu
Thank you for your explanation, Eric! Xiaoyin From: Eric Rescorla [mailto:e...@rtfm.com] Sent: Monday, September 19, 2016 7:13 PM To: Xiaoyin Liu Cc: tls@ietf.org Subject: Re: [TLS] Should TLS 1.3 servers send "signature_algorithms" extensions On Mon, Sep 19, 2016 at

Re: [TLS] TLS1.3 + PSK with multiple identities

2016-09-19 Thread David Woodhouse
On Mon, 2016-09-19 at 09:53 -0700, Eric Rescorla wrote: > > Perhaps I should turn your question round, and ask: if PSK is a first- > > class citizen as a key exchange and authentication method, why *should* > > we be forbidden from resuming sessions which started that way... > > Well, I'm not

Re: [TLS] PR#625: Change alert requirements

2016-09-19 Thread Eric Rescorla
Please post a PR for this and see what the WG thinks. On Fri, Sep 9, 2016 at 7:35 AM, Hannes Tschofenig wrote: > Hi Ekr, > > I read through the text and I think it is an improvement. > > I only had one question that is only slightly related to your edits > because it

Re: [TLS] PR#625: Change alert requirements

2016-09-19 Thread Eric Rescorla
Resolutions below. On Thu, Sep 8, 2016 at 11:08 AM, Hubert Kario wrote: > On Monday, 5 September 2016 11:02:57 CEST Eric Rescorla wrote: > > PR: https://github.com/tlswg/tls13-spec/pull/625 > > Finally found some time to take a look at it. > > So in general I like the change