IETF Logo Mail Archive

[TLS] Comments on the cached-info draft

Stefan Santesson <stefan@aaa-sec.com> Wed, 07 November 2012 16:42 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F26BF21F8C69 for <tls@ietfa.amsl.com>; Wed, 7 Nov 2012 08:42:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.249
X-Spam-Level:
X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id liPfFPp3LGnE for <tls@ietfa.amsl.com>; Wed, 7 Nov 2012 08:42:22 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id C142321F8C41 for <tls@ietf.org>; Wed, 7 Nov 2012 08:42:19 -0800 (PST)
Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id DDD29361C3 for <tls@ietf.org>; Wed, 7 Nov 2012 17:42:18 +0100 (CET)
X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se
Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id CI__Xliv3s4M for <tls@ietf.org>; Wed, 7 Nov 2012 17:42:18 +0100 (CET)
Received: from s331.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 683E955FC6 for <tls@ietf.org>; Wed, 7 Nov 2012 17:42:18 +0100 (CET)
Received: (qmail 32734 invoked from network); 7 Nov 2012 16:42:17 -0000
Received: from dhcp-170c.meeting.ietf.org (HELO [130.129.23.12]) (stefan@fiddler.nu@[130.129.23.12]) (envelope-sender <stefan@aaa-sec.com>) by s331.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <tls@ietf.org>; 7 Nov 2012 16:42:17 -0000
User-Agent: Microsoft-MacOutlook/14.2.4.120824
Date: Wed, 07 Nov 2012 11:42:19 -0400
From: Stefan Santesson <stefan@aaa-sec.com>
To: tls@ietf.org
Message-ID: <CCBFF439.533CB%stefan@aaa-sec.com>
Thread-Topic: Comments on the cached-info draft
In-Reply-To: <312F1D0E-0C86-439E-A854-ADBBA0D7D23A@gmx.net>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: [TLS] Comments on the cached-info draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 16:42:24 -0000

It was quite a while since I wrote the first version of this draft.
Now that I bring it up to my attention I found a problem that I think
should be fixed.

After a close examination I'm convinced that the current spec breaks TLS.


The current approach is to exchange support for cached-info in client and
server hellos.
This includes hashes for cached objects (clients) and confirmation of
cached objects (server).

In addition to this, this protocol allows the cached data in handshake
messages to be swapped with cached object hashes.
This is a violation of the syntax of these handshake messages.

Take the Certificate handshake message for example. The spec suggest here
to replace the certificate_list vector to be replaced with a vector of
CachedObejct structured data.
This breaks the syntax of this handshake message. A strict processing of
the certificate_list vector will expect an ASN.1 encoded binary containing
a sequence of certificates, not a vector of data objects according to the
CachedObject structure.

My first thought was that we actually need a new handshake message.
However that is not helpful either.
The TLS spec require the Certificate handshake message to be sent in case
the chosen cipher suite demands it, so it MUST be sent.
It can't be replaced by another handshake message.

My current belief is that we simply should omit the cached data, and that
each cachedInfo type need to defined how to omit cached data.

In case of the certificate handshake message, the certificate list should
be replaced with an empty sequence.


There is actually no need to send the hash of the cached data in the
handshake message. Not if the confirmation of the cached info is exchanged
in the server hello. Sending the hash once more in the handshake message
is then redundant.


So I propose the following:

1) Clients send hashes of cached objects in client hello.
2) Server responds with one or zero hashes per cachedInfo type, that a)
matches a cached object sent by the client b) will be omitted by the
server in the corresponding handshake message.
3) How information is omitted from the handshake message is defined per
cached info type. For the current defined 2 types this is:
  A) cached certificate cahins in Certificate: replace the sequence of
certificates with an empty sequence.
  B) certificate_authorities in Certificate Request: Send an empty list of
DistinguishedName
4) Clients will act as if the cached objects (confirmed in server hello)
were sent in the handshake messages.
5) Everything else according to the current spec


The proposed approach will somewhat limit the functionality of the current
spec, but it ads value in simplicity.
I can't imagine a valid use case that would not be covered by this change,
but I might overlook something.

v2.23.0 | Report a Bug | By Email