Transport Layer Security (tls)

Scott Rea | 1 Aug 2012 03:44

RFC 6125

We'd like to address a few concerns with RFC 6125.  Because the relevant
discussion list is not active, we contacted the authors and TLS Chair who
instructed us to post our concerns to this list.

Our primary concern with RFC 6125 is that Wildcard certificate use is
wide-spread and has proved to be a cost-effective alternative to
multi-domain certificates.  Asking for the deprecation of wildcard
certificates undermines a lot of existing infrastructure and current
establishments.   We feel that RFC's current recommendations fail to
adequately balance the risks and convenience of an existing practice, is
based only on theoretical problems, and does not accurately reflect current
industry practices or beliefs.

We suggest the following changes to RFC 6125:

-------

Section 1.5 - Overview of Recommendations

[........Edit..................]
Move away from the issuance of so-called wildcard certificates (e.g., a
certificate containing an identifier for "*.example.com").

[........Replace with....]
Follow the established rule set for interpreting wildcard certificates
(e.g., a certificate containing an identifier for "*.example.com").

---------

Section 4.1 - Rules

(Continue reading)

Stefan Santesson | 1 Aug 2012 19:56

Proposed cached info update

I went through the cached info draft and found something in the protocol
syntax that I don't believe is totally correctly expressed.

I made a diff that shows my proposed update:
http://tinyurl.com/cachedinfodiff

The issue at hand is that we use an existing structure to send the cached
info.

The data being replaced is in both cases sent as a vector (single
dimension array) of opaque blobs.
The data being sent instead is a vector of structured cached info elements.

This makes the sending of cached info syntax compatible with the original
syntax as the structured cached info element is compatible with an opaque
blob element.

The current draft and the proposed change is bits on the wire compatible,
it just assigns the vector containing cached info a more sensible name
"cached_objects<1..2^24-1> instead of using the name of the old opaque
vector being replaced (i.e. ASN.1Cert<1..2^24-1> and
DistinguishedName<1..2^16-1>).

I would like those being more experts in the TSL presentation language to
double check me so I don't make a stupid error here.

Thanks

/Stefan

(Continue reading)

Peter Saint-Andre | 1 Aug 2012 23:26

Re: RFC 6125


On 7/31/12 7:44 PM, Scott Rea wrote:
> We'd like to address a few concerns with RFC 6125.  Because the
> relevant discussion list is not active, we contacted the authors
> and TLS Chair who instructed us to post our concerns to this list.
> 
> Our primary concern with RFC 6125 is that Wildcard certificate use
> is wide-spread and has proved to be a cost-effective alternative
> to multi-domain certificates.  Asking for the deprecation of
> wildcard certificates undermines a lot of existing infrastructure
> and current establishments.

RFC 6125 does not deprecate use of the wildcard character '*' in PKIX
certificates. Although Jeff and I would have liked to deprecate such
use, we did not go that far, based on the feedback we received while
working on the document that became RFC 6125.

See Section 4.1:

7.  Unless a specification that reuses this one allows continued
       support for the wildcard character '*', the DNS domain name
       portion of a presented identifier SHOULD NOT contain the wildcard
       character, whether as the complete left-most label within the
       identifier (following the description of labels and domain names
       in [DNS-CONCEPTS], e.g., "*.example.com") or as a fragment
       thereof (e.g., *oo.example.com, f*o.example.com, or
       fo*.example.com).  A more detailed discussion of so-called
       "wildcard certificates" is provided under Section 7.2.

See also Section 6.4.3.

(Continue reading)

Martin Rex | 2 Aug 2012 00:26

Picon

Re: RFC 6125

Scott Rea wrote:
> We'd like to address a few concerns with RFC 6125.  Because the relevant
> discussion list is not active, we contacted the authors and TLS Chair who
> instructed us to post our concerns to this list.
> 
> Our primary concern with RFC 6125 is that Wildcard certificate use is
> wide-spread and has proved to be a cost-effective alternative to
> multi-domain certificates.  Asking for the deprecation of wildcard
> certificates undermines a lot of existing infrastructure and current
> establishments.   We feel that RFC's current recommendations fail to
> adequately balance the risks and convenience of an existing practice, is
> based only on theoretical problems, and does not accurately reflect current
> industry practices or beliefs.

I assure you that the issue of wildcard certs, their usage
has been discussed in quite detail on the cert id mailing
_before_ the document now known as rfc6125 was last called
and published.

(Finding the mailing list archives seems non-trivial, since the
 discussion list itself seems to be no longer listed under
 "non-WG discussion lists" on www.ietf.org)

http://www.ietf.org/mail-archive/web/certid/current/maillist.html

(I realize I should have modified/changed the message subject
 more often...)

A few selected (non-representative!) postings from the discussion
on the certid non-WG IETF mailing list that mention wildcard matching:

(Continue reading)

Hannes Tschofenig | 2 Aug 2012 23:54

Picon

Re: Proposed cached info update

I agree that this change is useful. 

On Aug 1, 2012, at 10:56 AM, Stefan Santesson wrote:

> I went through the cached info draft and found something in the protocol
> syntax that I don't believe is totally correctly expressed.
> 
> I made a diff that shows my proposed update:
> http://tinyurl.com/cachedinfodiff
> 
> 
> The issue at hand is that we use an existing structure to send the cached
> info.
> 
> The data being replaced is in both cases sent as a vector (single
> dimension array) of opaque blobs.
> The data being sent instead is a vector of structured cached info elements.
> 
> This makes the sending of cached info syntax compatible with the original
> syntax as the structured cached info element is compatible with an opaque
> blob element.
> 
> The current draft and the proposed change is bits on the wire compatible,
> it just assigns the vector containing cached info a more sensible name
> "cached_objects<1..2^24-1> instead of using the name of the old opaque
> vector being replaced (i.e. ASN.1Cert<1..2^24-1> and
> DistinguishedName<1..2^16-1>).
> 
> I would like those being more experts in the TSL presentation language to
> double check me so I don't make a stupid error here.

(Continue reading)

Nikos Mavrogiannopoulos | 10 Aug 2012 14:17

preventing cross protocols attacks -01

Hello,
 I've updated the document proposing protection against cross protocol attacks.
http://tools.ietf.org/search/draft-mavrogiannopoulos-tls-cross-protocol-01

This version references a new cross-protocol attack on TLS described in:
http://www.cosic.esat.kuleuven.be/publications/article-2216.pdf
In that attack a client is vulnerable to a server impersonation
attack, if the server implements the explicit elliptic curve TLS
option.

regards,
Nikos

Jack Lloyd | 15 Aug 2012 23:40

DTLS 1.2 HelloVerifyRequest version numbers


I'm having a hard time reconciling these statements in RFC 6347 (all
in section 4.2.1):

(a) "[...] DTLS 1.2 server implementations SHOULD use DTLS version 1.0
[in the HelloVerifyRequest] regardless of the version of TLS that is
expected to be negotiated."

(b) "In particular, DTLS 1.2 clients MUST NOT assume that because the
server uses version 1.0 in the HelloVerifyRequest that the server is
not DTLS 1.2 or that it will eventually negotiate DTLS 1.0 rather than
DTLS 1.2."

(c) "The server MUST use the same version number in the
HelloVerifyRequest that it would use when sending a ServerHello.  Upon
receipt of the ServerHello, the client MUST verify that the server
version values match."

Statement (a) says servers should send server_version=1.0 in the
HelloVerifyRequest even if they and the client both support DTLS 1.2,
(b) seems to be saying that a client seeing a HelloVerifyRequest with
server_version=1.0 should not assume the server will eventually
negotiate 1.0, and (c) seems to say that the client must, after having
seen a 1.0 HelloVerifyRequest, reject a ServerHello with version != 1.0

How, then, is it expected for a DTLS 1.2 connection to be negotiated?
The only out I see here is servers ignoring the SHOULD of (a) and
sending DTLS 1.2 in the HelloVerifyRequest if that is what it would
have negotiated from the client hello. And the MUSTs of (b) and (c)
seem to directly contradict each other, so I have to wonder if the

(Continue reading)

Joseph Salowey (jsalowey | 20 Aug 2012 07:07

Picon

Re: Proposed cached info update

I also agree with this change.  Can you submit a new draft with this change and then we can go to working group
last call? 

Thanks,

Joe
On Aug 2, 2012, at 2:54 PM, Hannes Tschofenig wrote:

> I agree that this change is useful. 
> 
> On Aug 1, 2012, at 10:56 AM, Stefan Santesson wrote:
> 
>> I went through the cached info draft and found something in the protocol
>> syntax that I don't believe is totally correctly expressed.
>> 
>> I made a diff that shows my proposed update:
>> http://tinyurl.com/cachedinfodiff
>> 
>> 
>> The issue at hand is that we use an existing structure to send the cached
>> info.
>> 
>> The data being replaced is in both cases sent as a vector (single
>> dimension array) of opaque blobs.
>> The data being sent instead is a vector of structured cached info elements.
>> 
>> This makes the sending of cached info syntax compatible with the original
>> syntax as the structured cached info element is compatible with an opaque
>> blob element.
>>

(Continue reading)

Daniel Kahn Gillmor | 29 Aug 2012 21:54

shared secret keys between TLS clients: specific risks? OK in certain suites?

Hi TLS WG--

This is a hypothetical question about an unusual use of TLS, a scenario
which goes against all my instincts about reasonable key management.
I'm hoping for any insight or analysis that might help me understand the
specific risks.

Consider a TLS server that requires client-side key-based
authentication, but doesn't actually need (or want) to know which one of
a group of clients is connecting.

Let's say the operator of this TLS server creates a single secret
asymmetric (RSA or ECDSA or DSA) key (and corresponding X.509
certificate), and shared the same key each one of the group of several
clients.

I'm also fine assuming that both the server and the clients will insist
on negotiating a non-NULL cipher suite (maybe even a specific one if
necessary), are compliant with TLS 1.2, are extension-capable, and
refuse to negotiate down to an earlier version of TLS.

Is there a way that one such client (with a copy of the secret key used
by the client group) could snoop on (or inject traffic into) a
connection established by one of the other clients that share the key?
Or would this depend on the cipher suite selected?  Clearly, at least
PFS in the face of client-key compromise is a pre-requisite here; i note
that several of the existing PFS notes deal with the concept of the
server's secret key being compromised, but don't mention if a
compromised/shared client-side secret key has the same implications.
And of course PFS doesn't itself address the possibility of active

(Continue reading)

Adam Langley | 29 Aug 2012 22:08

Picon

Re: shared secret keys between TLS clients: specific risks? OK in certain suites?

On Wed, Aug 29, 2012 at 3:54 PM, Daniel Kahn Gillmor
<dkg <at> fifthhorseman.net> wrote:
> This is a hypothetical question about an unusual use of TLS, a scenario
> which goes against all my instincts about reasonable key management.
> I'm hoping for any insight or analysis that might help me understand the
> specific risks.

DH/ECDH certificates would allow a private key holder to decrypt other
connections made with the same client certificate.

I believe that a signature based (RSA/ECDSA) client certificate is
`safe' as a group authentication method in that one member of the
group could not intercept/decrypt a connection made by another.

"Group signatures" are a problem that has been studied and has a
practical solution:
http://crypto.stanford.edu/~dabo/papers/groupsigs.pdf, although the
bilinear group presents an implementation challenge. ("Group
signatures" in that case are defined to have slightly different
properties, see the paper.)

Cheers

AGL

Group

gmane.ietf.tls.

Search Archive

Page

1 | 2

Articles in period: 11

August 2012

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

TLS Cached Info Status (14 May 2013)
ECC key exchange messages (8 May 2013)
comments on draft-balfanz-tls-channelid (1 May 2013)
whither draft-agl-tls-nextprotoneg? EncryptedExtensions? (was: Update (30 Apr 2013)
HTTPS vs HTTP Data Increase (23 Apr 2013)
Biggest Fake Conference in Computer Science (27 Apr 2013)
New Revision: draft-ietf-tls-applayerprotoneg-01 Posted (25 Apr 2013)
I-D Action: draft-ietf-tls-applayerprotoneg-01.txt (25 Apr 2013)
draft-mcgrew-tls-aes-ccm-ecc (23 Apr 2013)
AD review of draft-ietf-tls-oob-pubkey (16 Apr 2013)
Protocol Action: 'The TLS Multiple Certificate Status Request Extensio (15 Apr 2013)
TLS CBC ciphersuites fix (14 Apr 2013)
I-D Action: draft-ietf-tls-multiple-cert-status-extension-08.txt (12 Apr 2013)
comments on draft-ietf-tls-applayerprotoneg-00 (10 Apr 2013)
ALPN - specifying client preference (9 Apr 2013)
[Editorial Errata Reported] RFC5054 (3570) (27 Mar 2013)
SCSVs and SSLv3 fallback (4 Apr 2013)
Working Group interest draft-merkle-tls-brainpool-00 (2 Apr 2013)
I-D Action: draft-ietf-tls-multiple-cert-status-extension-06.txt (2 Apr 2013)
draft-ietf-tls-multiple-cert-status-extension-04 (28 Mar 2013)
draft-ietf-tls-cached-info-14 (28 Mar 2013)

Archives

11	May 2013
110	April 2013
165	March 2013
109	February 2013
17	January 2013
48	December 2012
69	November 2012
44	October 2012
32	September 2012
11	August 2012
39	July 2012
52	June 2012
122	May 2012
147	April 2012
123	March 2012
31	February 2012
31	January 2012
69	December 2011
89	November 2011
52	October 2011
147	September 2011
79	August 2011
162	July 2011
22	June 2011
37	May 2011
109	April 2011
114	March 2011
142	February 2011
31	January 2011
20	December 2010
96	November 2010
66	October 2010
78	September 2010
145	August 2010
224	July 2010
226	June 2010
252	May 2010
49	April 2010
133	March 2010
142	February 2010
136	January 2010
547	December 2009
1074	November 2009
92	October 2009
76	September 2009
36	August 2009
94	July 2009
50	June 2009
94	May 2009
120	April 2009
83	March 2009
40	February 2009
18	January 2009
53	December 2008
33	November 2008
106	October 2008
38	September 2008
42	August 2008
66	July 2008
57	June 2008
73	May 2008
59	April 2008
84	March 2008
51	February 2008
84	January 2008
80	December 2007
92	November 2007
84	October 2007
87	September 2007
27	August 2007
144	July 2007
139	June 2007
72	May 2007
6	April 2007
111	March 2007
37	February 2007
204	January 2007
210	December 2006
195	November 2006
81	October 2006
53	September 2006
15	August 2006
68	July 2006
53	June 2006
40	May 2006
33	April 2006
31	March 2006
61	February 2006
32	January 2006
9	December 2005
63	November 2005
45	October 2005
30	September 2005
18	August 2005
6	July 2005
32	June 2005
27	May 2005
28	April 2005
16	March 2005
23	February 2005
39	January 2005
19	December 2004
4	November 2004
4	October 2004
21	September 2004
77	August 2004
12	July 2004
15	June 2004
37	May 2004
32	April 2004
4	March 2004
23	February 2004
44	January 2004
14	December 2003
51	November 2003
13	October 2003
6	September 2003
1	August 2003
6	July 2003
49	June 2003
14	May 2003
12	April 2003
9	March 2003
39	February 2003
16	January 2003
20	December 2002
30	November 2002
20	October 2002
80	September 2002
108	August 2002
5	July 2002
18	June 2002
39	May 2002
36	April 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template