Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Nikos Mavrogiannopoulos
On Thu, 2018-04-19 at 16:32 -0400, Sean Turner wrote:
> All,
>
> This is the working group last call for the "Exported Authenticators
> in TLS" draft available at https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/.
> Please review the document and send
> your comments to the

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Tim Hollebeek
I generally really like it. My only comment is about the use of a zero byte as a separator in a string (4.2.2). There are commonly used languages where this is likely to lead to implementation bugs, causing the signature to be computed over a shorter length than expected. While I dou

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Jonathan Hoyland
Hi Nikos, The problems post-handshake authentication has with HTTP/2 are described in draft-ietf-httpbis-http2-secondary-certs-00 a.k.a. draft-Bishop. See Section 1.2.3 in particular. In brief, the problem is

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Roelof duToit
How will this (and any mechanism built on top of RFC 5705 exported key material) interoperate with middleboxes? This use of the mechanism is not negotiated on the TLS level, so there is no extension for the middlebox to strip that would warn the endpoints not to use exported authenticators. Ar

[TLS] Reserve or close HashAlgorithm and SignatureAlgorithm registries?

2018-05-04 Thread Sean Turner
The open issue in draft-ietf-tls-iana-registry-updates is whether we should close the registries or simply reserve the remaining values. I’ve submitted the following PR to simply reserve the values and point to the SignatureScheme registry for 1.3 values: https://github.com/tlswg/draft-ietf-tls

Re: [TLS] Reserve or close HashAlgorithm and SignatureAlgorithm registries?

2018-05-04 Thread Russ Housley
I think that reserving them is the right thing for now. TLS 1.2 and earlier will take a while to disappear, so the ability to assign more values if there is a huge surprise seems prudent.

Russ

> On May 4, 2018, at 3:54 PM, Sean Turner wrote:
>
> The open issue in draft-ietf-tls-iana-registr

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Christopher Wood
I sent in one editorial PR as well. Pending the suggested change, I think the document is ready to go.

Best,
Chris

On Thu, May 3, 2018 at 7:24 PM Martin Thomson wrote:
> I've already provided enough input on this draft, but I sent in a few
> editorial PRs.
> Otherwise, this looks fine to go fro

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Benjamin Kaduk
On Thu, Apr 19, 2018 at 04:32:55PM -0400, Sean Turner wrote:
> All,
>
> This is the working group last call for the "Exported Authenticators in TLS"
> draft available at
> https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/.
> Please review the document and send your commen

Re: [TLS] WGLC for draft-ietf-tls-exported-authenticator

2018-05-04 Thread Benjamin Kaduk
On Fri, May 04, 2018 at 11:20:55AM -0400, Roelof duToit wrote:
> How will this (and any mechanism built on top of RFC 5705 exported key
> material) interoperate with middleboxes? This use of the mechanism is not
> negotiated on the TLS level, so there is no extension for the middlebox to
> stri