Add warning about agreement on Client certificate bytes. #76
Conversation
Done. |
Fix nit. Co-authored-by: Armando Faz <armfazh@users.noreply.github.com>
|
This is useful information to convey to implementers and users. +1 |
| negotiated out-of-band it is possible to negotiate EAs without agreeing on the | ||
| entire transcript. Servers SHOULD send application data before sending a | ||
| CertificateRequest to the client. If there is no application data to send the | ||
| server MAY send a NewSessionTicket. |
There was a problem hiding this comment.
NewSessionTicket is not an application message, so the previous text does not actually say that receiving NST would suffice to produce full-transcript agreement. (It would, of course, since NST is protected by application traffic keys, but we should probably tweak some text to be more precise.)
There was a problem hiding this comment.
Suggest adding "(because that is also protected by application traffic keys)."
|
@ekr To follow up from the meeting, this is only relevant in the case where the server has requested a client certificate, which is why you can't predict the client |
|
@jhoyla the text (as shown in the session) says that the server sends something though. But the server can do that without seeing the client certificate. I think that this needs to be something different, perhaps "the server has received and validated the client's Finished". |
| @@ -511,6 +511,13 @@ The signatures generated with this API cover the context string | |||
| "Exported Authenticator" and therefore cannot be transplanted into other | |||
| protocols. | |||
|
|
|||
| In TLS 1.3 the client and server are not guaranteed to agree on the client’s | |||
| final flight until the first application message. Because EAs can be | |||
There was a problem hiding this comment.
As noted, this first is false. 0-RTT or 0.5-RTT both violate this.
There was a problem hiding this comment.
MT is right. You need to delete the first sentence. just the second two are sufficient. Otherwise, this is fine.
There was a problem hiding this comment.
We do get a guarantee of agreement eventually, though nailing down a concise way to describe exactly when that happens may take some thought. IIRC it's successful use of application_traffic_secret_0.
I think the phrasing would be a little awkward if we just jump straight in as "Because EAs can be negotiated out-of-band it is possible to negotiate EAs without agreeing on the entire transcript". If we don't want to mention the lack of transcript agreement at all, we might flip it around, "It is possible to negotiate EAs without agreeing on the entire transcript, as might occur if [...]". We might also make the first sentence blander without removing it entirely, to mention that the non-agreement on the client's final flight is possible/a risk, without making a specific claim of when the risk goes away.
There was a problem hiding this comment.
I don't believe that that's true. application_traffic_secret_0 does not include anything from the client's last flight.
There was a problem hiding this comment.
What do people think of this text instead:
In TLS 1.3 the client does not explicitly learn whether its Finished message
was accepted. Because the application traffic keys are not dependent on the
client's final flight, the client cannot learn whether the server ever received
it. To avoid disagreement between the client and server on the authentication
status of EAs, servers MUST verify the client Finished before sending an EA.
There was a problem hiding this comment.
That seems like a good approach. I might spend a few words for "client cannot learn just from TLS messages" or similar, since some application protocols on top of TLS might enable the client to do so. But I don't think it's strictly necessary to have such a clarification.
I'm still trying to work out what threat we are considering here. Is it the server pretending to read the Finished and not or is it the server making an error and not reading the Finished. In the former case, it's not sufficient to send the NST because the client doesn't know what RMS the server has computed. In the latter case, why not just tell the server not to send a request until it's read Finished if there is a client cert? |
|
At the end of a mutually authenticated handshake the client doesn't know that the server has agreed on the ClientCertificate's bytes. The threat is that the client's last message might have been corrupted in flight (intentionally or otherwise). |
|
I think that's the only thing that works. |
|
@jhoyla Just checking to see when this might be updated? |
|
Changes pushed. |
|
@ekr Does the final change address your issue? |
|
[Clarifying]
The traffic keys do not depend on the client's final flight at all. So, I don't see what the "first application message" does here. The client receiving the server's messages doesn't tell the client anything, and receipt of the client's first application data isn't really relevant here. It's the Finished that matters. |
|
Maybe something about how we rely on the server to not send application data if the client Finished fails to validate (and thus for application data to not be exchanged in case of tampering), rather than talking about "agree on the client's final flight"? That lines up nicely with the new MUST-level requirement to not send EA if the client Finished doesn't validate. |
|
@jhoyla, @grittygrease: can you please coordinate and come to a resolution that addresses the remaining comments in this thread? In particular, I think we're seeking clarity on the conditions for agreement and how that relates to the client's finished message (and not necessarily application data, though that may imply agreement, if I'm understanding the intended text here). |
What about 0.5RTT? |
|
@grittygrease @jhoyla can we please get an update here? Would additional editors here help the process? |
Yes, the server can send 0.5RTT before the handshake completes. That's why my focus was on "we rely on the server", as the client doesn't always have a great way of telling for sure. The application protocol's semantics might be able to clue that a given response was 1-RTT and not 0.5-RTT, but it might not, too. I probably should have said "close the connection" rather than "not send application data", or maybe "not continue to send application data". |
|
LGTM.
…On Tue, Mar 1, 2022 at 8:34 AM jhoyla ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In draft-ietf-tls-exported-authenticator.md
<#76 (comment)>
:
> @@ -511,6 +511,13 @@ The signatures generated with this API cover the context string
"Exported Authenticator" and therefore cannot be transplanted into other
protocols.
+In TLS 1.3 the client and server are not guaranteed to agree on the client’s
+final flight until the first application message. Because EAs can be
What do people think of this text instead:
In TLS 1.3 the client does not explicitly learn whether its Finished message
was accepted. Because the application traffic keys are not dependent on the
clients final flight, the client cannot learn whether the server ever received
it. To avoid disagreement between the client and server on the authentication
status of EAs servers MUST verify the client Finished before sending an EA.
—
Reply to this email directly, view it on GitHub
<#76 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAIPLIMU7KWKUOY2HCZHWK3U5ZBITANCNFSM5CXTWACQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
What do people think about putting "before sending an EA or processing a received EA." instead of "before sending an EA"? The server might then accept the EA and do some action, but then reject the Finished message. |
Co-authored-by: ekr <ekr@rtfm.com>
In the TLS 1.3 handshake the client and server do not agree on the client's certificate bytes until after the first server application message.
If this is significant to an application, then the server should send an application message before authenticating the client with an EA.