Skip to main content

IETF conflict review for draft-msahli-ise-ieee1609
conflict-review-msahli-ise-ieee1609-00

Document history

Date Rev. By Action
2020-04-13
00 Amy Vezza
The following approval message was sent
From: The IESG
To: Adrian Farrel ,
    draft-msahli-ise-ieee1609@ietf.org,
    rfc-ise@rfc-editor.org
Cc: IETF-Announce ,
    …
The following approval message was sent
From: The IESG
To: Adrian Farrel ,
    draft-msahli-ise-ieee1609@ietf.org,
    rfc-ise@rfc-editor.org
Cc: IETF-Announce ,
    iana@iana.org,
    The IESG
Subject: Results of IETF-conflict review for draft-msahli-ise-ieee1609-06

The IESG has completed a review of draft-msahli-ise-ieee1609-06 consistent
with RFC5742.

The IESG has no problem with the publication of 'TLS Authentication using ITS
certificate'  as an Experimental RFC.

The IESG has concluded that this work is related to IETF work done in WG TLS,
but this relationship does not prevent publishing.

The IESG would also like the Independent Submissions Editor to review the
comments in the datatracker related to this document and determine whether or
not they merit incorporation into the document. Comments may exist in both
the ballot and the history log.

The IESG review is documented at:
https://datatracker.ietf.org/doc/conflict-review-msahli-ise-ieee1609/

A URL of the reviewed Internet Draft is:
https://datatracker.ietf.org/doc/draft-msahli-ise-ieee1609/

The process for such documents is described at
https://www.rfc-editor.org/indsubs.html

Thank you,

The IESG Secretary



2020-04-13
00 Amy Vezza IESG has approved the conflict review response
2020-04-13
00 Amy Vezza Closed "Approve" ballot
2020-04-13
00 Amy Vezza Conflict Review State changed to Approved No Problem - announcement sent from Approved No Problem - announcement to be sent
2020-04-09
00 Cindy Morgan Conflict Review State changed to Approved No Problem - announcement to be sent from IESG Evaluation
2020-04-09
00 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2020-04-08
00 Erik Kline
[Ballot comment]
doc{draft-msahli-ise-ieee1609-06}
ballot{No Objection}

[nits]

S1

* The sentence "In this document, we call this certificates: ITS certificates."
  is redundant with …
[Ballot comment]
doc{draft-msahli-ise-ieee1609-06}
ballot{No Objection}

[nits]

S1

* The sentence "In this document, we call this certificates: ITS certificates."
  is redundant with the last sentence of this paragraph, which nicely explains
  the definition of ITS.
2020-04-08
00 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2020-04-08
00 Roman Danyliw [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw
2020-04-08
00 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2020-04-08
00 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2020-04-08
00 Magnus Westerlund [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund
2020-04-08
00 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2020-04-07
00 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2020-04-06
00 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2020-04-04
00 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2020-04-04
00 Benjamin Kaduk
[Ballot comment]
The intent of this document is compatible with using TLS extension
points in the intended manner, so I am proposing the "no conflict" …
[Ballot comment]
The intent of this document is compatible with using TLS extension
points in the intended manner, so I am proposing the "no conflict"
response.  However, the details of how the document is written are
problematic in a few places, in particular there are some
inconsistencies that would merit a DISCUSS if this was an IETF-stream
document.  (I list only the summary here; specifics are in the
section-by-section comments.)

The document is internally consistent about whether the new mechanism is
to be used solely with TLS 1.3 or whether TLS 1.2 usage is also
permitted (multiple sections/occurrences).

Section 4.1 repeats text (including normative keywords) from RFC 8446
with minor variation, but does not state that this is a quote or
repetition of preexisting requirements.

Section 4.2 seems to use mutual support of this document to mandate
client preference for certificate types (which is a change to the TLS
protocol, since TLS does not mandate client preference), but then goes
on to have additional description of server behavior that is
inconsistent with mandatory client-preference.

Figure 3 in Section 6.2 depicts a handshake exchange that violates
invariants of the TLS protocol as specified in RFC 7250.

And now, the section-by-section comments:

Section 1

  ITS certificates.  Volkswagen have committed to deploying V2X next
  year using ITS certificates.  New York, Tampa and Wyoming are

nit(?): "next year" will probably not age well.

Section 1.1

  Certificate Type value, reserved through IANA (see Section 9).  An
  implementation of TLS that is not involved in the Experiment will not
  recognise this new Certificate Type and will not be able to interact
  with an Experimental implementation: TLS sessions will fail to be
  established.

nit: I suggest "and will not participate in the experiment: TLS sessions
will either negotiate the use of existing X.509 certificates or fail to
be established", since nothing in this document prevents an
implementation from supporting both ITS certificates and X.509 ones
(though I do not expect this to occur often in practice).

Section 3

  The TLS extension "client_certificate_type" and
  "server_certificate_type" [RFC7250] are used to negotiate the type of
  the Certificate messages used in TLS to authenticate the server and,
  optionally, the client.  Using separate extension allows for mixed

nit: s/the Certificate/Certificate/

  usage with TLS 1.3.  This document makes no change to the permitted
  certificate types for usage with TLS 1.2 [RFC5246] and earlier
  versions; accordingly, the server MUST NOT send the ITS certificate
  type in either the "client_certificate_type" or
  "server_certificate_type" extension on a TLS 1.2 connection.  For TLS

I think I had suggested this text in a previous review, but I remain
unsure that it conveys the desired intent.  If you expect ITS
certificates to be used with TLS 1.2, it will need to be reworded.  I'm
happy to help with that, but don't know what deployment is expected.

  Certificate message.  For TLS 1.2 [RFC5246], the "extension_data"
  field SHALL follow the [RFC7250].  In case of TLS 1.3, the
  "extension_data" field SHALL contain a list of supported certificate
  types proposed by the client as provided in the figure below:

The "extension_data" field for which extension(s)?

  As per [RFC7250], the server processes the received
  [endpoint]_certificate_type extension(s) and selects one of the
  offered certificate types, returning the negotiated value in its
  ServerHello (TLS 1.2) or EncryptedExtensions (TLS 1.3) message.  Note

Related to the comment above, if we are not defining the use of ITS
certificates for TLS 1.2 we probably don't need to mention the TLS 1.2
behavior here.  (Strictly speaking, it's not wrong, and could remind the
reader of how the extensions we use work in the cases we're not using
them for, but that doesn't directly help the reader understand what we
do use them for.)

Section 4.1

  For maximum compatibility, all implementations SHOULD be prepared to
  handle extraneous certificates and arbitrary orderings from any TLS
  version, with the exception of the end-entity certificate which MUST
  be first.

This "SHOULD" and "MUST" makes me somewhat uncomfortable, as it could be
read as trying to override the procedures specified in RFC 8446.
Luckily, it's not, but I would suggest making it a verbatim quote and
labelling it as such (Section 4.4.2 of RFC 8446):

                                                          For maximum
  compatibility, all implementations SHOULD be prepared to handle
  potentially extraneous certificates and arbitrary orderings from any
  TLS version, with the exception of the end-entity certificate which
  MUST be first.

(Note the "potentially" is not present in the copy in this document.)

Section 4.2

      - If both client and server indicate support for the ITS
      certificate type, the server MUST select the first (most
      preferred) certificate type from the client's list that is
      supported by both peers

This makes me a little uncomfortable, as the core TLS protocol does not
require the server to honor the client's preference at all.  That said,
I can see a reasonable interpretation of this text as only specifying
the behavior when this document is in use (by both parties) and thus not
directly contravening RFC 8446.

(Also, note that the most-preferred certificate type might not be the
ITS type!)

      - The server supports the certificate types specified in this
      document.  In this case, it MAY respond with a certificate of this
      type.  It MAY also include the client_certificate_type extension
      in the Server Hello (for TLS 1.2) or in Encrypted Extension (for
      TLS 1.3).  Then, the server requests a certificate from the client
      ( via the CertificateRequest message )

This seems to be in conflict with the first bullet point -- the first
case has MUST-level requirements on the server's behavior, but these
MAYs seem to allow behavior that contravenes the MUST.

      - The server supports the extension defined in this document, but
      it does not have any certificate type in common with the client.
      Then, the server terminates the session with a fatal alert of type
      "unsupported_certificate".

I still don't see how this is any different from "server does not
support any of the proposed certificate types and terminates the
session" in the second bullet point.  Whether or not the server supports
the extension defined in this document does not have any bearing on the
server's behavior when it doesn't support any of the proposed types.

Section 6.2

Figure 3 needs to include the CertificateRequest message from the
server, since it sends the "client_certificate_type" extension.  (Figure
2 does this already, so I assume this is just an oversight.)

Section 7.2

  received in the handshake expires.  We can consider the TLS
  renegotiation as specified in [RFC5246], but an implementation of
  proposed extension could favor terminating the session on expiry of
  the certificate.

[I commented earlier about some text that says this extension is only
intended to be used with TLS 1.3, which is not really consistent with
discussing TLS 1.2 renegotiation here.]

Section 7.3

  All ITS certificates use public-key cryptographic algorithms with an
  estimated strength of at least 128 bits ,specifically, Elliptic Curve
  Cryptography (ECC) based on curves with keys of length 256 bits or
  longer.  An implementation of the techniques specified in this

[Just to be clear, this is excluding curve2519, x25519 key exchange,
etc.  It's not clear whether that's intended or not.]

Section 7.4

  The assumption in this document is that a party that accepts ITS
  certificates will do it in the context of an access control policy
  that states what PSIDs and SSPs are to be accepted in the handshake,
  and what activities are permitted within the session based on the
  PSIDs and SSPs presented in the handshake.  [ISO21177] provides a
  generalization of this where additional certificates may be presented
  within the context of a TLS session to provide a more complete
  picture of the permissions of the counterparty within the session,

(Side note: This "additional certificates may be presented within the
context of a TLS session" sounds like it could be something that
conflicts with IETF work in developing mechanisms for post-handshake
authentication, but the ISO21177 document is not what's up for conflict
review.)
2020-04-04
00 Benjamin Kaduk Ballot comment text updated for Benjamin Kaduk
2020-04-04
00 Benjamin Kaduk [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk
2020-04-04
00 Benjamin Kaduk Created "Approve" ballot
2020-04-04
00 Benjamin Kaduk Conflict Review State changed to IESG Evaluation from Needs Shepherd
2020-04-04
00 Benjamin Kaduk New version available: conflict-review-msahli-ise-ieee1609-00.txt
2020-03-24
00 Cindy Morgan
From the ISE: "We previously kicked off a request for a conflict review of this draft, but I withdrew the request after discussion with Ben …
From the ISE: "We previously kicked off a request for a conflict review of this draft, but I withdrew the request after discussion with Ben Kaduk. I'd like to kick the request off again."
2020-03-24
00 Cindy Morgan Placed on agenda for telechat - 2020-04-09
2020-03-24
00 Cindy Morgan Conflict Review State changed to Needs Shepherd from Withdrawn
2019-12-16
00 Cindy Morgan The request for 5742 review of draft-msahli-ise-ieee1609 was withdrawn by the ISE.
2019-12-16
00 Cindy Morgan Removed from agenda for telechat
2019-12-16
00 Cindy Morgan Conflict Review State changed to Withdrawn from AD Review
2019-12-02
00 Benjamin Kaduk Telechat date has been changed to 2019-12-19 from 2019-12-05
2019-12-02
00 Alissa Cooper Conflict Review State changed to AD Review from Needs Shepherd
2019-11-27
00 Benjamin Kaduk Shepherding AD changed to Benjamin Kaduk
2019-11-25
00 Cindy Morgan Placed on agenda for telechat - 2019-12-05
2019-11-24
00 Adrian Farrel IETF conflict review requested