On Fri, Mar 05, 2021 at 02:01:52PM +0000, Fries, Steffen wrote:
> I've got a question regarding application of TLS 1.3 to protect long
> lasting connections. Specifically on the trigger to perform a
> revocation check for the utilized certificates in the handshake.
>
> The background is that for the securing TCP based communication in
> power system automation we defined the application of TLS in IEC
> 62351-3. The document specifies how to use TLS v1.2 in this
> environment. As some of the connections are rather long lasting
> connections, the document defines the usage of TLS session
> renegotiation at least every 24 hours to update the session key
> material on one hand and to enforce the certificate verification from
> both sides (TLS is always used with mutual authentication) including
> the revocation check. The 24 hours were motivated by an expected CRL
> update once a day.
This harks back to another recent thread where it was noted that one
needs to make a distinction between authentication and authorisation.
The integrity of a TLS 1.3 session (which always performs ephemeral key
agreement that offers forward-secrecy) is not compromised if later the
signing keys of one of the parties is compromised. So there is no need
to check CRLs or renegotiate to just to maintain a secure connection.
On the server side, if the client's identity is used as a key into an
authorisation table, one just needs to periodically (or even at each
logical request) to revalidate the client's authorisation, there is
generally no need to "re-authenticate" the client.
If the client is presenting bearer-tokens for entitlement, the client
may periodically need to obtain fresh tokens.
If there is a concern that a server may somehow mid-session cease to be
a legitimate application endpoint for clients that are still connected
to it, and an expectation that timely CRLs and periodic revalidation
of the server certificate would help to avoid that, then perhaps
something should be done.
This feels to me like rather a very distant risk. When a server is
taken out of rotation, the operator should typically terminate all
client connections at that time. How often would one expect to
lose operational control of a running server, such that the only
way to protect active clients is via certificate revocation, with
clients finding out soon enough for this to be useful?
If loss of operational control of servers is a real concern, then I
guess clients should avoid long-lived sessions, and open new connections
frequently, limiting connection reuse and TLS session resumption to just
minutes (just to amortise the cost of the initial handshake over a short
sequence of back-to-back requests).
Once there's a new TLS session every ~5 minutes, there's no need for
CRLs, renegotiation, ... but a quick sequence of requests is still
handled efficiently.
So, in summary, avoid CRLs, OCSP, ... they're obsolete crutches. Use
short-lived certificates (possibly just days or hours), reconnect often
if that's appropriate. Demand fresh authorisation tokens from clients
if authorisation is encoded in the tokens, rather than checked out
of band by the server on a request-by-request basis.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
