[hrpc] FW: New Version Notification for draft-mattsson-tls-psk-ke-dont-dont-dont-02.txt
John Mattsson <john.mattsson@ericsson.com> Mon, 02 January 2023 09:58 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC1AFC1516ED for <hrpc@ietfa.amsl.com>; Mon, 2 Jan 2023 01:58:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09NEeA2Xzw8J for <hrpc@ietfa.amsl.com>; Mon, 2 Jan 2023 01:58:14 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2073.outbound.protection.outlook.com [40.107.21.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C8A7C1516E8 for <hrpc@irtf.org>; Mon, 2 Jan 2023 01:58:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BPJIt72/0YbHnsDJg4C5P/xw5ZjP6V/ecfoihWcTh46z6sy1WpekudGYZegcGmiTRcfnRnZGFiskiCKytOxpkRQmEdkyIDaoXLT1bT5teb4PN1HbVsayhb+kxaB94igzhV04yEiIrj1ooGW2MsxpLqk+ffpR7+D5KoxITHduL4fOUHVWee7GQlB9l5eJTupGwaoSzkCw3G8LzCxdzGbakOKPQQyEcRLneRMU401IQUWUbXzMVAUrrvNOYmExALDTSoEXc1HYy7XspiBGu8Zvb945OHSBl6/WW2jZDsSNcfzlPDX1AYZGwwOeh4jXnUU1ibGxYxK46NCDGDOTP8mktg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=niZoNDjuCKlxjafr+l5m+Yhfa4Bk61qvpzvxIhzgSYE=; b=BBvxM4UemvjWjW9vXQSBQOAbcFoPZlNdKgy/71kXcd46p9XJlpVKXfMYyXEKFvV+7sJz0WUN6nS0vC6a7B8SVnY+XMZ//y74cwz1yT2NPTWz2CQgJeCjMC4tJtzv7hyOTiTvwGs8VbS/jrT33UbU2+X4mJfFGZUCmJ8O7WlTUoTZwv4AM/J/O7FanKhiy44YKgkE3N5xbyxq/+VZO7M2dh5VADPpmF3lS1s13ncD9CdTpOVS9z+v8IHWG9G0XraUUR/ApoMbiC+QdK26OBKb1Nb3Kxf3Um6AVqzDIHZD7mE4ym+DNiyztarnTzErcZ8sWQ/N26zGOFHV2ZRkNbbR+Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=niZoNDjuCKlxjafr+l5m+Yhfa4Bk61qvpzvxIhzgSYE=; b=KMGz7XWv5acp946l75DNOKRrXTazryHB75mqAxIGQzo0Tmdh6LCcsPIkddyYKxflFebPUstOWVboyih/sRAPTo/EIvk82QLuLzVFB/BYgV13RzCu8mloTefaNYCZSu3+16nnAhKmCcgNzRi9Yl+pL4c8LQjKYo3f0qX6iBN3aqQ=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by DU0PR07MB9639.eurprd07.prod.outlook.com (2603:10a6:10:31a::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5944.19; Mon, 2 Jan 2023 09:58:09 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::fc77:42d2:1bc6:ec49]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::fc77:42d2:1bc6:ec49%12]) with mapi id 15.20.5944.019; Mon, 2 Jan 2023 09:58:08 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "hrpc@irtf.org" <hrpc@irtf.org>
Thread-Topic: New Version Notification for draft-mattsson-tls-psk-ke-dont-dont-dont-02.txt
Thread-Index: AQHZHCtVfhw/LValBEanfMHwPcRhUa6K4U1S
Date: Mon, 02 Jan 2023 09:58:08 +0000
Message-ID: <HE1PR0701MB3050EC4B8C23D6C3A902967789F79@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <167238999618.44941.2496293209257158766@ietfa.amsl.com>
In-Reply-To: <167238999618.44941.2496293209257158766@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: HE1PR0701MB3050:EE_|DU0PR07MB9639:EE_
x-ms-office365-filtering-correlation-id: f9319d60-29fd-4407-5cff-08daeca7da07
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2ScdFM08mav7bjAlUzIk/GO5Fh5DpbsN6kakRhYjRnEBGxgeHrkfSCwI22b3M2G8dsP4JBhc3jDMVUE0VLNHrCnFPyDIzS5IUw/QKjfmOA5YEczX1Dx0uh9/5BYEuBcB/KP4RB/Z7/U4x186ijZOnqGpnjIBTlUJybkXHEWWRf23gqm3b1t2aPG57MCMNHcUQf73PUbrjjkKF0Yk7WrHwdQUpqfWXsB0nFCj0x9vGEeWGVuU5LjK4Hc2UisiS+jS0vIb77APcp/AvqH5dUM3ySU+mj1Gn4xmq0yyBFdeyLq+7qgFok48IsBpBlgb/NhAbsYVYX6JXkLz8MBT7VvtcT8YKSpWhoThhJDsGUt37WOpzvbTcA7uzSVYbIJvfqfrmL85FRgUty7/w4QxDmBC3vVz0A6QOeaY/nJI2rruM0Pl75eVJD4WsGN5k2ysr8FIOCgqlTfP0acXD4MAagQ/LDfS0jaoa6dq9YHhNRgONMWFgqCDCTojNhIn6T0alsWwqgyHzEOK+4bAAxuIXT43xDm46C9w5x1Iaw3X2VHrMuk02OReL5l9yrf38dR0OmpYcJZWIBulEcRe8yq+wsXKRZXZvebF5hc1b9cbxRjrEOQt6UnPszpe+0jXxiD4C+RRQfrED3RA6mInnKlhhPW+GRZqJcOHy/9UPYU0WKfa5mZeL/Q1luWZiEgr1SQDfM62txS4Kt3JqT5+BJUJD6mj0e/Toy+9Q3VEBHPzQe0CUSos9hVA50R0AHJeBc9UZnMUut4UpYPCFnbECiiYJGaprNXG+eaki7DiM/LYfsekEZw6yo8S+aEplipB3Hh3KhaRrNAKP8xLP94GzX6vWEpwwVXXb+7GDUvoLwkvUVFQXuQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(346002)(366004)(136003)(39860400002)(376002)(396003)(451199015)(83380400001)(66574015)(9686003)(26005)(186003)(53546011)(33656002)(55016003)(6506007)(7696005)(38070700005)(86362001)(38100700002)(166002)(82960400001)(122000001)(21615005)(41300700001)(8676002)(66899015)(15650500001)(4001150100001)(5660300002)(2906002)(8936002)(44832011)(966005)(71200400001)(478600001)(52536014)(66946007)(66556008)(66476007)(76116006)(316002)(91956017)(6916009)(64756008)(66446008)(22166006)(192303002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: gq9SwxZoRYJWQA0RNmfNjeVByj36iUvUemtD9SWqfluMs1mtBWqFZZUpIyXVeLOb/liKoMZfQmfcIFLoqbVQc2uhWSD4T7ERZCMvel1friLsPV7jeCxSHX7O1BR//icjGLwn5YxzvpG3XEliPVT/3WFh97H9fOPfRJMUp+8AVShrhj/2b9CY55vZjNStjlR0dTkT/64JyXfuh0cj3YW4I2Ju7jrcQvpGovDeN980Ao5GfZnQA/3p60CMmjBORNZ8Kz+OhxxjhCoNn/pFE6iS9yQ4uBHJp4QEPKmcts6G8ApzVV7AyrSwZcXvp6bxuQno3OP2fJLC+9ZoW/Wu6EUFkCZmlrs4OAyEZ/5iqR+G02ACRPz2RxUVyzpA20exluckXh6mcXmZsZjVvDuJjti4eRVirQ3B1K/BSw+d1FsV3p6oz9yW7YnsdmzWtOqppWjRzQQ96UnFWZyS3d0FUJoj3ZELuqeSTTRxtEzuCVMbQzENZuJr8h0XZLh6EukPu7udqRRv1Q0E0phng4uEpdqMPSeW3DuLspYdCKZh5OM3poclreaowJPHLV7TAdJOnd3AJsb1wjKuIXmYVAdc++lWO58DBgC/inglp2yVkEMQEEcsM0PorGMMMvYLsjrKUCotCf57dgBy/h0AD7bc2WLLCIr+dWj6NIKne7R0trdLD+mEWCpOxEs2kbeYlAeB9fOpySMVBaMm+Iag0VoIvVcpY+12ufAjMk5bamDQxOUHzpl+2dqlkv/d5fIJezAhal433EEiache8pAve58S7zP2nnFKEsvLMRwKN8/Uivsp93BdJj+I1aD+7M2AkGcrD2tJeyx5ODja9OyUtVDgjYsKObooWWIPWB43npF0eXnKcwGij+weqP8GGvyBT6ZDCdItNXtEbvXMnYa05Aw7KM14QBG5mNT0A3iJrBUxeLTnO45/s2BjOh+vuA0LDHDI2DlmJaCn2/RqbHvPAXvWMJvcv2DZarY1DMpSepGDkV2bwNTZgqgF3URKlODpNLmyIuUvYwwUZawM97dtj8WQix3JabjffQP1TLIwNrD+ZM1GbQFRYTs0iRGQKH2CKtC/M8VQL64HpFoLgJ7t2hxiKrOw1vPcGAizdM5JYrrJma/Z6fF8sfwZ87dts1RO0lfg5PtbOxK6mQdNIJAV751GWNsWmHssVfTxkLYq6aKygbleF7ogKwuBRJvx8nalRRXQh0GOJDQKr/7XnObbFF91tG0s8S/qZN05T1WBXSsh8BBdXL1eDouRlsgoEZeN0zDe6kl8mjHQbVOLYJQrRjaD4L7Jq5VAj7V+Mk62WUHganvU3KfBpWgEuYewQFyBIBUEDI0HqJUGtPF7F88iHCDuXG7RX8ZVaPttV2SuuW+9v8WBngGXRKiaD9Aijl3QgqNoKg4i2FDjn/yv7+oPN0l+v3vDy+JNTTBwCBxw/ADMwDMH3Rbtb5fKocMrkXMS8ur9Z1oIUsEUzyAOCyYbCZnhCqtkhiSZE1IesJ4/fqX1ci5/AqNdmWRpWo/GrpSM0Z+fAGlzaRjEOlLkMFOy8+YzHkYcCtpj8zeHr8/jNGlYRAntS/fL3jgWA6Hc2aBpb3hYZCHn4s9nF5ujAoleFKJEvB/k2uGwMGS0lDp5Y5mV96GKN1Q=
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB3050EC4B8C23D6C3A902967789F79HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f9319d60-29fd-4407-5cff-08daeca7da07
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2023 09:58:08.7330 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hzrXjs5gyGFyHivQexM56mTXaqT8XQzUvIB9cAXT5DGZmXiYI4ttQxCMsLQGiguDAV6GyxNoma8uEPHVgumxOiz0ZPvYtwEglAT1ZtD2RPk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR07MB9639
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/Y-FJdZJfwlJru2uC0zvZYHHCudY>
Subject: [hrpc] FW: New Version Notification for draft-mattsson-tls-psk-ke-dont-dont-dont-02.txt
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2023 09:58:17 -0000
Hi, I would love to get some HRPC feedback on draft-mattsson-tls-psk-ke-dont-dont-dont. If somebody wants to help me driving this as a co-author that would also be very welcome. I am a very strong believer that key exchange without forward secrecy should be phased out everywhere. That is also Ericsson’s view. After Snowden, IETF certainly did talk the talk, but it does not always walk the walk. IETF is still producing new standards without forward secrecy and identity protection. I think forward secrecy and identity protection should be requirements for any future standards track documents. As Eric Rescorla wrote in a mail a week ago, nothing that HRPC says is able to bind the IETF at all. I think it would be good if more people from HRPC got actively involved in IETF work. In addition to the TLS 1.3 draft, I am also co-author of several other drafts with the aim of phasing out key exchange without forward secrecy. IETF needs to be a leading voice here. If IETF is accepting key exchange without forward secrecy and protocols without identity protection, it is very hard to phase out these things in other SDOs like 3GPP. https://datatracker.ietf.org/doc/draft-mattsson-tls-psk-ke-dont-dont-dont/ https://datatracker.ietf.org/doc/draft-ietf-emu-aka-pfs/ https://datatracker.ietf.org/doc/draft-ietf-ace-edhoc-oscore-profile/ Cheers, John From: internet-drafts@ietf.org <internet-drafts@ietf.org> Date: Friday, 30 December 2022 at 09:47 To: John Mattsson <john.mattsson@ericsson.com>, John Mattsson <john.mattsson@ericsson.com> Subject: New Version Notification for draft-mattsson-tls-psk-ke-dont-dont-dont-02.txt A new version of I-D, draft-mattsson-tls-psk-ke-dont-dont-dont-02.txt has been successfully submitted by John Preuß Mattsson and posted to the IETF repository. Name: draft-mattsson-tls-psk-ke-dont-dont-dont Revision: 02 Title: Key Exchange Without Forward Secrecy is NOT RECOMMENDED Document date: 2022-12-30 Group: Individual Submission Pages: 9 URL: https://www.ietf.org/archive/id/draft-mattsson-tls-psk-ke-dont-dont-dont-02.txt Status: https://datatracker.ietf.org/doc/draft-mattsson-tls-psk-ke-dont-dont-dont/ Html: https://www.ietf.org/archive/id/draft-mattsson-tls-psk-ke-dont-dont-dont-02.html Htmlized: https://datatracker.ietf.org/doc/html/draft-mattsson-tls-psk-ke-dont-dont-dont Diff: https://author-tools.ietf.org/iddiff?url2=draft-mattsson-tls-psk-ke-dont-dont-dont-02 Abstract: Massive pervasive monitoring attacks using key exfiltration and made possible by key exchange without forward secrecy has been reported. If key exchange without Diffie-Hellman is used, static exfiltration of the long-term authentication keys enables passive attackers to compromise all past and future connections. Malicious actors can get access to long-term keys in different ways: physical attacks, hacking, social engineering attacks, espionage, or by simply demanding access to keying material with or without a court order. Exfiltration attacks are a major cybersecurity threat. The use of psk_ke is not following zero trust principles and governments have already made deadlines for its deprecation. This document updates the IANA PskKeyExchangeMode registry by setting the "Recommended" value for psk_ke to "N". The IETF Secretariat
- [hrpc] FW: New Version Notification for draft-mat… John Mattsson
- Re: [hrpc] FW: New Version Notification for draft… Paul Wouters
- Re: [hrpc] FW: New Version Notification for draft… John Mattsson
- Re: [hrpc] FW: New Version Notification for draft… Eric Rescorla
- Re: [hrpc] FW: New Version Notification for draft… John Mattsson