Re: [netconf] TLS 1.3 and pre-shared-keys and raw-public-keys (was: More complications)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 07 July 2021 19:29 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 704D83A259F for <netconf@ietfa.amsl.com>; Wed, 7 Jul 2021 12:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.896
X-Spam-Level:
X-Spam-Status: No, score=-11.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=kYmnTL5f; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=FT9/7eOK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nCt_wf7ytcs for <netconf@ietfa.amsl.com>; Wed, 7 Jul 2021 12:29:52 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52EC63A259E for <netconf@ietf.org>; Wed, 7 Jul 2021 12:29:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7722; q=dns/txt; s=iport; t=1625686192; x=1626895792; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=8GgkmuKPvJ3kN3kgAL0jBXVr6XUM7gP4HyzBWFGaq9Q=; b=kYmnTL5fEEwPysTqFbWnqNZ4a3y5TAFxvsnMfX90j7oCVMZfX1xtNNca /kDa9tQiNupRg2DV+IaEZVXcYaXhwbfUtPoBn4ANlpaHYnIx7M0hL6KW2 RYvJGaQ+bUabfVwQi3ssJAZ+MkWD/LWA3Gi/Vsxf3AaUI6IJrJ/+OKyUC 8=;
IronPort-PHdr: =?us-ascii?q?A9a23=3AJeozph8l0rxCP/9uWD3oyV9kXcBvk6r9IhUY7?= =?us-ascii?q?Nwhhq4dOqig/pG3OkvZ6L0tiVLSRozU5rpCjPaeqKHvX2EMoPPj+HAPeZBBT?= =?us-ascii?q?VkJ3MMRmQFzH8eZEkD9avjnc39yEMFLTlQw+Xa9PABcE9r/YFuHpHq04HYSF?= =?us-ascii?q?xzzOBAzKP7yH9vZjt+80Ka5/JiACzg=3D?=
IronPort-HdrOrdr: =?us-ascii?q?A9a23=3AUn2b7qMzM7RFS8BcT0f155DYdb4zR+YMi2?= =?us-ascii?q?TDiHoRdfUFSKKlfp6V88jzjSWE9wr4WBkb6Le90dq7MA3hHPlOkMgs1NaZLU?= =?us-ascii?q?fbUQ6TTL2KgrGSuAEIdxeOk9K1kJ0QD5SWa+eATWSS7/yKmjVQeuxIqLLsnc?= =?us-ascii?q?zY5pa9854ud3AWV0gK1XYeNu/vKDwPeOAwP+tBKHPz3LsimxOQPVAsKuirDH?= =?us-ascii?q?gMWObO4/fRkoj9XBIADxk7rCGTkDKB8tfBYlul9yZbdwkK7aYp8GDDnQC8zL?= =?us-ascii?q?6kqeuHxhjV0HKWx4hKmeHm1sBICKW3+4oow3TX+0OVjbZaKvq/VQMO0aeSAZ?= =?us-ascii?q?ER4YDxSiIbToBOArXqDzmISFXWqlLdOX0Vmg7fIBej8AveSIrCNWgH4w4rv/?= =?us-ascii?q?METvMfgHBQ4e2UmZg7rF6xpt5ZCwjNkz/64MWNXxZ2llCsqX5niuILiWdDOL?= =?us-ascii?q?FuIoO5gLZvtH+9Kq1wVx4SKbpXZ9VGHYXZ/rJbYFmaZ3fWsi1mx8GtRG06Gl?= =?us-ascii?q?ODTlIZssKY3jBKlDQhpnFoiPA3jzMF7tYwWpNE7+PLPuBhk6xPVNYfaeZ4CP?= =?us-ascii?q?0aScW6B2TRSVbHMX6UI17gCKYbUki95qIfII9Frd1CXaZ4g6fatK6xJW+whF?= =?us-ascii?q?RCDX4GU/f+rqGj2iq9NFmAYQ=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0C8CgAdAOZg/5tdJa1RCR4BAQsSDEC?= =?us-ascii?q?DLCkoB3daNzGESINIA4U5iFsDj2SKQ4FCgREDVAsBAQENAQFBBAEBhFMCF4J?= =?us-ascii?q?eAiU4EwIEAQEBEgEBBQEBAQIBBgRxE4VoDYZFAQEBAwESEREMAQE3AQQHBAI?= =?us-ascii?q?BBgIRBAEBAQICJgICAjAVCAgCBA4FCBqCUIJVAw4hAYwqjzQBgToCih96gTK?= =?us-ascii?q?BAYIHAQEGBASFHhiCMgmBECqCe4QOhUKBHyccgUlEgRQBQ4JiPoQYEgIGFBU?= =?us-ascii?q?PgnE2gi6CM2MFPypDDyECDTcrBwgUHA4nAwsZBQkBAgIHLwKMDIRvg2ynbQq?= =?us-ascii?q?DIZdLhnYSg2OLSZcFmBSdMkeEZgIEAgQFAg4BAQaCPiSBWXAVO4JpUBkOjh8?= =?us-ascii?q?MFoECAQgCgkGKXnMCNgIGAQkBAQMJigZfAQE?=
X-IronPort-AV: E=Sophos;i="5.84,221,1620691200"; d="scan'208";a="910017350"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 07 Jul 2021 19:29:50 +0000
Received: from mail.cisco.com (xbe-aln-002.cisco.com [173.36.7.17]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 167JToiM019377 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 7 Jul 2021 19:29:50 GMT
Received: from xfe-aln-005.cisco.com (173.37.135.125) by xbe-aln-002.cisco.com (173.36.7.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Wed, 7 Jul 2021 14:29:50 -0500
Received: from xfe-aln-001.cisco.com (173.37.135.121) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Wed, 7 Jul 2021 14:29:49 -0500
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-001.cisco.com (173.37.135.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Wed, 7 Jul 2021 14:29:49 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ABdp7+K2l6/zjdyXV41t7anFHg26sRg4zGld9atIipuJckjnQ6aYn7u7bThIwkWjzL8u33e86vN5OuV47UO4e/nYY7carrBk+xXwLdpoqkt0LCtB5TrMLUkyuJ3sCMGm2jBek1XXbJZkisDVovp0q6dzsCsCyZAuOrxNTwrdGK4j8bz4SxPI286Z2S7vQH+h/xkisgPeVSNrgMzNfSkM9/AkOQtQN7+ZPPwO9yYCMCgAFM3/aSNieVjE2aU2fGC0LQzM0GyLWcUU0akT01Mzp0hNU8qqzlH7j8jOoOU1lSYf3N6qpbPeVFnPrCiiJaqAjeiqruSIyHJWB710+CqyXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8GgkmuKPvJ3kN3kgAL0jBXVr6XUM7gP4HyzBWFGaq9Q=; b=QgwmrjY9wTMKUwh0/PyHdHISP+bvM8LjdY7fwl9zuGApQ5yr/mc8MShbPjR8Zs0ZD/n0BE3pfGxikVWU6mdei+kDHHhDh7ncFf+FnPRhwMQjldPC66XZYLk2hfM8SMcuysYr/i142EFZctqcKdIVF6C2DahkYMMtDuXU+MdUskWq0ZWAfZVYd2a3eWTRNHGnlKVtjH/2P8gS0JlVBYtXzQlrttP+fZZBfjgx8d0yDR/a3edp/hh7UxY/5ehARASikAxFMuzmrStYRE90i7g0LBnqWInod2xePudGWwiwJIZ7nnOWhYBw6R6pt4hVKKE/xF4notcUO3wgQK9bigeb9g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8GgkmuKPvJ3kN3kgAL0jBXVr6XUM7gP4HyzBWFGaq9Q=; b=FT9/7eOKRiZfhAd9vHVTDWfJQpYk79WR3nl51UCeOffC4StltAd0fXWxZIQ/dwQP7ccqYaxzEoqA6ZcORLdEfr0RCGFAix7iqDVGHkFpSodG+wQ2NUhIO5ESIpTavJd3jP6MdqA1FPtm03U6NzvY6aVw1/SBgAWEL/n1YQrqzJw=
Received: from DM4PR11MB5438.namprd11.prod.outlook.com (2603:10b6:5:399::21) by DM4PR11MB5392.namprd11.prod.outlook.com (2603:10b6:5:397::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4287.32; Wed, 7 Jul 2021 19:29:48 +0000
Received: from DM4PR11MB5438.namprd11.prod.outlook.com ([fe80::a85a:cb8b:2d73:5e12]) by DM4PR11MB5438.namprd11.prod.outlook.com ([fe80::a85a:cb8b:2d73:5e12%6]) with mapi id 15.20.4308.021; Wed, 7 Jul 2021 19:29:48 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, tom petch <ietfc@btconnect.com>
Thread-Topic: TLS 1.3 and pre-shared-keys and raw-public-keys (was: More complications)
Thread-Index: AQHXbYzb4eDciFU2RE+Tnfvb6yRaK6s3w+QAgAARzAA=
Date: Wed, 7 Jul 2021 19:29:47 +0000
Message-ID: <DM4PR11MB543800E8C42C8558D311819EB51A9@DM4PR11MB5438.namprd11.prod.outlook.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com> <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a5bdc371-b665451f-61d4-4364-9d55-e9369f3adc8e-000000@email.amazonses.com> <AM7PR07MB6248BBDEECB1134C56426F73A0239@AM7PR07MB6248.eurprd07.prod.outlook.com> <0100017a0aebfbf3-9e9c22e8-da12-4364-a572-8ce7fd43bf0f-000000@email.amazonses.com> <AM7PR07MB6248E24C8235FBD8573017C8A0309@AM7PR07MB6248.eurprd07.prod.outlook.com> <540b31e5-10a6-495f-cf44-820adb6213b3@sit.fraunhofer.de> <0100017a5987fa69-bb2b90f9-bdd5-44f7-935f-38c568121eeb-000000@email.amazonses.com> <AM7PR07MB624846BC347949725F339706A0019@AM7PR07MB6248.eurprd07.prod.outlook.com> <0100017a81dc358e-7a272368-3503-4b34-80c8-49bafb6d8694-000000@email.amazonses.com>
In-Reply-To: <0100017a81dc358e-7a272368-3503-4b34-80c8-49bafb6d8694-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d9a671cb-c21a-49b7-b7e4-08d9417d955b
x-ms-traffictypediagnostic: DM4PR11MB5392:
x-microsoft-antispam-prvs: <DM4PR11MB53926AB59AFAE7A2DB2569BCB51A9@DM4PR11MB5392.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Fvb7h5k2UM7PwuhPVu1ls454sfNG5hpC88gD06dtfJJzN3WbqpJrSJ2GM5XfL5GpVpibmHMndpIvc58WVi5BeEHlvs1JPiM6c2B6bdsjbgwuDY0hs7EgB6NepAbDGPyftlLCpbkRbVgJO8f3vLHF4loowdYMCBwpq3ggIFWWY7TJnKb+sUzHYVzOx1dro+k6xJeRk/HuIUpz5OjXvMYO15F/RAHqFbHmoekofQAbZ1OtQahyBEbaybB2GDvVdAHzwSPU2CG/OWhurdvUrlGLRShGbNo8YkJ9P8LQyBTdjlUCMZ5DgVvWZcqCX5YWODquXmMBktK8woHWLhU5nyCpR3LpTaI4reTPbZEXEccBfanQKSczmpDTFccHAYvA25/OvAXJcg6oFvufo+d1VzngpTINzuKUO8SFozoB+NHRoDehE2JznprHvj4AY7IdupGQ8JElEMOtM/PqVWYyFqjn09vFF8jIzfwRv3rijFw1zy29zgz6WTl5k0NYxEAYpp4FOwpJMFqsi8z23s60z5AEBreFPtoyKNXOg0vI/aBdkzYLhjZwOUandUxMY/KFKWNsPfFmE92VsADtYgP2bnczH0PexNXrnjmrQpX7DP3JocRVFrWxgmg+CSZkjp4eUl11C+0Qw/OdFOZRMPTx8/4L6Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5438.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(39860400002)(366004)(346002)(396003)(136003)(55016002)(52536014)(186003)(8676002)(478600001)(122000001)(7696005)(71200400001)(86362001)(9686003)(66946007)(8936002)(4326008)(33656002)(54906003)(83380400001)(26005)(6506007)(316002)(66556008)(76116006)(38100700002)(66476007)(5660300002)(53546011)(66446008)(2906002)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?ek9jRXhvMHNDSlNOQ3l3L0hIa3Q2QThGS2gzVzhzVUQxOVVvK1MreWxFV2Y3?= =?utf-8?B?N1kyd2dtRjVlb3NjYU5DN3ZVOEsvU0t1emFxQUEzNjVKeHdOVisyT2lPWHl4?= =?utf-8?B?RDhGbWxBYlNNVkk1clBDMVhBZEJqeG45dlZJcGxQenozVzYvZk14alcvdkdS?= =?utf-8?B?cEpvdGhISU95WDlzMVgxNHU4K05jV1dPREJDU3hnOUFlYjZYTCtNTTN5QXov?= =?utf-8?B?VmJoQTZVeGhxaEQyZHNYcGZ6c0lGN2hEYWtPRm5PdFhOOFBFS0ZxQll4aGNm?= =?utf-8?B?MUFYMWp0NGlJODdGSmdDVENyQUJ2WCtFWjJUT2lhelc2S1FTWU5DUStzKzJx?= =?utf-8?B?azc2V2NBdk9iMGVlaDBZc0krZG9ReCtKUWFyU3lFRGtuWXowQ0dSR2h2d0hP?= =?utf-8?B?MWhPTHJGM2VOd2twU0hkbXRvZkdEekVaNHg2SHF0MHg2OWt2N2hVU1VFNm4z?= =?utf-8?B?MFBLNVRYRmdsRWxXeTN5OSthSCtEYVJIRThpTTV5UFlPZ2VoSmM4cUxKMVdw?= =?utf-8?B?R05TS2VNeFErSVFUWGpjNXRYeDQvMytuUTR1Z0E5YUhBZmZObGtLeDIyY1pR?= =?utf-8?B?UVc0Zk5WRU1JczBkNHBidVcyM3FWTjVOeEluNDgwZnU2RVpzZWwwb01oVWdP?= =?utf-8?B?bTRSVGtwYVJncUpZSXlXUFRvWnptSTg3dXkrNEFlUUpYMGQ0R2tJK1crNFVP?= =?utf-8?B?eTA3bkI0WHVZdEZuUk1ieThKbnV2WnYrYnRKMkU0OTJLZlNnbVRNcTNXdlNO?= =?utf-8?B?aXVRWkRkemY0Ni96RWFSNkQ5UUJLY0dNMWxrSzh5QWIxSkxuMjZxRk54MHdN?= =?utf-8?B?alNLekY2S01GejlwL0lWSyt4S1p6RFFBVWZUVEdUTk9tVTZrOTI2TmxwUU1p?= =?utf-8?B?Z2ZIa1QyQ2trYTkrRDV3S01oTGtHNVZTT2NqZ3NRczhtNVBaWTMzV1ZldzFY?= =?utf-8?B?d2V6ZklqYUNxNks3dGJCcmpzZzEvbXhjOG54cDhsTDhzK1BRV1MvZ3pLenlz?= =?utf-8?B?WStzdUdLUFBFb2ZUWTYzNU1NVDhjbmkwOGxmMnYyWURIVUtLaFRGRkdSbnJ6?= =?utf-8?B?aW81QWp4Ym9xaFZwS2ZCQ3pGZjc0KzI1QnB5YjE1dXJHeVAwNjFmMnI5U0h4?= =?utf-8?B?ckh1RTRESnRCR1VURzFOa3R5QlhteGpUUzUwL3dXTzdWaDBlUVhSRGJRRW5J?= =?utf-8?B?VzdlSzRwalRBaTh4N0NkMkk3S0hkMmJlSTZCaFhnbENvRUs1YlU3UGZUNVNX?= =?utf-8?B?eDZhaDFFbkVFYmloWVV4TUhhRW41REQxTEdlT25Sb2oxOHhRNG9EdmtoZ05R?= =?utf-8?B?dzNDbTIzRHZCek5JZWJ5RDZsdU1DVUprYWRKSlNIbzExbENYTXRLUXlRMHlK?= =?utf-8?B?cFJjckswc0VmT1k2KzEvcnpkMDJKZjZiOVFsSC9ZbUtxaFpaMmxOSDZzWkE4?= =?utf-8?B?RjVJQi9YYlFHYWxYR0VuL09RVFpGNHNPajBuRklpcTBxaHFwUy9KY1FiWExi?= =?utf-8?B?dkw5Ri94UzZUVzZUY2FkdGdVVlY3R05SMTZSM2c2SURNUHMxcmlUTnN6NmFy?= =?utf-8?B?VUVPUzZsNERDYXRITjd5K2RiSFpBUm92amJJQkdNRXE4d1A0empLRmh4NGo0?= =?utf-8?B?amtNUi9aSkVFVVVFWUZHODhoM2tSNGJtL1hRenpuRXMzZnN4c3NYN1FmZHBu?= =?utf-8?B?S0k0TlJoUTBTUFpVbFB4NHhpYkFhaldHOWRIRDZMNmxDazNSN0FpbjJKbXNP?= =?utf-8?Q?zL9yf+F4rRkscyhq/6CyNWUZ+qtuFcggfXSrmnU?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5438.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d9a671cb-c21a-49b7-b7e4-08d9417d955b
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2021 19:29:48.0705 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BbxLOReNLEpA7iIkNaiGGPRUQ2VsTM1kKEbTpmBe3MqxEvAevqACkVA185asGW8ioEHJLouqguVs1Pa3G8/lig==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB5392
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.17, xbe-aln-002.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/god2TazhH_ROvAsNYfMdZjGjfNw>
Subject: Re: [netconf] TLS 1.3 and pre-shared-keys and raw-public-keys (was: More complications)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2021 19:29:59 -0000

Hi Kent,

I think that the short answer is (1).

I've looked through the thread, but I'm not sure that I fully understand the implication of putting it in, or leaving it out.

If this is something that will take a couple of weeks to resolve then I think that delaying a couple of extra weeks to get the structure right is okay.

But if this will take longer to sort out, and it can be easily added in using augmentations then I don't think that we should delay this work further, even if it requires a bis in 6 months time.

Regards,
Rob


-----Original Message-----
From: Kent Watsen <kent+ietf@watsen.net> 
Sent: 07 July 2021 17:46
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: netconf@ietf.org; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>de>; tom petch <ietfc@btconnect.com>
Subject: Re: TLS 1.3 and pre-shared-keys and raw-public-keys (was: More complications)

Hi Rob,

As AD, please advise.  Before the draft-submit window closes, should I:

1) post the suite of drafts with this open issue pending?
2) post the suite of drafts with support for pre-shared-keys and raw-public-keys removed?
3) not post an update to these drafts?

Regarding #2, I don’t think anyone in our WG cares about pre-shared-keys or raw-public-keys.  They were only added by request.  I appreciate us wanting these modules to be useful to groups other than our own, it’s beginning to affect our ability to finish our work.  If the support is removed, it would be removed only in ietf-tls-* drafts (not crypto-types, truststore, or keystore) and thus could be easily added back in by a future effort or proprietary augmentations.

K. // contributor 


> On Jun 30, 2021, at 4:49 AM, tom petch <ietfc@btconnect.com> wrote:
> 
> From: Kent Watsen <kent+ietf@watsen.net>
> Sent: 29 June 2021 21:48
> 
> [tweaking the Subject line]
> 
> Hi Henk,
> 
> I just realized that I never replied to your question below regarding urgency.
> 
> It would be good to get a high-level response ASAP so that a quick-patch can be made that will pass the eminent SecDir review.
> 
> A more thorough response would ideally be "ASAP" also, but it is the case that this draft will remain open while a couple other drafts go through WGLC, so the hard-stop window is a few weeks out yet.
> 
> <tp>
> On IoT, there is an I-D on this 
> draft-ietf-uta-tls13-iot-profile-01
> which looks comprehensive and includes a statement about a plain PSK-based client but I am not clear that this covers the options.  It does cater for authentication by certificate followed by resumption with PSK with warnings about early data (which may be strong enough for a Security AD) but seems to skate over the case where no certificates are involved, in particular it makes no reference to the two TLS I-D about the use of PSK without certificates.  My understanding is that you need those two I-D to make PSK without certificates work and so the I-D is incomplete.  That apart, I think that it is the sort of TLS1.3 profile that the TLS WG expects to see for every application that uses TLS1.3 e.g Netconf must do something similar one day.
> 
> raw-public-keys are, to me, different, TLS1.3 simply treats them as another kind of certificate (although the UTA I-D does not) and so does not create similar issues.
> 
> Tom Petch
> 
> 
> Thanks,
> Kent
> 
> 
>> On Jun 15, 2021, at 7:53 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
>> 
>> Hi all,
>> 
>> a fellow IETF'ler poked me to pay attention to this thread. Sorry for the latency.
>> 
>> Hm - dropping PSK support for TLS 1.3 seems to be leaving a bunch of implementations in the IoT space behind that are inching towards migration, currently.
>> 
>> How urgent is this? I can certainly massage the current YANG module, but (in theory) I am occupied by another SDO meeting this week.
>> 
>> Viele Grüße,
>> 
>> Henk
>> 
>> 
>> On 15.06.21 13:36, tom petch wrote:
>>> From: Kent Watsen <kent+ietf@watsen.net>
>>> Sent: 14 June 2021 15:27
>>> [CC-ing Henk, to whom a question is directed to below]
>>> Hi Tom,
>>>> Top posting a new and different issue.
>>> Thanks for updating the subject line.
>>>> server case psk references ServerKeyExchange and psk-identity-hint neither of which exist in TLS1.3.  The client sends an extension PreSharedKeyExtension which contains a list of identities from which the server selects one as selected-identity for which the identifier is uint16 indexing into the client's list. RFC8446 s.4.2.11.
>>>> 
>>>> The client description also needs amending.
>>>> 
>>>> TLS1.2 was extended to use tickets in this area to aid session resumption; these have now gone and been replaced by this extension.  I would not suggest adding support for tickets.
>>>> 
>>>> As I may have said before, TLS 1.3 is different.
>>> Henk, could you help with these edits?   Support for PSK and raw public key were added to draft-ietf-netconf-tls-client-server per your request and, if memory serves me, didn’t you help me with the YANG update too?   I suppose what is needed is a either a “choice” statement (with cases for 1.2 and 1.3) *or* sibling-container statements (in case it’s necessary both are configured in case, e.g., the client sends one or the other)...
>>> <tp>
>>> Or else drop support for PSK with TLS1.3 at this time because too little is known about it outside the use for HTTP.  I am starting to see I-D about how to use TLS1.3 with application X, even for HTTP,  and I think that such an I-D will be needed for many applications with or without PSK.
>>> Tom Petch
>>>> Tom Petch
>>> Kent
>