Re: [quicwg/base-drafts] Use the same KDF regardless of TLS version (#2034)
Martin Thomson <notifications@github.com> Thu, 22 November 2018 22:34 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10E38130E7E for <quic-issues@ietfa.amsl.com>; Thu, 22 Nov 2018 14:34:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Level:
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3uGrEpSkx6BW for <quic-issues@ietfa.amsl.com>; Thu, 22 Nov 2018 14:34:33 -0800 (PST)
Received: from out-4.smtp.github.com (out-4.smtp.github.com [192.30.252.195]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 406C812D4EF for <quic-issues@ietf.org>; Thu, 22 Nov 2018 14:34:33 -0800 (PST)
Date: Thu, 22 Nov 2018 14:34:32 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1542926072; bh=Ib3q6wRZ1GjN825g4nmC5dOg5nDPGMH5s/dkEj77oa0=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=oBYXwnrh16mjkJOGYfGnWD1p1kMmzD85ATrKtnw9gwgs1edUTFZycarl/+w7SQybU +dVeGo13DKMnZdnhI+rWfMVjJBeeiaymQNOib+658SwLH0K+IycbuLDUeSSJCYXqbA MopKnN8w/+YReHkeYi/LU0VmRaKMrJxe8PMPZPzA=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab02a54074a650ba4c514ccc82a3117ca32cd8156892cf00000001180ef0f892a169ce16d3c410@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2034/c441129242@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2034@github.com>
References: <quicwg/base-drafts/pull/2034@github.com>
Subject: Re: [quicwg/base-drafts] Use the same KDF regardless of TLS version (#2034)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bf72ef83c1d2_2ebb3ff0572d45c41105a7"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/aO6a1gavnAupgzmZGk8v10n_Fa8>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2018 22:34:35 -0000
The intent was always to permit negotiation of newer TLS versions. That's an easy fix. However, this discussion goes to the core of what the interface between QUIC and TLS is. The stream0 contract, as I understood it, was that TLS would pass secrets to QUIC. This is why we changed so that the invasive change to the TLS KDF was not allowed. QUIC is responsible for taking those secrets and turning them into keys and IVs. It seems like people are arguing here that the TLS KDF is also part of the contract. As an implementation convenience, that's fine, but I don't think that's a good idea. It means that we have inconsistent use of KDFs within QUIC (TLS 1.3 for initial keys, TLS X for other keys), and it means that the API contract is tighter. If your QUIC stack wants to use the TLS KDF, that's fine, but this binds the call to the negotiated TLS version. You can't just call `tls13_kdf(secret, label, L)`, you have to build `tls_kdf(tls_socket, secret, label, L)`, AND you still need the other API for initial secrets. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/2034#issuecomment-441129242
- [quicwg/base-drafts] Use the same KDF regardless … Martin Thomson
- Re: [quicwg/base-drafts] Use the same KDF regardl… Kazuho Oku
- Re: [quicwg/base-drafts] Use the same KDF regardl… Martin Thomson
- Re: [quicwg/base-drafts] Use the same KDF regardl… Kazuho Oku
- Re: [quicwg/base-drafts] Use the same KDF regardl… MikkelFJ
- Re: [quicwg/base-drafts] Use the same KDF regardl… Martin Thomson
- Re: [quicwg/base-drafts] Use the same KDF regardl… Kazuho Oku
- Re: [quicwg/base-drafts] Use the same KDF regardl… MikkelFJ
- Re: [quicwg/base-drafts] Use the same KDF regardl… Martin Thomson
- Re: [quicwg/base-drafts] Use the same KDF regardl… janaiyengar
- Re: [quicwg/base-drafts] Use the same KDF regardl… Marten Seemann
- Re: [quicwg/base-drafts] Use the same KDF regardl… Alessandro Ghedini
- Re: [quicwg/base-drafts] Use the same KDF regardl… Martin Thomson
- Re: [quicwg/base-drafts] Use the same KDF regardl… ekr
- Re: [quicwg/base-drafts] Use the same KDF regardl… Martin Thomson
- Re: [quicwg/base-drafts] Use the same KDF regardl… MikkelFJ
- Re: [quicwg/base-drafts] Use the same KDF regardl… MikkelFJ
- Re: [quicwg/base-drafts] Use the same KDF regardl… MikkelFJ
- Re: [quicwg/base-drafts] Use the same KDF regardl… ekr
- Re: [quicwg/base-drafts] Use the same KDF regardl… Martin Thomson