Security of alternative handshakes

Watson Ladd <> Thu, 22 April 2021 04:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 62D0C3A08A7 for <>; Wed, 21 Apr 2021 21:11:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RaP5h-Rx-BmI for <>; Wed, 21 Apr 2021 21:11:41 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E9813A08B0 for <>; Wed, 21 Apr 2021 21:11:40 -0700 (PDT)
Received: by with SMTP id v6so65339548ejo.6 for <>; Wed, 21 Apr 2021 21:11:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=5r7x2CDL0ESYa2hO6w/5dmKKOnawuf/8cAOSGtgQWbs=; b=ASLG+7fVVy7dB/UK/2RRnpWx0Vnyay0eqIFCa+olTo79NVnXQRSMAfiuh+PMNEjyAM nMEZGWAzMFDfuEQ4+gXd/mIW/Fx6oTh0jIz6vuM/ZaxqxnqUF5W16fvrtA5aPe8RKkBy id3z7MgewJUg6AZ85Fy2VgnQC6UCJZN7lenapZABIlItYoIMNZLYaGVduM1XeD9ZcE+1 leraX6ooV+HiaKByeFgE9jXvRZB4Gg8p0w7aPbCEmxXKkbiuBemQqicezsNIseNerCWR s1cp6DZsMDUEmEEJrfLG2cYau4mCgT1iLvrW5fJoOpe/NU6fbMUrGFcxRBTgaAS1dEBh gZFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=5r7x2CDL0ESYa2hO6w/5dmKKOnawuf/8cAOSGtgQWbs=; b=GYER62hlqYpAJgG1im4JfSyzVNHQHvt6fCecffVCQB3a3uBc7MD3RljYT3v7/1CUXd EOpSBWsIBqjM8FEpamORKE0Qw5BNeiyAG3y6wglb7bP4gtxyfmbLBnP9bO2rZUcg8sQQ LoJAPP12FIPL7cJy2YP/SZH6DD24419cKMyQOUJPnxepciKcP54B1WSQBV54uXuHnBFa gIihLXaxmwBF7hVxji+rfzFDzAvgVQP5tJ9QwCGPB6+xKxUKnU0MuTsl/4IDlQvw/BhP iHBExz9i5CBfwKnxzWph/nV72F516iHKoINrecxBgevR/9NoCszRXebJDmB1wjyg6ZWZ 5+5A==
X-Gm-Message-State: AOAM530k51mfTapVe6+HfLvJWB3zXFuNY8+Fsf3iD4mk4tzMkfT317rN tt7YvbAekUcC5S9mKHOrTPfothjwPDe47SXW3eaQoJQGNPk=
X-Google-Smtp-Source: ABdhPJx3Y4o4D6GpMwaITAS9dDwyNsR9w1Wp5kEp+pmvx8Sg/qKHNTQOFGGVhAZEPNQYI0lAcQt5Rrxg3GW1zogpdyw=
X-Received: by 2002:a17:906:5619:: with SMTP id f25mr1116147ejq.393.1619064697520; Wed, 21 Apr 2021 21:11:37 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <>
Date: Wed, 21 Apr 2021 21:11:26 -0700
Message-ID: <>
Subject: Security of alternative handshakes
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Apr 2021 04:11:46 -0000

Dear WG,

After the meeting I was thinking through the security of version
negotiation and I realized that there is a wrinkle with the way TLS
and QUIC are layered, and proposals such as noise-QUIC. And that
wrinkle is that while TLS is secure, and noise-QUIC is secure, nothing
says that they are secure together when using the same PKI information
or negotiate well together. With TLS 1.3 we finally added domain
separation to what is signed, but one hopes protocol X does the same
but different.

The other wrinkle is that so far with TLS we've had a pretty uniform
idea of how transport parameters feed into the handshake, and thus
assurance that they are actually implicitly authenticated by the
finished messages and agreed upon. With an alternate handshake that
goes away.

Watson Ladd
Astra mortemque praestare gradatim