[saag] IETF 120 TLS working group report

Joseph Salowey <joe@salowey.net> Thu, 25 July 2024 00:59 UTC

Return-Path: <joe@salowey.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F011AC1E7245 for <saag@ietfa.amsl.com>; Wed, 24 Jul 2024 17:59:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yCoztDClL2Yl for <saag@ietfa.amsl.com>; Wed, 24 Jul 2024 17:59:04 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AB89C1EBF45 for <saag@ietf.org>; Wed, 24 Jul 2024 17:59:04 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2f0271b0ae9so4298131fa.1 for <saag@ietf.org>; Wed, 24 Jul 2024 17:59:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1721869142; x=1722473942; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=t1WgN8jMEVDPt+VhkLANQtWBR3PdTVTJMGWj71LGogc=; b=VKkrU2mlYfwlVgqDdPiGDJ+A9QgT6WWTXMzF0fTFe3ZM/Ykd/sDNEt+ky5itGjpbof 6j08q/u6CexvWXn3J3Z269H5xR/SBtocqy9uZYrj1/pnpLY0NBKwCpjYC8TbpcJ828n5 FLSk2IBqsfeULLRJ5H6rRLx8IBjme8V1yhxc9Aq1xyN37uPB1LMJ/ApO1Ry4fy/VGGHJ p2boxjqlCo+CRkgWEJymNxES2kc27W6d+cbLXFvJPmcKRZpLHlwLIToVGPWM6VFySGk1 Nn/gxU/G5I9Fjt9KEiZLEhZ1Auh5ZNpBwctfOaskKhggygRiCZ7fk2t9OqVWApuLIpjK DupA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721869142; x=1722473942; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=t1WgN8jMEVDPt+VhkLANQtWBR3PdTVTJMGWj71LGogc=; b=lh9/lbhBqZyErLcwWk3MuoMcxjQgd5C5+8oTCye6BOWPwVkRI/A4DXOd1j6B31KN80 1KBGA2BZ224XsDhNsWqhORG6pUFBX5rwhdK2nuqZaivEGRu5VUZFAb5ny5HRmoKZTJs+ w3tfO3lXEAV+xW4Af6HxDHQ2tx9Jo4ol50N2KCn08zLQOQdy1iSySSRozcIyntWHXZSD x4EelnNSqsMzI6nnhFnLwfP60cLgj4drdN5mxXf17KuYrBIjqr/qGh1AcCP2hT+bX04U tvmdVfbHSYRMvPYBdQ2qjhUZpVKXO1ssx16UND39VFLDXbfHnKH66l+kog49B7R0mLu5 9M0A==
X-Gm-Message-State: AOJu0YyU0nD4e2yILZDOwk76vdV9J4B6Y1nD8TzdxVbco0nLcgGxK0dl hi23x2VBNA9zDowm+vazpAsYOlnpGU886Ic4bZIKaRLvmLn8H6jkvuVPK9dF518OCIoM5IYPGDk wYnVN+OX77D9eG7a0SdXuRTNaEbxRck+HfoolOGkwo5hPkFs/9xs7c+O7q20=
X-Google-Smtp-Source: AGHT+IETnt/DTAb5AVGn96CWgmmmxMh6B19Fe8wJu2kbmZyOFFrYgfKzSsNYH37eAPhbVH/ilumhBkalFKAohscick8=
X-Received: by 2002:a2e:be0c:0:b0:2f0:3cff:30ce with SMTP id 38308e7fff4ca-2f03cff31ccmr3747211fa.0.1721869141632; Wed, 24 Jul 2024 17:59:01 -0700 (PDT)
MIME-Version: 1.0
From: Joseph Salowey <joe@salowey.net>
Date: Wed, 24 Jul 2024 17:58:50 -0700
Message-ID: <CAOgPGoBMWF3coHGOwry-E8Pr9ZkCCFCLrZSzM8x96i8hSyJbLw@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="00000000000089861c061e07e68f"
Message-ID-Hash: NDTRIK2ZX4ALIRL65HNPIAKUXDZGZSOV
X-Message-ID-Hash: NDTRIK2ZX4ALIRL65HNPIAKUXDZGZSOV
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [saag] IETF 120 TLS working group report
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nuW7-9IHqinuo9Ct2keNVHFh1GM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

TLS met on Wednesday afternoon. We had some discussion on both Pure KEM PQ
and hybrid KEM PQ key exchange for TLS. It seems like there is support for
also defining a pure KEM approach, but there is some decisions that need to
be made on whether the general mechanism and specific KEMs are defined in
one or two documents. There was consensus in the room not to try to update
the MTI in 8446 bis. We had some discussion on the requirements and process
for the formal analaysis triage panel for tls. The current process needs
more refinement. The mechanism for ECH configuration continues to evolve
and there was a question whther it should be made into a general mechanism.
Presentation on SSLKEYLOG for ECH and Extended Key Update received some
interest. We finished of with a discussion of improving trust store
negotiation for TLS. Two mechanisms were proposed: Trust expressions and
Trust Achor IDs. The group seemed to favor trust anchor IDs, but there is
still a contingent of the group who don’t like the general idea.