Re: [TLS] The future of external PSK in TLS 1.3

Carrick Bartle <cbartle891@icloud.com> Wed, 23 September 2020 17:52 UTC

Return-Path: <cbartle891@icloud.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B73E43A1321 for <tls@ietfa.amsl.com>; Wed, 23 Sep 2020 10:52:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.867
X-Spam-Level:
X-Spam-Status: No, score=-1.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkry-7srdaJy for <tls@ietfa.amsl.com>; Wed, 23 Sep 2020 10:52:34 -0700 (PDT)
Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com [17.58.23.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFFCC3A1318 for <tls@ietf.org>; Wed, 23 Sep 2020 10:52:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1600883553; bh=MG7dF28BOBEQqFqFj82E1/6JOcZI3wfMBFotSrqREOU=; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; b=tomyhlJ3uJjIH6skUJuAP8He94GXpvCl0W7ILm/75hz+h3QfdW14b4eYqGd5nT9iD cGmTT12VpIcjiadjuS1YFn3DOgt3zJ4n5nyimcjw8Dj3BFIGdvaK+vG1w76X1UzOKy YJwggLaQ150UWraAMEgVhGLTX6o5JV2GuSMRFPAuy4rBTG7PtZ9M/AYvPe2Ye7Imjd xa3qiXH0R3FjoHbBcDf/EsRFPbaqIRuO71dP34XpWC+ZrtaqS/UTr9H/k3f1IwNyrF Rnj+hHtIQlk4R/ZOtK+7ux68iTSz6NVZUvDbeVi9DEpRFJdTQmeJS92A/M9SvHTmCg VF0qD5Jpxzekg==
Received: from [17.232.175.92] (unknown [17.232.175.92]) by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPSA id E205D120A20; Wed, 23 Sep 2020 17:52:27 +0000 (UTC)
From: Carrick Bartle <cbartle891@icloud.com>
Message-Id: <3CCF8EE6-5EC2-4A6A-BA01-A5EEFFB6C9E0@icloud.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4CB004EC-B905-4363-9617-92230948D53B"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Wed, 23 Sep 2020 10:52:27 -0700
In-Reply-To: <AM0PR08MB371678103D9EEB89C9AA44C1FA380@AM0PR08MB3716.eurprd08.prod.outlook.com>
Cc: Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>, Filippo Valsorda <filippo@ml.filippo.io>, "tls@ietf.org" <tls@ietf.org>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
References: <77039F11-188E-4408-8B39-57B908DDCB80@ericsson.com> <1600516093048.75181@cs.auckland.ac.nz> <2f2ecb30-bef5-414a-8ff7-d707d773c7ea@www.fastmail.com> <FDD012C2-9B37-461D-BC81-854135EE994E@icloud.com> <AM0PR08MB3716861B782527DAB3C1EA1BFA3A0@AM0PR08MB3716.eurprd08.prod.outlook.com> <DF3B268F-2E80-4444-B643-D33BC0C7151E@icloud.com> <AM0PR08MB371678103D9EEB89C9AA44C1FA380@AM0PR08MB3716.eurprd08.prod.outlook.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-23_13:2020-09-23, 2020-09-23 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 mlxscore=0 mlxlogscore=990 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2006250000 definitions=main-2009230135
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/14fD7UCXt3Ljk5KiOTxuew42YYg>
Subject: Re: [TLS] The future of external PSK in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 17:52:37 -0000

I didn't mention SCADA at all. Did you mean to address this question to Filippo or Peter?


> On Sep 23, 2020, at 4:49 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
> Hi Carrick, 
>  
> you note that SCADA is a pretty specific use case. SCADA sounds specific but TLS is used widely in the IoT market. It is even used in devices that use smart cards, which use TLS with PSK to protect their provisioning protocol.
>  
> I am worried that marking a ciphersuite as N with the meaning that it "has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases" is hard for readers to understand which of these three cases were actually the reason for marking it as “N”. The "has not been through the IETF consensus process" will scare off many people.
>  
> For most people the web is the generic case and everything else is a “specific use case”. Sure, the web is very important but TLS is a generic protocol used in many environments.  
>  
> I don’t understand John’s motivation. The LAKE group makes a decision to remove PSK support. That’s good for them. Does this imply that the TLS group also needs to make the same decision?
>  
> Ciao
> Hannes
>  
> From: Carrick Bartle <cbartle891@icloud.com> 
> Sent: Monday, September 21, 2020 6:19 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Cc: Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>rg>; Filippo Valsorda <filippo@ml.filippo.io>io>; tls@ietf.org
> Subject: Re: [TLS] The future of external PSK in TLS 1.3
>  
> Can you justify your reasoning? 
>  
> Which part?
>  
> 
> 
> On Sep 21, 2020, at 2:22 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote:
>  
> Hi Carrick, 
>  
> Can you justify your reasoning? 
>  
> The challenge I have with the work on IoT in the IETF that the preferences for pretty much everything changes on a regular basis.
>  
> I don’t see a problem that requires a change. In fact, I have just posted a mail to the UTA list that gives an overview of the implementation status of embedded TLS stacks and PSK-based ciphersuites are widely implemented.  
>  
> Ciao
> Hannes
>  
> From: TLS <tls-bounces@ietf.org <mailto:tls-bounces@ietf.org>> On Behalf Of Carrick Bartle
> Sent: Monday, September 21, 2020 5:31 AM
> To: Filippo Valsorda <filippo@ml.filippo.io <mailto:filippo@ml.filippo.io>>
> Cc: tls@ietf.org <mailto:tls@ietf.org>
> Subject: Re: [TLS] The future of external PSK in TLS 1.3
>  
> I'm also fine with marking psk_ke as not recommended to be consistent with the non-PFS ciphers, but there are plenty of valid use cases that justify keeping dhe_psk_ke as recommended for external PSKs. Several of these use cases are detailed in draft-ietf-tls-external-psk-guidance-00.
>  
>  
>  
> On Sep 19, 2020, at 9:00 AM, Filippo Valsorda <filippo@ml.filippo.io <mailto:filippo@ml.filippo.io>> wrote:
>  
> 2020-09-19 13:48 GMT+02:00 Peter Gutmann <pgut001@cs.auckland.ac.nz <mailto:pgut001@cs.auckland.ac.nz>>:
> John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org <mailto:40ericsson.com@dmarc.ietf.org>> writes:
>  
> >Looking at the IANA TLS registry, I am surprised to see that psk_dhe_ke and
> >especially psk_ke are both marked as RECOMMENDED. If used in the initial
> >handshake, both modes have severe privacy problems,
>  
> PSK is used a fair bit in SCADA.  There are no privacy problems there.  So
> just because there's a concern for one specific environment doesn't mean it
> should be banned for any use.  In particular, I think if a specific industry
> has a particular concern, they should profile it for use in that industry but
> not require that everyone else change their behaviour.
>  
> Indeed, if the SCADA industry has a particular need, they should profile TLS for use in that industry, and not require we change the recommendation for the open Internet.
>  
> Setting Recommended to N is not "banning" anything, it's saying it "has not been through the IETF consensus process, has limited applicability, or is intended only for specific use cases". SCADA sounds like a pretty specific use case.
>  
> I don't have a strong opinion on psk_dhe_ke, but I see no reason psk_ke wouldn't be marked N like all suites lacking PFS.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
>  
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
>  
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.