Re: [TLS] WGLC for draft-ietf-tls-tls13-cert-with-extern-psk

Christian Huitema <huitema@huitema.net> Thu, 23 May 2019 20:56 UTC

To: Russ Housley <housley@vigilsec.com>
Cc: IETF TLS <tls@ietf.org>, Joe Salowey <joe@salowey.net>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <797055dd-15ac-53e8-4024-b3b3191fc7bc@huitema.net>
Date: Thu, 23 May 2019 13:56:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1ICW4gMSJ5RdPOmZqgvxYL8LUEo>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 5/22/2019 11:06 AM, Russ Housley wrote:
>
> Christian:
>
>> On 5/15/2019 6:20 AM, Joseph Salowey wrote:
>>> The last call has come and gone without any comment.  Please
>>> indicate if you have reviewed the draft even if you do not have
>>> issues to raise so the chairs can see who has reviewed it.  Also
>>> indicate if you have any plans to implement the draft. 
>>>
>>> On Tue, Apr 9, 2019 at 8:51 PM Joseph Salowey <joe@salowey.net> wrote:
>>>
>>>     This is the working group last call for the "TLS 1.3 Extension
>>>     for Certificate-based Authentication with an External Pre-Shared
>>>     Key" draft available
>>>     at https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-cert-with-extern-psk/.
>>>     Please review the document and send your comments to the list by
>>>     2359 UTC on 23 April 2019.
>>>
>> My only comment regards the trade-off in this draft between privacy
>> and resilience. The proposed method uses PSK to provide greater
>> resilience against quantum-capable attackers, and as Russ says this
>> is something that the US government cares about. But at the same
>> time, the use of PSK requires inserting a PSK-ID in the client hello,
>> which is sent in clear text. So we have a trade-off: government
>> communications are less likely to be decrypted, but the PSK-ID will
>> help track government employees. It might make sense to describe the
>> trade-off explicitly in the draft, maybe in the security section.
>>
>
> I suggest the following additional section for this document:
>
>   Privacy Considerations
>
>    Appendix E.6 of [RFC8446] discusses identity exposure attacks on
>    PSKs.  The guidance in this section remains relevant.
>
>    This extension makes use of external PSKs to improve resilience
>    against attackers that gain access to a large-scale quantum computer
>    in the future.  This extension is always accompanied by the
>    "pre_shared_key" extension to provide the PSK identities in plaintext
>    in the ClientHello message.  Passive observation of these PSK
>    identities will aid an attacker to track users of this extension.
>
> Does that address your comment?

Yes, although "passive observation will help" is somewhat more benign
than what I would have written. If the "government employee" is some
agent in a foreign country, they may want to think twice before using
the proposed option. Or alternatively, you may want a solution in which
the PSK-ID is randomized using some ESNI-like process.

-- Christian Huitema
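
What the plaintext exposure discussed in this thread looks like on the wire, as an added example that is not part of the original messages: a minimal parser for the RFC 8446 "pre_shared_key" extension (type 41) that lists the PSK identities readable in a ClientHello, useful for auditing what your own clients expose. The ClientHello is constructed inline, and the identity value and helper names are assumptions made for illustration.

```python
EXT_PRE_SHARED_KEY = 41  # RFC 8446 ExtensionType for "pre_shared_key"

def read_vec(buf, pos, len_bytes):
    """Read a TLS length-prefixed vector; return (body, next_pos)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    start = pos + len_bytes
    if start + n > len(buf):
        raise ValueError("truncated vector")
    return buf[start:start + n], start + n

def psk_identities(client_hello):
    """Return the PSK identities sent in clear in a ClientHello message."""
    if len(client_hello) < 4 or client_hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body, _ = read_vec(client_hello, 1, 3)
    pos = 2 + 32                        # legacy_version + random
    _, pos = read_vec(body, pos, 1)     # legacy_session_id
    _, pos = read_vec(body, pos, 2)     # cipher_suites
    _, pos = read_vec(body, pos, 1)     # legacy_compression_methods
    exts, _ = read_vec(body, pos, 2)    # extensions block
    found, pos = [], 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = read_vec(exts, pos + 2, 2)
        if ext_type != EXT_PRE_SHARED_KEY:
            continue
        ids, _ = read_vec(data, 0, 2)   # OfferedPsks.identities
        ipos = 0
        while ipos < len(ids):
            identity, ipos = read_vec(ids, ipos, 2)
            ipos += 4                   # skip obfuscated_ticket_age
            found.append(identity)
    return found

def lp(data, len_bytes):
    """Prefix data with its length, as TLS vectors are encoded."""
    return len(data).to_bytes(len_bytes, "big") + data

def sample_client_hello(identity):
    """Constructed ClientHello (zeroed random, dummy binder), not a capture."""
    offered = lp(lp(identity, 2) + bytes(4), 2)       # one PskIdentity
    offered += lp(lp(bytes(32), 1), 2)                # one 32-byte binder
    exts = b"\x00\x2b" + lp(b"\x02\x03\x04", 2)       # supported_versions: 1.3
    exts += EXT_PRE_SHARED_KEY.to_bytes(2, "big") + lp(offered, 2)
    body = b"\x03\x03" + bytes(32) + lp(b"", 1) + lp(b"\x13\x01", 2)
    body += lp(b"\x00", 1) + lp(exts, 2)
    return b"\x01" + lp(body, 3)
```

Because an external PSK identity is a stable value, every connection that offers it carries the same bytes in this field, which is what makes passive tracking possible.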