IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 16 December 2024 14:25 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D24A5C151061 for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 06:25:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.741
X-Spam-Level:
X-Spam-Status: No, score=-9.741 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQnnfPN46rBu for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 06:25:05 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9837C14F71B for <tls@ietf.org>; Mon, 16 Dec 2024 06:25:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=28494; q=dns/txt; s=iport; t=1734359105; x=1735568705; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=tTRc8Ie2TXnuyJ9yn6iKpPd6NqW+HFEq/gtQy2K8Wlc=; b=YwgFYrLB1BvM8/IfoTxL9m2D+c9xLNdEa7SJiZV+j3PKnZN526apxAG2 Z7bVFVUkV6WlN3KmXTIBhpqulzkIU/Fh523H+HZz2pSVWYTEJ0hlImIyq HelrSD+njNpw9icu7FO7y/qh49j5/6jmnWG/oZTp/i19/FVxBuY8rZK9H E=;
X-CSE-ConnectionGUID: 70WnQRlbQOShCn1aER382Q==
X-CSE-MsgGUID: nKskeDsYQCeDLphgu0F6Jg==
X-IPAS-Result: A0AEAAC/N2Bnj5AQJK1aGwEBAQEBAQEBBQEBARIBAQEDAwEBAWWBGgYBAQELAYFAMVJ9gRxIhFWDTAOETl+IcgORSoxOFIERA1YPAQEBDQI1DwQBAYUHAhaKVgImNAkOAQIEAQEBAQMCAwEBAQEBAQEBAQEBCwEBBQEBAQIBBwUUAQEBAQEBOQVJhUEIMg2GWgEBAQEDEhEKHAUgCwwEAgEIDgMEAQEBJwMCAgIuARQJCAIECAYFCBEEAgIBgl8BghxIAwGkSAGBQAKKK3qBMoEB4CCBSAGITQEqgTICDoQagz2BHycbgUlEgRVCeYFvPoJhBIEbDgESAQkaBQcJHwiDHTqCLwSCBwICAhIEFx0vaTh6MAGBEwICAgICAgICAgICAgICgQ0lZ4IDgXthAg0DgWlYEnWBXIEMaYE7BimBBoMXgl2CE4ZVUnUiAyYzIREBVRMXCwcFgSkfKwOBFYIFgVsFN0c5AYIQaUk3Ag0CNoIifIJNgluCPYRhhFiGGoIXgWgDAxYTLR1AAwttPTcUGwUEgTUFmmkBgQMBRoJoNj8VVVaBEgdHDEEGCzqTJoMzi0qjagqEGqF8F4QEpk2Ye4JXoH0EBIUkAgQCBAUCDwEBBoFnOmtwcBU7gmcJSRkPggeMM4NhwEB4AgE5AgcBCgEBAwmRQwEB
IronPort-PHdr: A9a23:cIAyaxLTgR8lFvrXdtmcuVQyDhhOgF28FhQe5pxijKpBbeH6uZ/jJ 0fYo/5qiQyBUYba7qdcgvHN++D7WGMG6Iqcqn1KbpFWVhEEhMlX1wwtCcKIEwv6edbhbjcxG 4JJU1oNwg==
IronPort-Data: A9a23:j2tDYKy9uuPM3/pAcGt6t+dJxirEfRIJ4+MujC+fZmUNrF6WrkVSx zEaWWqAP6zYYTHzc49/aozg/E1TvJTdmIRjGlM4/1hgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/lH1b+CJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 ImaT/H3Ygf/h2cuazxMsspvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJB5uAoshwOJ9OEZ19 dcecTkgVEvT3dvjldpXSsE07igiBMDvOIVavjRryivUSK55B5vCWK7No9Rf2V/chOgXQq2YP JRfMGQpNUicC/FMEg9/5JYWh+msm3nlfidwo1OOrq1x6G/WpOB0+OO8YYWEJo3VFa25mG6eh XnF8kjiMygxOfC70TqK7yqC2M3AyHaTtIU6T+DgqaUw3zV/3Fc7FBkNfVq2vff/jVSxM++zM GQd/i4o6Kx3/0uxQ5ylAFuzoWWPuVgXXN84//AGBB+llfLr5T+jAmI9aQVBQ9p/veIMHmxw7 wrc9z/2PgBHvLqQQHOb076bqzKuJCQYRVPugwdaHGPpBPG9++kOYgLzczp1LEKiYjTI9dDML 9Ki8XBWa1Y71JJjO0CHEbbv2GvESn/hFVRd2+kvdjj5hj6Vnab8D2BS1XDV7OxbMKGSRUSbs X4PlqC2tb9VUcvdy3DcHL9cTNlFAspp1hWC0TaD+LF8qFyQF4KLJ9s4DMxWfR0wa51VI1cFn meK6VsNtfe/w0dGnYcsPtruUJ51pUQRPd/kTfvTJsFfeYR8cRTP/SdlIyatM5PFziARfVUEE c7DK66EVC9CYYw+lWreb7lGi9cDmHthrV4/sLinlHxLJ5LCPybNEd/o8TKmMogE0U9ziF6Mr YYCaZbUm083vS+XSnC/zLP/5GsidBATLZv3sMdQMOWEJ2Jb9KsJUZc9HZtJl1RZoplo
IronPort-HdrOrdr: A9a23:CwkDQKuIWI071X91f1DI9+z+7skCP4Aji2hC6mlwRA09TyXGrb HMoB1L73/JYWgqOU3IwerwRpVoIUmxyXZ0ibNhW4tKLzOWyVdATbsSobcKrAeQYREWmtQtsZ uINpIOd+EYbmIKwvoSgjPIburIqePvmMvH9IWuqkuFDzsaF52IhD0JczpzZ3cGPzWucqBJbK Z0iPA3wAaISDA8VOj+LH8DWOTIut3Mk7zbQTNuPXQawTjLpwmFrJrhHTal/jp2aV5yKLEZnl Ttokjc3OGOovu7whjT2yv49JJNgubszdNFGYilltUVAi+EsHfoWK1RH5m5+BwlquCm71gn1P PWpQ07Ash143TNOkmovBrW3RX62jpG0Q6j9bbYuwqhnSXKfkN+NyNzv/McTvIf0TtmgDhI6t MI44tejesQMfqPplWl2zGCbWAbqqP9mwtQrQdUtQ0QbWPbA4Uh9rD2OyhuYc89NTO/54Y9HO Z0CsbAoP5QbFOBdnjc+nJi2dq2Qx0Ib1y7q2U5y4WoOgJt7ThE5lpdwNZakmYL9Zo7RZUB7+ PYMr5wnLULSsMNd6pyCOoIXMPyUwX2MF/xGXPXJU6iGLAMOnrLpZKy6LIp5PuycJhNyJcpgp zOXF5RqGZ3cUPzDs+F2oFN73n2MS+AdCWoztsb64lyu7X6SrauOSqfSEo2m8/luPkbCt2zYY fEBHuXOY6VEYLDI/c84+SlYeghFZA3arxhhuoG
X-Talos-CUID: 9a23:nbC6eG/au2wPyUoFmmKVvxFMJcYcSHnX9VDrI2S+UG9EcubFE2bFrQ==
X-Talos-MUID: 9a23:r54xAQ9rIfsoveU3V1tZ/dSQf8FL+KejJFs8qL4Ll+2cNSNtYxnDrjviFw==
X-IronPort-Anti-Spam-Filtered: true
Received: from alln-l-core-07.cisco.com ([173.36.16.144]) by alln-iport-6.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 16 Dec 2024 14:25:04 +0000
Received: from rcdn-opgw-1.cisco.com (rcdn-opgw-1.cisco.com [72.163.7.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by alln-l-core-07.cisco.com (Postfix) with ESMTPS id 95DDE180001D3 for <tls@ietf.org>; Mon, 16 Dec 2024 14:25:04 +0000 (GMT)
X-CSE-ConnectionGUID: ydbQaYS4RCGm8ySMuJj9eg==
X-CSE-MsgGUID: MFZI5bI1S3+qEeU/fwZouA==
Authentication-Results: rcdn-opgw-1.cisco.com; dkim=pass (signature verified) header.i=@cisco.com
X-IronPort-AV: E=Sophos;i="6.12,238,1728950400"; d="scan'208,217";a="21735802"
Received: from mail-bn8nam12lp2176.outbound.protection.outlook.com (HELO NAM12-BN8-obe.outbound.protection.outlook.com) ([104.47.55.176]) by rcdn-opgw-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 16 Dec 2024 14:25:04 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=d6os7oRPmvuPxlzHwpBl9+21iCQQKjPaMm9bCybJHNuNPx02KKOBM14rXQXO47XtLYxJplUxMFZBMiTmvIqxykwhH7opoRllF3Cb11+mfZgUXQpd5AjwCIhrve2cmiTh0fy/3XIpLb63v8wnvHz74PaMr/UBTseqeMxFkM7/O5OJ4RDiMrz5Mooe0DV34CcJ5yYrVQzdIOYol9M6aiROvF0bTpbXFNTFlAjewibDiuV+20hCQoBhU/ThQjW3zQ+dXCP9UutcMfD5uw1TPEuqJpiqCo6RhTkkqoYRT3HuxUyuOlUJoEBxXAiLqYQZSbEJY8dfr+rv/NN8ltWDAdTDeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tTRc8Ie2TXnuyJ9yn6iKpPd6NqW+HFEq/gtQy2K8Wlc=; b=f5GFDMLSDPV5xO5kvDaBXE/+crLXt4dxY5NTZxleOm8DeMtYgNuYp5U3W9bf1xyeev+nA+eGz8FiXbjnOqk3DmLUIOj3IP9Y+3oG0rwkX4CO3jOEoIUqLDMzC4X9jQ36ECLvfk0wysSaM6lKfaRWLAIj3Wx/YTcvmLegTHCxNdNeJ0Cc3s/eAabsdwV+LO5dDoOS1a6OKqkQz1aJkACae0DVwS8ohONcfTvyJp0mvppD86uEMlgxWohnd0+y6PtCa21yPmhGuWEvphiS6IeyW38y3JHXMkbvXDoF7oD7VUFppZ7EbxP2/+d2rRGiqYyLWiVbmk/ryVhUeXzlXmZ3ew==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from CH0PR11MB5444.namprd11.prod.outlook.com (2603:10b6:610:d3::13) by LV3PR11MB8554.namprd11.prod.outlook.com (2603:10b6:408:1bb::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8251.21; Mon, 16 Dec 2024 14:25:02 +0000
Received: from CH0PR11MB5444.namprd11.prod.outlook.com ([fe80::5f89:ba81:ff70:bace]) by CH0PR11MB5444.namprd11.prod.outlook.com ([fe80::5f89:ba81:ff70:bace%6]) with mapi id 15.20.8251.015; Mon, 16 Dec 2024 14:25:02 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys
Thread-Index: AQHbT8Bf8m98Y1aOAkGdV07Hl01JlrLo5SUQgAAEHYCAAAEiUA==
Date: Mon, 16 Dec 2024 14:25:02 +0000
Message-ID: <CH0PR11MB544496B0BE64A80F904A8A84C13B2@CH0PR11MB5444.namprd11.prod.outlook.com>
References: <LV8PR21MB4158CEABE28A5068931F32788C3F2@LV8PR21MB4158.namprd21.prod.outlook.com> <F215DE9E-D11B-47BC-A3AB-14CA38481ADF@huitema.net> <50935d5a-3072-4db5-ab38-244b2d97cfeb@redhat.com> <CH0PR11MB5444194BDB61738FA5219E2EC13B2@CH0PR11MB5444.namprd11.prod.outlook.com> <CAL02cgSJ29p57tAvgnOiisZbaCGL-e8ng8mq0XfcMqy5VPOSEg@mail.gmail.com>
In-Reply-To: <CAL02cgSJ29p57tAvgnOiisZbaCGL-e8ng8mq0XfcMqy5VPOSEg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5444:EE_|LV3PR11MB8554:EE_
x-ms-office365-filtering-correlation-id: d5eca841-7201-4f28-03b9-08dd1ddd6e01
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|4022899009|1800799024|366016|7053199007|8096899003|38070700018;
x-microsoft-antispam-message-info: /EHc8/qYU8poyuWYdL2DmSOoOLSqzsu0eVJfV+FqUvBcDp9RVQGH+vfgWa5TPlnMz8sfFvthkLDOCcv3OkrXvfDMok/POwnsEhvVZsNYcNStZrfwzBrDSpy84bXMZHLY5aDQ+lzYJ9j/Jx0tegqXdGOk2M7JZFJjRlDuo9AOb5rLHzyFicHTd15CLABwUFS/+JtPiVlH1zH2K6nzMBbnJjWOeQJGRd6cfYFbapxYxUE78CX3A/s7ZivhSQeKb28DVregnlo/oSzagV7tNWIRS3dMSuiFehyqUZXptq5Ug3hkjRsZWWKkzBlthGy/Wt98pG/sQ0YNbmfhHxHwDaEmxaOxQs1JsZp/M1QKlCjGEvKqun6KzXwZIjmtKJkXEbV8Jhg8HupKki7wZNm0q3oQrSESzko2oWq0aT+r4qyDysk7jv8R62RDLqFiwG/Lc6R9yFPMY0f/lF9ilHDgbDo1u1zZ+uI7r5yC/clUZrTLblAexG1VHVvm+STgDWt9qEfsapa0venq3YcUAxTQufiw82YZBddZI/mN0RZHh6+Q89Irex1ehwMUjac6Mh9V/PgghiS6F5c0mNAlAjFUhGQ0Gzuywweq2/Tlu5qfkRULMlo/HEtNA7Xv6KqWD2/vUC14Kd1rduOZ3GRfwXXnfXde5fQC7CMtdvGrpM3paMJa0NE5O42r+K2UGqJmRfXhco1mLvQBF1Y5SH5UbU1Onj+NqXtmguaKf75OIhmQHhLaZoEsIcvtOjohgu8T1eTc+zb30wYiqGwSZFGvw2VwPuEzDaJ1kHCeqjj/IFyX+fGx2hqwmrliqaPnRt9oEtjUYF9RwDjk3gtqD7vSXZula3MR50fbPdUthwwpUlMmVhzOuzzsR+qHe+o+LYQdfnZT/+xgiCkHyZtQ7ilVMdeNRYewpeP4bVxa3UCiXMyQs+bE6pjWN9Nt2Wxa1czewEYgi4rUESZnbuh47fJdyd1xJ0oDgjTzPUiqvBSob9on4HPcJBS8NRKggLU/RJRswc0nzzlCkm48NhuR8gA55aCsVQmZ+ZJAozZwmQpERIYWfe+Gvsdxwk6wN4vcXd67mJd3tLg3ezfkBBNNGAF9AkCHcfG17QWJJzxkayuKXUXkiKEwN8ZruFGxuCoIYHJLErMRatMjVp8Y3g3tRSwZPT/iKGIIjAhb5n//vr2BN69iBhhRyaRC7LW0Qfdv93guY0GpN+IXdb7kSactmt8kyWQuN1FsLG3dJ9RpNfwpVniY59qESzakTOocC9aWM4O43dpA0rpIIR2GBZhQ8R3fF9TwbY8sG4UG1lWyY1HRMxXDDgc7FXnwC6QV4DrR2o8W+genI4C5kOU5BueeEvZU+AM8yTXb4oBoAqKZ9TCYaeevYalQV1GDHZAp7oQ7jtfIJG6EuzEh
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH0PR11MB5444.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(4022899009)(1800799024)(366016)(7053199007)(8096899003)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: FAozc5nVBPr0GBRVfPurkXU5rshdNrQvgFo4nDFnIcwVWlhLBp3oLpXNsPRHi8aKrYkG8Rmpkm4PoUL9qi0yFyJUc3ru3rdUyYtmDEpnPxgH/dLlsZqRTmXg/T/i5yAYpLEfNng7KGLxBz4A5r1UEq4WdtFsMD1mjj6fhxMULYdlEN7yQbY5b+MTRNw5XYRysV8v3OQTGBeIYPFAbVmEqcpnfG1y6/JqJo8Ccw99RXkg5gJA+pVhQaD72nGwkAohj32meCteyfZwVAb4L8RhKbCQQ0a0FrLAN6wFrgVvP6iRr5qctI28RaqyW3IhT0RPi3wu145G6ZnXvfX0dlQSwa2OYARTDkQkzkmXWD9TBNel+wOmwEHOXEKn+hWvx8xeag9tZsEVfjxmqUJJPVvaFgSXYwURMM2xN0yX5Q5dDj32oTXO588W/f234HsRCGdvND3KsGjBhkHoNCXDhEouFUqFhKZzawndiUMeX4eeGn9tQ4GndrHu4gcNaxgVBaSNzQj8mP7jtlRenyuhWwLpvbuwhHwZTnXOV4jLvZ2waOhs5Hdk0NJymJ+sn7jN89WYugswersFlO8a0UtqlcpaiOs6UnNK24PKILKujiJemj+XWaY4FNWJ59aiWWlR5jlU4v6ENiLeL2jM449wT0hYPzDi8nhrV6gbjQvSVMbQQ7iaC1ncVN76hcVcAr7XH2I0wfY/nSYyqIoaZLEwt0AKxNdlwdZoNjnTR+C4cZ26p/Fu6VFWYJMr45P4ldkFBfMec7jLxwqRoW1OY3C66zjmLfBRDw5ocm7mpqz1dEUCfOrxVoJAQDisXVVRc8KKhuMzFPJyAQd3WPY5McGLR2jqqOg3WaQe2N03dcySZqtz1oaRM4S61wVy9HRstyqomw+yZHUjTUHDkTl06GjoQV+OwiSlwAtTjxU9u5zpxYdJeQdlK6KU7fs14JiNmjTd/3W+9kaBWFaA5ExP9ybZqhWyTRMJZ4AMIpFZt+Vn3loxxOuz9MH082Guh8d+f4Emqz5a4cE3i/F3i78GEVJSqUuWRebXK5HsKIVS6NCu4DZ0W5xK568oA+TN9XViCLvLHlBtZD0aNgR6mYrW2ATCujEWsWyU5DU+CMzXnBrMBZcQYPLVfN3SLqCaL7fMbjdcKFgV3YSN+6RxU0jsRmWc7ihVz7L25F6ySvkHIxLud7B1wmake8pbAqLCW0K8/qD8uVNI2xcQPvTRE6k+fQkB+tqmN0WutTLi85fa6Eoagqut8nZnrm4525fxM+BP5Ic7nHlNCiR3iMsqtwMEUGeD16iRrgkrwNppS18N/nbMUgUj73wIL4PkpTyCyEozxePfShG4hU/m4BH7ND9BQaWY730USvdhohpWs3UV/ml0QjWo9gQusiaaN+VosV1hPy74JnZE8BH3kXtHaCY17b7/ElPdMIlVpgwEOcLl0XmDAZyKcUsM5KL9EzHrU5FjtkhVFZMv42FpvQoStA2o4LLuG89scyFrFRjF2TyfCO3VlYO+9e4/JaxL4xCfJMiMvurEd8tsI1XOytlfVO6aqCFD3nqw6KYMiB6hPOBvRBA6+i5s0xs=
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB544496B0BE64A80F904A8A84C13B2CH0PR11MB5444namp_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5444.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d5eca841-7201-4f28-03b9-08dd1ddd6e01
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Dec 2024 14:25:02.6878 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HgxIAKkNsoVyC/nlNYe5iHf3tUL0wARswAUw+rjxKB1XiAR5HbOSXm3PKusYR5n9zNUoAyTjHKzTpHFrkbzyeQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV3PR11MB8554
X-Outbound-SMTP-Client: 72.163.7.162, rcdn-opgw-1.cisco.com
X-Outbound-Node: alln-l-core-07.cisco.com
Message-ID-Hash: RJ6PCA3D2QLZ5OOC2FRRU5S4QJDPH456
X-Message-ID-Hash: RJ6PCA3D2QLZ5OOC2FRRU5S4QJDPH456
X-MailFrom: sfluhrer@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrei Popov <Andrei.Popov@microsoft.com>, IETF TLS <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1JUv5-ucVVqGMY6o0MqZ8y2Hd8Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hmmmm, I see we attach different meanings to the word “forbid”.

You take forbid as “if the client does it, it doesn’t interoperate”.  As you point out, in practice servers won’t do it (because it’d be quite difficult for them, and for very little benefit).

I take forbid as “make a statement in the RFC, so that if they do it, they’re not in compliance”.  This is more standards language than interoperability, with the possibility of compliance being externally testable (and not that it would be tested on a routine basis).

And (on a different note) to recap my two open questions:


  *   Do the existing TLS security proofs assume that there will be no public key reuse?  As the TLS security proofs are considered a step forward, staying within their assumptions would appear to be important (and if they make that assumption, that means that we really have to forbid reuse).
  *   Assuming that the security proofs work with key reuse, I can see a case where a highly constrained implementation might want to use key reuse, possibly to extend battery life.  Would the working group buy such an argument from such an implementation?  I ask this because that’s the only reason I can think of that a client would want to do key reuse.

From: Richard Barnes <rlb@ipv.sx>
Sent: Monday, December 16, 2024 9:11 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: Alicja Kario <hkario@redhat.com>; Christian Huitema <huitema@huitema.net>; Andrei Popov <Andrei.Popov@microsoft.com>; IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys

You’re technically correct, but if you look at how TLS stacks work in practice, the amount of state they keep across connections is tiny, basically just what is needed to support resumption, if that. So tracking which public keys have been seen would be a big lift.

On the other hand, if a couple of widespread clients started enforcing uniqueness, it could be enough to make the ecosystem inimical to reuse.

On the third hand, enforcing means failing connections that would otherwise work, so you would need a substantial security benefit to get a critical mass to enforce.  Which I’m not sure is there.

—Richard



On Mon, Dec 16, 2024 at 09:03 Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote:
Might I remind people the ML-KEM public key reuse is detectable?

The ML-KEM public key is in the client hello, which is either in the clear, or (in the case of ECH) is readable by the server.  Hence, if the same ML-KEM is reused, then (in the worse case) the server can detect that.

And, if it is externally visible, I believe that the TLS WG can forbid it.  Whether it should or not is what we are debating, but I believe the debate can't be closed on that basis.

Has anyone considered the open questions I gave a few days ago?

> -----Original Message-----
> From: Alicja Kario <hkario@redhat.com<mailto:hkario@redhat.com>>
> Sent: Monday, December 16, 2024 8:42 AM
> To: Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>>
> Cc: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org<mailto:40microsoft.com@dmarc.ietf.org>>; IETF TLS
> <tls@ietf.org<mailto:tls@ietf.org>>
> Subject: [TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys
>
> No, the specification definitely can, and should, specify behaviours that are
> unenforcable.
>
> When there are preferred or recommended ways of doing something, we
> should absolutely put that in writing.
>
> On Thursday, 12 December 2024 21:07:03 CET, Christian Huitema wrote:
> > I like keeping as they are. Disallowing only makes sense if that
> > prohibition can be enforced, and one of the peer refuses the
> > connection if it detects key reuse. Would we want to do that? And,
> > even if we wanted to accept the cost of refusing connections, could
> > individual nodes actually detect reuse by a peer?
> >
> > -- Christian Huitema
> >
> > On Dec 12, 2024, at 10:11 AM, Andrei Popov
> > <Andrei.Popov=40microsoft.com@dmarc.ietf.org<mailto:40microsoft.com@dmarc.ietf.org>> wrote:
> >
> >
> > +1 in favor of option1.
> >
> > Cheers,
> >
> > Andrei
> >
> > From: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
> > Sent: Thursday, December 12, 2024 9:43 AM
> > To: Joe Salowey <joe@salowey.net<mailto:joe@salowey.net>>
> > Cc: IETF TLS <tls@ietf.org<mailto:tls@ietf.org>>
> > Subject: [EXTERNAL] [TLS] Re: Disallowing reuse of ephemeral keys
> >
> > I prefer option 1.
> >
> > Russ
> >
> >
> > On Dec 12, 2024, at 12:35 PM, Joseph Salowey <joe@salowey.net<mailto:joe@salowey.net>> wrote:
> >
> > Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of
> > ephemeral keys.  This was the consensus of the working group during
> > the development of TLS 1.3.  There has been more recent discussion on
> > the list to forbid reuse for ML-KEM/hybrid key exchange.  There are
> > several possible options here:
> >
> > Keep things as they are (ie. say nothing, as was done in previous TLS
> > versions, to forbid the reuse of ephemeral keys) - this is the default
> > action if there is no consensus Disallow reuse for specific
> > ciphersuites.  It doesn’t appear that there is any real difference in
> > this matter between MLKEM/hybrids and ECDH here except that there are
> > many more ECDH implementations (some of which may reuse a keyshare)
> > Update 8446 to disallow reuse of ephemeral keyshares in general.  This
> > could be done by revising RFC 8446bis or with a separate document that
> > updates RFC 8446/bis
> >
> > We would like to know if there are folks who think the reuse of
> > keyshares is important for HTTP or non-HTTP use cases.
> >
> >
> > Thanks,
> >
> >
> > Joe, Deirdre and Sean
> >
>
> --
> Regards,
> Alicja (nee Hubert) Kario
> Principal Quality Engineer, RHEL Crypto team
> Web: www.cz.redhat.com<http://www.cz.redhat.com>
> Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
> To unsubscribe send an email to tls-leave@ietf.org<mailto:tls-leave@ietf.org>
_______________________________________________
TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
To unsubscribe send an email to tls-leave@ietf.org<mailto:tls-leave@ietf.org>

v2.29.0 | Report a Bug | By Email | System Status