[TLS] draft-ietf-tls-tls13-15

Eric Rescorla <ekr@rtfm.com> Wed, 17 August 2016 21:50 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0266A12D7A3 for <tls@ietfa.amsl.com>; Wed, 17 Aug 2016 14:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WteK2KY-OFDQ for <tls@ietfa.amsl.com>; Wed, 17 Aug 2016 14:50:34 -0700 (PDT)
Received: from mail-yb0-x22f.google.com (mail-yb0-x22f.google.com [IPv6:2607:f8b0:4002:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1365C12D0E5 for <tls@ietf.org>; Wed, 17 Aug 2016 14:50:34 -0700 (PDT)
Received: by mail-yb0-x22f.google.com with SMTP id r187so289357ybr.0 for <tls@ietf.org>; Wed, 17 Aug 2016 14:50:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=6a+B+rTXz5pw6idtCgcNpuT5l1D9gwxJfZVU7jUTunk=; b=HYNfkrLQ8gguI7HxMjGMJIuFpXTa+Wddb/DVKdATaL/YGWV7ct7EC+TSjabwI5Axhc Pxo4p6AzDYjvdi4oH1oju+1OoXtQhB9uGiwOlJR4K3WGfVOYBelHjup4D4GDod+m15DD uplfH3BYEwPBCXKG0gbvAjFU2UT16JFYxL6Q1Uoa9Y9wwJDGTLqQEg4UWhCcjrCel5sE aCoNdhJze9KpG1ij/0WgBUIiLmxeuky6Rlpz879hnvPf57/V8yVU5gssrlZ3cU2+jpiX as/mfbVNVnICX9rVBKhtRZRsNmd/o8nWXGUmNm9koqFb1ErFLc12zk7yRWo9a/ouNqpx 3XZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6a+B+rTXz5pw6idtCgcNpuT5l1D9gwxJfZVU7jUTunk=; b=lwnNcSnpqvATwDthVVBLKkRYSiQ3NZWjEtiUn0i8zbeRJZXsWPCq71LuFGVF9p8/DS 3VlZdffhqfQA4YsQcEWLAQQbe6gDu4xlGwveRT5d8gwbk2IaeiTa7FDmEQTkr/NcgUyD OXlgO/Nv71UCejivSR4+MpOAVR9U8wLnuHFTeAkW9keT+9h8YY+Y3m9DB2CNMD0LNhiB YAIeX+a0kGan2pjJl0IsgMzRwlE3DEDkW/7Ghg+M1TcfAOHUR86woFd8jZOq5VkoFQko EXSUyCDzG+iaxvq8pACus9etiBBhNqEDf008Eqigww1s7m5WAhunZ+QOTwC7v8PnDF1t kh4Q==
X-Gm-Message-State: AEkoouswivjfcbrOt+TAqrtnDxI/c0x0+LRA9mgYAXdjLugQ5Zf3nCy0OuxYpGAgtqsOFlRTk1STjb6Xjmzupg==
X-Received: by 10.37.211.9 with SMTP id e9mr16815244ybf.74.1471470633140; Wed, 17 Aug 2016 14:50:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.48.193 with HTTP; Wed, 17 Aug 2016 14:49:52 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 17 Aug 2016 14:49:52 -0700
Message-ID: <CABcZeBMqykSnQp__TRaNmyhpcLPaU=eeuM120zgAoprwd0555w@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c147dcc62f059053a4b744e
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1cxk48N0x0WJcZL6ApSBxfV4HmM>
Subject: [TLS] draft-ietf-tls-tls13-15
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 21:50:36 -0000

Folks,

I've just submitted draft-ietf-tls-tls13-15.

The major change in this document is the new negotiation syntax as
discussed in Berlin. There are also a number of small tweaks (see
ChangeLog below).

Remaining significant issues:

#588: The computation of the resumption context with external PSKs.
      Also, connected with this, should we require that the client
      prove knowledge of the PSK when offering a PSK.

#443: 0-RTT with server signing. This is possible with the new syntax
      but I didn't specify it in #15.

#580: receive_generation for KeyUpdate [CHAIRS: please bring to closure]

Also a few smaller ones I will be bringing to the list shortly.


Note to implementors:
NSS is currently at draft-14 (Firefox is at draft-13). We intend to
implement draft-15 immediately (hopefully in the next week) and would
welcome interop testing with anyone who is interested.

As usual, comments welcome.

-Ekr

- New negotiation syntax as discussed in Berlin (*)

- Require CertificateRequest.context to be empty during handshake (*)

- Forbid empty tickets (*)

- Forbid application data messages in between post-handshake messages
  from the same flight (*)

- Clean up alert guidance (*)

- Clearer guidance on what is needed for TLS 1.2.

- Guidance on 0-RTT time windows.

- Rename a bunch of fields.

- Remove old PRNG text.

- Explicitly require checking that handshake records not span
  key changes.