[TLS] Re: [TLS]Working Group Last Call for "Hybrid key exchange in TLS 1.3"
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 01 September 2024 22:13 UTC
To: Douglas Stebila <dstebila@gmail.com>
CC: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1fmRLy_b-nRVfX77R3oZnvwyTdY>

Hiya,

On 9/1/24 22:04, Douglas Stebila wrote:
>> On Sep 1, 2024, at 10:47 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>>
>> Section 3.2 says there are two allowed ways to handle the same
>> component algs being used in multiple key shares. However, doesn't
>> ECH mean that additional possibilities exist? What should a client
>> do in terms of re-use when using ECH?
>
> That's a good question. I'm not very familiar with subtleties
> around ECH. Is there any re-use allowed between ECH and the main
> handshake?

"main" handshake isn't quite the right way of describing
things - whether the client's inner or outer CH turns out to
be the one used for the session depends on whether the ECH
decryption has worked or not.

But in any case, it's relatively undefined in ECH, which says:

   " Repeating large extensions, such as "key_share" with
   post-quantum algorithms, between ClientHelloInner and
   ClientHelloOuter can lead to excessive size. To reduce the
   size impact, the client MAY substitute extensions which it
   knows will be duplicated in ClientHelloOuter. "

I forget what browsers do now, (can test if useful), but IIRC
it can vary between sending new key shares in the inner CH vs.
having the inner CH also use the key shares from the outer. I'd
not be surprised if the incentive to re-use the outer CH key
shares was more pressing in this situation.

The ECH code I'm trying to upstream to OpenSSL allows any of
the possibilities as of now (esp. on the server side), but that
code hasn't been upstreamed yet, so if we decide to be more
prescriptive/restrictive, that'd be ok from my POV anyway.

There's also a related issue about what sets of ECHConfig
values to publish/use for ECH, if one wants to see the same
level of record-now-decrypt-later protection for the ECH
encryption and the TLS handshake.

All in all, I'd say this maybe warrants a bit of discussion,
but I'd say it shouldn't be too hard to figure a good answer
and what words to use. (I don't have a set of words to offer
now, sorry;-)

Cheers,
S.
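
The re-use question raised in this message can be checked mechanically. The following is an added example, not part of the original email and not taken from the OpenSSL ECH code it mentions: it parses the key_share extension bodies of a ClientHelloOuter and a decoded ClientHelloInner and lists every component public value that is sent more than once. The group codepoints and share layouts (0x001D for X25519; 0x11EC for X25519MLKEM768 with the ML-KEM-768 encapsulation key first) are assumptions not stated in the thread, and the sample shares are constructed filler bytes.

```python
import struct

# Assumed wire layouts (not from the thread): group -> (component, length) in order.
# 0x001D = X25519; 0x11EC = X25519MLKEM768 (ML-KEM-768 encapsulation key, then X25519).
LAYOUTS = {0x001D: [("x25519", 32)],
           0x11EC: [("mlkem768", 1184), ("x25519", 32)]}

def parse_key_share(ext: bytes):
    """Parse a ClientHello key_share body: uint16 list length, then KeyShareEntry items."""
    if len(ext) < 2 or struct.unpack_from("!H", ext)[0] != len(ext) - 2:
        raise ValueError("client_shares length mismatch")
    entries, off = [], 2
    while off < len(ext):
        if len(ext) - off < 4:
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", ext, off)
        off += 4
        if off + klen > len(ext):
            raise ValueError("truncated key_exchange")
        entries.append((group, ext[off:off + klen]))
        off += klen
    return entries

def components(entries):
    """Split every share into component public values according to LAYOUTS."""
    for group, kx in entries:
        layout = LAYOUTS.get(group)
        if layout is None or sum(n for _, n in layout) != len(kx):
            raise ValueError(f"unsupported group or bad share length: {group:#06x}")
        off = 0
        for name, n in layout:
            yield group, name, kx[off:off + n]
            off += n

def reuse_report(outer_ext: bytes, inner_ext: bytes):
    """List (component, [(hello, group), ...]) for each public value sent more than once."""
    seen = {}
    for hello, ext in (("outer", outer_ext), ("inner", inner_ext)):
        for group, name, value in components(parse_key_share(ext)):
            seen.setdefault((name, value), []).append((hello, group))
    return sorted((name, places) for (name, _), places in seen.items() if len(places) > 1)

def build(*shares):
    """Encode (group, key_exchange) pairs as a key_share extension body."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return struct.pack("!H", len(body)) + body

# Constructed sample: filler bytes stand in for real public values.
X_A, X_B, KEM_A, KEM_B = b"\xa1" * 32, b"\xb2" * 32, b"\xc3" * 1184, b"\xd4" * 1184
OUTER = build((0x11EC, KEM_A + X_A), (0x001D, X_A))   # X25519 value shared by both entries
INNER_REUSED = build((0x11EC, KEM_A + X_A))           # inner repeats the outer hybrid share
INNER_FRESH = build((0x11EC, KEM_B + X_B))            # inner generates new shares
```
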