Re: [TLS] Fwd: New Version Notification for draft-whyte-qsh-tls13-01.txt

Brian Smith <> Mon, 21 September 2015 04:53 UTC


On Sun, Sep 20, 2015 at 7:59 PM, William Whyte <> wrote:

> Hi all,
> We've updated the TLS 1.3 Quantum Safe Handshake draft to use extensions
> as suggested by DKG in Prague. All comments welcome.
> There's an interesting issue here: McEliece keys, which should be
> permissible, are larger in size (about 2^20 bytes) than the maximum
> permissible extension size (2^16-1). In order to support McEliece keys it
> might be worth increasing the maximum extension size to 2^24-1 for TLS 1.3.
> Is there a strong reason for keeping the maximum size at 2^24-1, other than
> saving one byte on all the relevant length fields?

William, I suggest you first do an experiment:

Create a TLS client that contains all the stuff a browser puts in its TLS
handshake. Then, add your new maximally-sized (2^16-1 bytes) extension,
but don't otherwise change the client. What percentage of handshakes fail?

I suspect that a huge percentage of the handshakes will fail. First, some
implementations won't accept a ClientHello larger than 1KB (IIRC) due to an
artificial limit imposed presumably as a DoS measure. Secondly, I suspect
many implementations will fail to handle a ClientHello that is split across
multiple records. Keep in mind that since the maximum record size is less
than the maximum extension size, a ClientHello with a maximally-sized
extension must require more than one record to be encoded.

In general, I would expect most implementations don't want to receive a 1MB
message of any sort unless they've advertised that they want such messages.
So, a different design that doesn't require including a huge extension in
the initial ClientHello would probably be better.
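
The record-splitting point in the reply above, as an added example that is not part of the original message: it builds a ClientHello whose extensions block is the full 2^16-1 bytes, splits it into records of at most 2^14 bytes, and reassembles it on the receiving side under an explicit size cap. The extension type 0xFFAA, the function names and the 2^17 default cap are assumptions made for the illustration.

```python
import struct

MAX_FRAGMENT = 2 ** 14   # largest plaintext fragment a TLS record may carry
EXT_TYPE = 0xFFAA        # constructed placeholder extension type (assumption)

def client_hello(ext_data_len):
    """Build a handshake message: ClientHello with one constructed extension."""
    ext = struct.pack("!HH", EXT_TYPE, ext_data_len) + b"\x00" * ext_data_len
    body = (b"\x03\x03" + b"\x00" * 32        # client_version, random
            + b"\x00"                         # empty session_id
            + struct.pack("!HH", 2, 0xC02F)   # one cipher suite
            + b"\x01\x00"                     # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def to_records(handshake):
    """Sender side: split one handshake message across handshake records."""
    chunks = (handshake[i:i + MAX_FRAGMENT]
              for i in range(0, len(handshake), MAX_FRAGMENT))
    return [b"\x16\x03\x01" + struct.pack("!H", len(c)) + c for c in chunks]

def reassemble(stream, max_handshake=2 ** 17):
    """Receiver side: consume records until one full handshake message is
    buffered. Returns (message, records_used); raises ValueError on error."""
    buf, pos, used = b"", 0, 0
    while True:
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        if ctype != 0x16 or not 0 < rlen <= MAX_FRAGMENT:
            raise ValueError("bad record")
        frag = stream[pos + 5:pos + 5 + rlen]
        if len(frag) != rlen:
            raise ValueError("truncated record")
        buf, pos, used = buf + frag, pos + 5 + rlen, used + 1
        if len(buf) >= 4:
            need = 4 + int.from_bytes(buf[1:4], "big")
            # Enforce the local cap before buffering the rest of the message.
            if need > max_handshake:
                raise ValueError("handshake message over local limit")
            if len(buf) >= need:
                return buf[:need], used

if __name__ == "__main__":
    # 65531 data bytes + 4 header bytes fill the 2^16-1 byte extensions block.
    records = to_records(client_hello(65531))
    print(len(records), "records for one ClientHello")
```

A receiver that parses only the first record, or that caps ClientHello at about 1KB as the reply recalls some implementations doing, rejects this message even though it is well-formed.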