Re: [TLS] PSK in TLS 1.3

Eric Rescorla <ekr@rtfm.com> Mon, 21 March 2016 22:09 UTC

In-Reply-To: <56F06EDC.9080406@gmx.net>
References: <56E874A4.3030506@gmx.net> <CABcZeBOS+D2wkctkq0pmNRJCxi=EA9Hk4dH6YrUTcAXLq8xaEw@mail.gmail.com> <56F06EDC.9080406@gmx.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 21 Mar 2016 15:08:45 -0700
Message-ID: <CABcZeBO1jd=UiccoeOauGskWosF3zQ0_FNrg40NG5wELjLyj-Q@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/4u8hUnWHNaB8PbX6uFT7OtTTuUE>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PSK in TLS 1.3

On Mon, Mar 21, 2016 at 2:59 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Ekr,
>
> ~snip~
>
> >     Section 6.3.1.2 explains the ServerHello message handling:
> >
> >     "
> >     The server will send this message in response to a ClientHello message
> >     when it was able to find an acceptable set of algorithms and the
> >     client’s “key_share” extension was acceptable. If the client proposed
> >     groups are not acceptable by the server, it will respond with a
> >     “handshake_failure” fatal ale
> >     "
> >
> >     What this text should be saying is that the response from the server
> >     depends on the selected ciphersuite. Implicitly you are saying that in
> >     another part of the document, namely in Section 8.2 "MTI Extensions".
> >
> >
> > Sorry, I'm not following your question here. Can you say more?
> >
>
> The conditions for the server to return a ServerHello are complex and
> the wording is confusing.
>
> The decisions are at least based on:
>
> - Is there an acceptable set of algorithms and groups that are mutually
> supported?
>
> - Did the client’s KeyShare contain an acceptable offer?
>
> - Is a KeyShare extension present?
>
> - Is “signature_algorithms” extension present?
>
> - Does msg offer (EC)DHE cipher suites?
>

Ah, I see. Let me see if I can clear this up, if you wanted to send a PR,
that wouldn't help too.

-Ekr