Re: [TLS] OPTLS: Signature-less TLS 1.3

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 November 2014 05:51 UTC

Message-ID: <5461A3DD.4030102@fifthhorseman.net>
Date: Mon, 10 Nov 2014 19:51:25 -1000
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Icedove/33.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CADi0yUOZ8LqsJbTTZmYL6XgrTjWvTMqvFMd7euzv+xQPU9vPJg@mail.gmail.com> <CABcZeBM+CcG8Tr_+XZ6nkw4xJP8DGFXguvRvLGhTUXYdhEOUqA@mail.gmail.com> <87r3xdfzi1.fsf@alice.fifthhorseman.net> <CABkgnnWqppL-1VJORYfrwuKn8n=NO-rZX6LDTiq+-qxddsp1mg@mail.gmail.com> <87r3xawv8a.fsf@alice.fifthhorseman.net> <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com> <54615526.5020504@fifthhorseman.net> <20141111005220.GG3412@localhost> <8C76E955-0942-4343-B044-8E490C6264FB@gmail.com> <20141111021201.GH3412@localhost>
In-Reply-To: <20141111021201.GH3412@localhost>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="bBe8uMKR6WLiVF258llsjdACt7lP5e1PI"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/5-lHkW3A8Jg_Z5o8HeZ3FveI39k
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
Precedence: list

On 11/10/2014 04:12 PM, Nico Williams wrote:
> The time should be relative, as a TTL.

relative to what?

If the credential is standalone (e.g. in such a way that the signing key
can be kept offline) then the TTL established can be replayed by an
attacker who takes control of the DH secret to extend the lifetime of
the delegated credential, right?

if the credential isn't standalone (i.e. if it's accepted by the client
based on its inclusion in the signed handshake which has been
authenticated by a signature from the signing key), then we aren't in a
signature-less TLS scheme.

if it's not relative, but it's long-lived, then we introduce a new
revocation problem.  if it's not relative and it is short-lived, then we
introduce interesting clock skew issues (though perhaps those are the
same as OCSP-must-staple clock skew issues?)

None of this is to say that delegation is a terrible idea, but just that
the details matter and it's not something to casually adopt without
understanding the tradeoffs we're taking.

and those tradeoffs are complex enough that they seem to overwhelm the
possible performance gains from the OPTLS proposal.  (esp. when there
are other ways like ECDSA certs that give comparable performance gains).

> "This resumption ticket is good for 2 hours."
> 
> "This DH pubkey is good for 2 hours."
> 
> "hours" is good.  "days" is not.

I agree that short-lived is nice; I think it also possibly removes the
pro-OPTLS argument about keeping the signing keys offline.  (maybe
that's ok)

But without a concrete specification of what the delegation mechanism
looks like, the properties of the deployed proposal end up being very
different.

	--dkg

Attachment: signature.asc

Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
[TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk

Re: [TLS] OPTLS: Signature-less TLS 1.3

Attachment: signature.asc