[TLS] Re: TLS 1.3, Raw Public Keys, and Misbinding Attacks

Achim Kraus <achimkraus@gmx.net> Tue, 19 November 2024 08:10 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84C59C110D2B; Tue, 19 Nov 2024 00:10:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EzflY_WVYE_S; Tue, 19 Nov 2024 00:10:45 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19884C1840E8; Tue, 19 Nov 2024 00:10:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.net; s=s31663417; t=1732003841; x=1732608641; i=achimkraus@gmx.net; bh=HCDnCLWMZBzCf8IdqSj5PJd1oxg+63IiPNnnWUl0fXk=; h=X-UI-Sender-Class:Message-ID:Date:MIME-Version:Subject:To:Cc: References:From:In-Reply-To:Content-Type: Content-Transfer-Encoding:cc:content-transfer-encoding: content-type:date:from:message-id:mime-version:reply-to:subject: to; b=nk9IFiO921UtrqUloqaR1fT25lFseRGj1EAq1COi+o2Nib6F4DxANX7sSJf5TtJn A3bSX3qK0CqmYp2vKNvTjNA3MvnM9L237sRTXKazGxFOdJkBHxEVIJtKRpUesoxVW ttNVNtHw+oyOVCJ0ln6FY86GsZE7ZD2RLe8j4IpV1+JlVM1ayjjVfg3dsPQ8xqALI 9XJvElkTlv6dmxEMwHTTGyrnTsxPYMoUhQjx4NTp9Mom/Yvr2TeJSW7zx4nJNnSeb N4wwgBv6i6X20NRmXIu9WsvC8cmIOZlHYke3vezxRCibNov9Whr2btpXS60UjnjRR Bar//AHsN2PEa4GbeA==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [192.168.178.10] ([5.146.193.164]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MGz1V-1t0zWl3v1f-003bj5; Tue, 19 Nov 2024 09:10:41 +0100
Message-ID: <c5fe3a26-e3f7-458a-8ced-8915c5e45b3d@gmx.net>
Date: Tue, 19 Nov 2024 09:10:39 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Mohit Sethi <mohit@iki.fi>
References: <GVXPR07MB9678DFD1EED3971606FB3DE6893B2@GVXPR07MB9678.eurprd07.prod.outlook.com> <AS8PR10MB7427BE068D9472C465A7392EEE082@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <5a79de00-2204-4e92-84bb-8b9b272a6ea6@iki.fi> <6aff1943-e896-4b00-8a61-d00c3b574953@gmx.net> <b986a11a-c00a-43a5-80d0-100dbd3f6fbf@iki.fi>
Content-Language: de-AT-frami
From: Achim Kraus <achimkraus@gmx.net>
In-Reply-To: <b986a11a-c00a-43a5-80d0-100dbd3f6fbf@iki.fi>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
X-Provags-ID: V03:K1:YcP4zaZ4n6zeAlKRTdww5Br6uqk3Vy83mhhwPIQTooUZhORjwOd glkDWTHGUkOmzFxchfl+ZCZ9bJjGdrr2DWdU6XZUl2rutOJAOTdZbdSFvHObx1lSKbNhsa/ 2EFpRqZqhXR5fgbe4XLGRUqH2Ka9MUpltv1C5cEv0atXhB2+Tqdrz8skjZHzORtoGsInzPy Kqz5TaoSAYm/S7aTdIVnw==
UI-OutboundReport: notjunk:1;M01:P0:hZ94krOEKt8=;BhEGcdc5MKAo4+QNBC8X3cHCAWs j3kJWxape+ZLHs2JvS8y1XL76mlwWDq0wBwsEHbdXh1K6hDAGVUmgtYjLFJRID6ImNjzXzJTl Sxtx7BowrEBI1XTCxjvau687ieYh68nvMwQCwPBjrDbLz979YbSxjcN3ebktWHMcXm/ALh0IT KsamRnq2yLVDKM9NvsEZPxYoi3U9azOZ0oKFakHtjaDuqoimNM7i0RbDr0oJmAP2VLSkS6C4L rDKQX83R2Kz1fPuP/ChE2RpZqm4ZcJ4J039u9Tu6b+McUcT7KRq4CcCFv0U9ywdFWR4+oBxHx vgSJOlTaheTH8KUCvR3cNdKs5wFisXJMzEPpR/5iCVpYFjV5NjgtEqSWEdnt+HLxzEV+qqC2z Iv7yo5OQ2eT9e4dmZfn0WFr4iROOs6Vw+PX70GJaADzGIRyCsofjjAA8f4cHMkrJVKbMPonZ7 B7ke0KxmHWGUGzif6K0RXiFXOKhxd75YHlVfmFcbIhhsPhh0oBX/bO/De9ZABIQx7Td22R+Au P+4ct4Sjf38wozocHCXG0yLeeoTE8dkf4twQouy9C5rCvrpcwWyjYK1B41iBWWRbSS/gGSwoX 1RbqzPZ9zH+a1ySwLl1Pa/JeBGK//hpEoZHmLVg6nlvtr65/Miu7OvduuwjC8nD10CICTsrC5 0DUx+NqitNarzjeo1rv6srpcDx16R/VYl8ETTePDYFjx5A1lI/mT7115hxzBRzTukeYZcA56q 5aLbtAS7FVZ99AFjP4GxWElvX4ZiSU85qzTp1FlL6GQYaBkKF10UT/7PQbiyPzI3G7IJxPptd 8ArfI1xq5JH0vK4wEQ/FlMCLE3u0dJPrwwz2u/wCOFvYwQYEqwXf+65/jkQSrXisZb5W66Z/c zzWwTeLZfVqlRL9re+yGy56Hqn48OTpJOUNTcjW7l0DtsVw/wDW204XRI
Message-ID-Hash: O6B5CYYX7HFCVFKJBIZRJAD7MQZIM3A3
X-Message-ID-Hash: O6B5CYYX7HFCVFKJBIZRJAD7MQZIM3A3
X-MailFrom: achimkraus@gmx.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: TLS 1.3, Raw Public Keys, and Misbinding Attacks
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5Q7L59dBSVl2IKJ2mkNM1wzu5DA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Mohit,

 > B and C are fighter jets, and A is their commander. B has been
 > compromised by the enemy. A tells B to self-destruct, but because B
 > mounted a misbinding attack, the command goes to C.

As long as:
- each party uses it's own key-pair
   (that is commonly achieved by generating a key-pair for each)
- all private keys stay private, they are obvious not shared at all
- all public keys are exchanged ahead (out-of-band and in a trustful
   way) so that each fighter knows, which public key authenticates
   each other fighters.

I hardly see the attack.

br
Achiom




Am 19.11.24 um 07:52 schrieb Mohit Sethi:
> Hi Achim, Viktor,
> 
> Answering to multiple posts in a single email.
> 
>> The provisioning is frequently done "out-of-band" and the trust is
>> based on that procedure. 
> 
> As observed from the formal modeling exercise: 
> https://arxiv.org/pdf/2411.09770, misbinding is possible even in the 
> case where provisioning is "out-of-band".
> 
>> I consider, that your statement applies for some use-case, and for
>> others not.
> 
> There typically is always an identity associated with a key. You may 
> correctly choose not to care about the identity. For example, client IoT 
> devices will still have an IP address when connecting to a server. 
> Naturally, client’s IP address is rarely a reliable identifier because 
> most clients have dynamic IP addresses or are behind a NAT. Therefore, 
> libraries such as libCoAP assign the identity "RPK" to all clients when 
> using (D)TLS: 
> https://manpages.ubuntu.com/manpages/noble/man3/coap_encryption.3.html
> 
>>     * NOTE: If using RPK, then the Public Key does not contain a CN, but "RPK"
>>              * is presented for the cn parameter.
> Ultimately, it depends on how you build the local file or database of 
> trusted public keys and whether you care about detecting and preventing 
> misbinding.
> 
>> With that, please keep RFC7250 "as it is" and if you really insist,
>> introduce a new certificate type, which then may be trimmed to the
>> use-case, you have in mind. 
> I don't know how you got the impression that there are some changes 
> suggested to RFC 7250 and a new certificate type is necessary. There 
> isn't. I am also not sure what use-case you are referring to?
> 
> Viktor wrote:
> 
>>    So "misbinding" attacks are not
>>      "interesting" in this context.
> I fully agree with the assertion that the consequences of misbinding in 
> different situations isn't always clear or even relevant. Our paper 
> presents several potential attack scenarios of server (section 4) and 
> client (section 5) misbinding when using RPKs for authentication. On a 
> broader note, one example consequence of misbinding that Hugo Krawczyk 
> gave in a lecture was:
> 
>> B and C are fighter jets, and A is their commander. B has been 
>> compromised by the enemy. A tells B to self-destruct, but because B 
>> mounted a misbinding attack, the command goes to C.
> 
> For a long time, like Viktor, I thought all this to be very speculative 
> and not "interesting". But maybe with drones etc., I think the example 
> by Hugo Krawczyk now has practical relevance (for me).
> 
> In any case, I think it doesn't hurt to provide guidance on detecting 
> and preventing misbinding where possible. Obviously, the guidance should 
> not deter the use of RPK altogether. The intention of the pull request 
> to 8446bis is to suggest that endpoints should verify each other's 
> identity when they are unique and meaningful (which is at least the case 
> when servers use domain names as identities). We can modify the exact 
> text accordingly.
> 
> --Mohit
> 
> On 11/18/24 08:55, Achim Kraus wrote:
>> Hi Mohit,
>>
>> > Coming back to this. I'd disagree with the assertion that when using 
>> the
>> > raw public key mode, the public key is the identity. We don't open a
>> > connection to a key - we open a connection to a domain name or to an IP
>> > address .... unless of course we are a HIPster and use Host Identity
>> > Protocol (HIP) such that the key and the address is strongly 
>> intertwined.
>> >
>>
>> I consider, that your statement applies for some use-case, and for
>> others not.
>>
>> Especially for device communication, it is also common to use a rather
>> "private" deployment with ahead provisioned credentials (PSK, RPK).
>> The provisioning is frequently done "out-of-band" and the trust is
>> based on that procedure.
>> For the client-side I also can't see, that the certificate of the
>> client is related to a "domain-name", at least it's in my opinion
>> not a "public" domain-name.
> 
> 
> 
>>
>> With that, please keep RFC7250 "as it is" and if you really insist,
>> introduce a new certificate type, which then may be trimmed to the
>> use-case, you have in mind.
>>
>> br
>> Achim
>>
>>
>>
>>
>> Am 18.11.24 um 07:25 schrieb Mohit Sethi:
>>> Hi Hannes, all,
>>>
>>> Coming back to this. I'd disagree with the assertion that when using the
>>> raw public key mode, the public key is the identity. We don't open a
>>> connection to a key - we open a connection to a domain name or to an IP
>>> address .... unless of course we are a HIPster and use Host Identity
>>> Protocol (HIP) such that the key and the address is strongly 
>>> intertwined.
>>>
>>> John is right here, if we don't include the server identity (e.g.:
>>> domain name) in the handshake or verify it separately, then misbinding
>>> is possible. We modeled TLS RPK with Proverif and found that misbinding
>>> is possible: 
>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Farxiv.org%2Fpdf%2F2411.09770&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011653679%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=m1WHWu6x4Mji1I3V5lDx%2F1xsp9wkEll7lXATML0dZaE%3D&reserved=0. The model detects
>>> misbinding in both cases: i) where the received public key is verified
>>> via DANE, and ii) where the received public key is verified from a list
>>> of pre-configured of keys.
>>>
>>> In fact, the existence of misbinding of TLS RPK can easily tested in the
>>> real-world with OpenSSL using the following command (version 3.2.0 
>>> and up):
>>>
>>>> openssl s_client -connect msguru.eu:25 -dane_tlsa_domain "msguru.eu"
>>>> -dane_tlsa_rrdata "3 1 1
>>>> F4D9CF3B4E251085A4F3193DAAF3A5141CD95C7109D33C971C3F8F7CEC48CD1B"
>>>> -starttls smtp -enable_server_rpk
>>>
>>> The above command results in a successful TLS handshake as is evident
>>> from the output:
>>>
>>>> Server-to-client raw public key negotiated
>>>> Server raw public key
>>>>   Public-Key: (2048 bit)
>>>>   Modulus:
>>>>       00:c8:eb:ec:64:97:5d:aa:b6:99:06:68:13:8d:76:
>>>>       ff:31:06:77:fa:30:d0:a8:91:8e:90:fa:d5:77:7d:
>>>>       ad:0c:a3:5d:20:23:ee:b9:c7:23:5e:e4:3f:60:cd:
>>>>       6e:e6:2d:84:16:8e:03:ab:5b:a9:b3:ce:38:16:2d:
>>>>       6b:82:8f:22:ab:2c:23:19:7d:30:57:95:10:80:fe:
>>>>       d4:50:e5:c5:e3:c0:78:dc:86:31:87:aa:46:c8:95:
>>>>       3f:4a:8c:eb:21:58:f3:3b:c4:c9:1d:a4:53:cc:0e:
>>>>       79:ae:3c:92:d3:ac:9f:6f:34:5d:b6:78:92:29:27:
>>>>       70:a7:14:4e:26:ed:76:aa:81:ea:27:79:37:68:3c:
>>>>       20:4e:11:8a:30:c3:ff:93:c9:ee:24:a4:29:2a:44:
>>>>       bf:40:c2:1e:bd:cb:f7:1d:c6:f2:81:16:14:73:a8:
>>>>       88:09:10:bc:95:56:62:17:8c:db:55:ce:14:b0:70:
>>>>       d0:69:54:84:20:5e:b7:35:74:91:8d:1c:c0:3d:95:
>>>>       be:41:c0:6e:d4:34:6c:eb:25:7d:fd:c9:45:9c:e6:
>>>>       e6:9e:07:dd:28:22:70:34:7d:80:8d:43:6f:26:88:
>>>>       80:81:8c:02:95:dc:6f:3e:8f:ee:c1:df:95:a0:b8:
>>>>       58:78:15:bf:47:67:c7:b4:07:22:3e:ca:04:5e:3f:
>>>>       01:f7
>>>>   Exponent: 65537 (0x10001)
>>>> ---
>>>> SSL handshake has read 1066 bytes and written 444 bytes
>>>> Verification: OK
>>>> DANE TLSA 3 1 1 ...09d33c971c3f8f7cec48cd1b matched the peer raw
>>>> public key
>>>> ---
>>> However, there is no server msguru.eu listening on port 25. Instead you
>>> are connected to Viktor's mail server at mx1.imrryr.org which supports
>>> server authentication with RPKs and has a DANE record published:
>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.nslookup.io%2Fdomains%2F_25._tcp.mx1.imrryr.org%2Fdns-records%2Ftlsa%2F&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011672455%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=5fOcEehL0Jvs%2BpWSfnMg48AgWguHbCHzEebbLtnOc2c%3D&reserved=0. Thankfully, most ISPs block outbound port 25 and therefore Viktor's mail server is not suddenly going to see a massive spurt in traffic. The fact that someone can publish a different MX record as their own and that the SNI can be used to detect such situation was already pointed out by Viktor in his email: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Ftls%2Fey_rNTC8Um1OMD5cxjkpZ1OyInQ%2F&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011685911%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=PZvTQjjMyNngU8UwXtczBy6L3GIFxv7tWO36uP8c%2Bvc%3D&reserved=0.
>>>
>>> The lesson here is the same countermeasure for all misbinding attack -
>>> be explicit about the identities and check them. We have created a pull
>>> request for 8446bis adding a reference to misbinding attacks and
>>> countermeasures when using RPK. The goal was to keep the text to a 
>>> minimum:
>>>
>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftlswg%2Ftls13-spec%2Fpull%2F1366&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011699130%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=mhVDtiV57hO5rQtTtx%2FCvKg0EJgvy52PNxZ%2BpHOfg1o%3D&reserved=0
>>>
>>> Feel free to modify the pull request and use! We welcome any further
>>> discussion.
>>>
>>> PS: We have some other results we are working on and will be happy to
>>> present them together at one of the upcoming IETF meetings (likely 123
>>> in Madrid).
>>>
>>> On 4/16/24 12:30, Tschofenig, Hannes wrote:
>>>>
>>>> Hi John,
>>>>
>>>> I missed this email exchange and I largely agree with what has been
>>>> said by others before.
>>>>
>>>> I disagree with your conclusion since the “identity” in the raw public
>>>> key case is the public key.
>>>>
>>>> With the self-signed certificate there would the danger that the
>>>> self-asserted identity in the certificate is actually used for 
>>>> anything.
>>>>
>>>> Ciao
>>>>
>>>> Hannes
>>>>
>>>> *From:*TLS <tls-bounces@ietf.org> *On Behalf Of *John Mattsson
>>>> *Sent:* Thursday, March 28, 2024 4:22 PM
>>>> *To:* TLS@ietf.org
>>>> *Subject:* [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks
>>>>
>>>> Hi,
>>>>
>>>> I looked into what RFC 8446(bis) says about Raw Public Keys. As
>>>> correctly stated in RFC 8446, TLS 1.3 with signatures and certificates
>>>> is an implementation of SIGMA-I:
>>>>
>>>> SIGMA does however require that the identities of the endpoints
>>>> (called A and B in [SIGMA]) are included in the messages. This is not
>>>> true for TLS 1.3 with RPKs and TLS 1.3 with RPKs is therefore not
>>>> SIGMA. TLS 1.3 with RPKs is vulnerable to what Krawczyk’s SIGMA paper
>>>> calls misbinding attacks:
>>>>
>>>> “This attack, to which we refer as an “identity misbinding attack”,
>>>> applies to many seemingly natural and intuitive protocols. Avoiding
>>>> this form of attack and guaranteeing a consistent binding between a
>>>> session key and the peers to the session is a central element in the
>>>> design of SIGMA.”
>>>>
>>>> “Even more significantly we show here that the misbinding attack
>>>> applies to this protocol in any scenario where parties can register
>>>> public keys without proving knowledge of the corresponding signature 
>>>> key.”
>>>>
>>>> As stated in Appendix E.1, at the completion of the handshake, each
>>>> side outputs its view of the identities of the communicating parties.
>>>> On of the TLS 1.3 security properties are “Peer Authentication”, which
>>>> says that the client’s and server’s view of the identities match. TLS
>>>> 1.3 with PRKs does not fulfill this unless the out-of-band mechanism
>>>> to register public keys proved knowledge of the private key. RFC 7250
>>>> does not say anything about this either.
>>>>
>>>> I think this needs to be clarified in RFC8446bis. The only reason to
>>>> ever use an RPK is in constrained IoT environments. Otherwise a
>>>> self-signed certificate is a much better choice. TLS 1.3 with
>>>> self-signed certificates is SIGMA-I.
>>>>
>>>> It is worrying to find comments like this:
>>>>
>>>> “I'd like to be able to use wireguard/ssh-style authentication for my
>>>> app. This is possible currently with self-signed certificates, but the
>>>> proper solution is RFC 7250, which is also part of TLS 1.3.”
>>>>
>>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fissues%2F6929&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011711560%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=fhVNHXyapg6cwMt3ULeBI44%2B0c%2B7UIe%2Fir3%2BzzfKOm8%3D&reserved=0
>>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fissues%2F6929&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011724475%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=OK9zJywpgVUjciYWA%2B%2FXU41PW0nxPN2OO5ApHfueeaE%3D&reserved=0>
>>>>
>>>> RPKs are not the proper solution.
>>>>
>>>> (Talking about misbinding, does RFC 8446 say anything about how to
>>>> avoid selfie attacks where an entity using PSK authentication ends up
>>>> talking to itself?)
>>>>
>>>> Cheers,
>>>>
>>>> John Preuß Mattsson
>>>>
>>>> [SIGMA] 
>>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-540-45146-4_24&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011736175%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=OodiXeD%2FyOFd20muZPVfqhRpNXtlYYOHqyho%2F4dBcb4%3D&reserved=0
>>>> <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-540-45146-4_24&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011748055%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=YVWhb%2FnkjnMAhaIMYZOgBH6KgQPY2UPlO09ggTmepA8%3D&reserved=0>
>>>>
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C02%7Cmohit.sethi%40aalto.fi%7C382b365d77294342590f08dd079e1485%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638675098011759747%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=kzIwp6tblZWGoLhmy87B%2BAd8psnNqxUFVSYgFJDIYjs%3D&reserved=0
>>>
>>> _______________________________________________
>>> TLS mailing list -- tls@ietf.org
>>> To unsubscribe send an email to tls-leave@ietf.org
>>