Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Martin Thomson <mt@lowentropy.net> Sat, 30 April 2022 11:20 UTC

Date: Sat, 30 Apr 2022 21:20:19 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: "Douglas Stebila" <dstebila@gmail.com>
Cc: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/61VDuWc4K_ypW0-01DTgRHsoOxg>


On Sat, Apr 30, 2022, at 00:24, Douglas Stebila wrote:
> Thanks for the feedback Martin.  I see what you're getting at regarding 
> phrasing it in terms of KeyGen[i], Encaps[i], etc.  This is a good 
> point:
>
>>> For a hybrid key exchange, the key_exchange field of a KeyShareEntry is the concatenation of the key_exchange field for each of the constituent algorithms. 
>> 
>> I think that this text is a mistake as it implies that the component key exchange algorithm has a defined key_exchange format.  What you want is a definition in the form above, or as HPKE has it.
>
> Indeed it makes sense to be able to define a hybrid key exchange method 
> independent of whether all of the component algorithms are already 
> defined standalone key exchange methods in TLS 1.3.  I do however want 
> to tie back somehow to the idea that, *if* one of the algorithms is 
> already defined as a key exchange method in TLS 1.3, then the value 
> that should be put in the key share concatenation is just the key share 
> that was used when it was a standalone method.  Is that okay?

Definitely.  It's just that - for now at least - it seems very likely that some of the component algorithms will not be standalone key exchange methods (or groups).

>> With something like this, I'd like to see the implication that the TLS key schedule is changed by this draft can be removed (in Section 3.3 specifically).
>
> I don't read Section 3.3 as implying that the TLS key schedule is 
> changed.  It says how one of the inputs to the key schedule is 
> computed, but otherwise I think it's just saying: put this concatenated 
> value into the obvious place in the existing key schedule.  Can you 
> point me to where you read it as implying more changes to the TLS key 
> schedule?

The diagram of the key schedule (which really needs a figure number) is quite obviously a diff.  Apart from that piece, it's probably OK.
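A sketch, added here and not taken from the draft or from either poster, of what the concatenation discussed above looks like once each component's key_exchange length is fixed by that component's own definition: the hybrid KeyShareEntry is built and split by those fixed lengths, and the concatenated shared secret replaces the (EC)DHE input to HKDF-Extract without otherwise touching the key schedule. The group code point, the component lengths and all byte values are constructed placeholders.

```python
import hmac
import struct

# Constructed placeholders: not a registered code point, and the component
# lengths stand in for whatever each component algorithm's definition fixes
# (e.g. a 32-byte ECDH share followed by a 64-byte KEM public key).
HYBRID_GROUP_ID = 0xFE00
COMPONENT_SHARE_LENGTHS = (32, 64)


def build_key_share_entry(component_shares):
    """Serialize a KeyShareEntry whose key_exchange is the concatenation of the
    component shares, in the order of the component algorithms."""
    if len(component_shares) != len(COMPONENT_SHARE_LENGTHS):
        raise ValueError("wrong number of component shares")
    for share, expected in zip(component_shares, COMPONENT_SHARE_LENGTHS):
        if len(share) != expected:
            raise ValueError("component share has unexpected length")
    key_exchange = b"".join(component_shares)
    return struct.pack("!HH", HYBRID_GROUP_ID, len(key_exchange)) + key_exchange


def parse_key_share_entry(data):
    """Parse a KeyShareEntry and split key_exchange back into component shares.
    Splitting is only unambiguous because every component length is fixed, so
    any entry whose length differs from their sum is rejected."""
    if len(data) < 4:
        raise ValueError("truncated KeyShareEntry")
    group, length = struct.unpack("!HH", data[:4])
    key_exchange = data[4:4 + length]
    if group != HYBRID_GROUP_ID or len(key_exchange) != length:
        raise ValueError("malformed KeyShareEntry")
    if length != sum(COMPONENT_SHARE_LENGTHS):
        raise ValueError("key_exchange length does not match hybrid group")
    shares, offset = [], 0
    for n in COMPONENT_SHARE_LENGTHS:
        shares.append(key_exchange[offset:offset + n])
        offset += n
    return shares


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """HKDF-Extract (RFC 5869), the primitive the TLS 1.3 key schedule uses."""
    return hmac.new(salt, ikm, hash_name).digest()


def handshake_secret(derived_early_secret, component_shared_secrets):
    """The hybrid shared secret is the concatenation of the component shared
    secrets; it takes the place of the (EC)DHE input to HKDF-Extract, and the
    rest of the key schedule is unchanged."""
    return hkdf_extract(derived_early_secret, b"".join(component_shared_secrets))
```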