[TLS] Re: Concerns about the current draft.
John Mattsson <john.mattsson@ericsson.com> Wed, 03 September 2025 05:47 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: David Benjamin <davidben@chromium.org>, Martin Thomson <mt@lowentropy.net>
Date: Wed, 03 Sep 2025 05:47:03 +0000
CC: "<tls@ietf.org>" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7OihuqRA5TZZM5N47QXIBayu87I>

David Benjamin wrote:
> RFC 9001 doesn't really use ECB. It uses the AES block cipher, a function that takes a fixed-length 16-byte input to a fixed-length 16-byte output. It's just that some (but not all!) cryptography libraries don't have an API for that

I completely agree, RFC 9001 does not actually use ECB. However, the fact that it mentions ECB is very problematic. As ECB is named in the QUIC RFC, people DO think it is acceptable to use it, when in fact they absolutely should not. The IETF should take responsibility not only for the security of QUIC itself, but also for the broader ripple effects that RFC wording causes.

In my view, there is no valid reason for QUIC to mention ECB at all. If a library lacks AES-ENC, then AES-CBC or AES-CTR can be used instead. In fact, the following four formulations all produce the same result:

1. AES-ECB(P = X)
2. AES-ENC(P = X)
3. AES-CBC(P = X, IV = 0^16)
4. AES-CTR(P = 0^16, IV = X)

Cheers,
John

From: David Benjamin <davidben@chromium.org>
Date: Wednesday, 3 September 2025 at 04:19
To: Martin Thomson <mt@lowentropy.net>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, Sophie Schmieg <sschmieg@google.com>, John Mattsson <john.mattsson@ericsson.com>, <tls@ietf.org>
Subject: Re: [TLS] Re: Concerns about the current draft.

On Tue, Sep 2, 2025, 21:09 Martin Thomson <mt@lowentropy.net> wrote:

On Wed, Sep 3, 2025, at 03:12, Tim Hollebeek wrote:
> In particular, X-ECB is horribly broken and these days probably should
> not be used by anyone, ever. That advice is already a decade old or
> more, at this point.

Total distraction, but RFC 9001 uses ECB. Defensibly so, I believe. Though perhaps you might consider the use as part of a more advanced mode, HN-1.

Now for the tongue-in-cheek version: Absolute statements are always wrong.

To add to the distraction, this is really an example of compounded confusion in how to define things, not a legitimately good use of ECB. RFC 9001 doesn't really use ECB. It uses the AES block cipher, a function that takes a fixed-length 16-byte input to a fixed-length 16-byte output. It's just that some (but not all!) cryptography libraries don't have an API for that, instead insisting on jamming unrelated objects into the same interface. That leads to always having a variable-length Mode(TM) on everything. (This kind of thinking leads to the infamous "RSA/ECB/..." APIs.) Then the (not common) applications that actually need the underlying fixed-length block cipher are stuck using variable-length ECB as the only way to get at it, even though actually making use of the variable-length aspect would be a problem.

To that end, RFC 9001 would have been written better to say it used the block cipher, with a little bit of implementation guidance that, if you don't have an API for that, you might be able to call an ECB API instead. Indeed I remember, when I was helping folks implement this, the ECB wording caused a lot of confusion and I had to direct them to the block cipher functions instead. No sense in materializing all the extra machinery for a true variable-length ECB when you were just going to run the block cipher once.

David
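
Added example, not part of the original message or of any code from its participants: the single-block equivalence listed in the message, checked with Go's standard library, which exposes the raw block cipher and ships no ECB mode. The function name `oneBlock` and the sample input (the AES-128 example vector from FIPS 197, Appendix C.1) are choices made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// oneBlock computes AES_K(X) for exactly one 16-byte block in three of the
// ways listed in the message. Go's standard library has no ECB mode; the
// cipher.Block interface is the fixed-length primitive itself.
func oneBlock(key, x []byte) (enc, cbc, ctr []byte, err error) {
	if len(x) != aes.BlockSize {
		// Refuse variable-length input: only the single-block case is equivalent.
		return nil, nil, nil, fmt.Errorf("input is %d bytes, want %d", len(x), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, nil, err
	}
	zero := make([]byte, aes.BlockSize)

	// AES-ENC(P = X): the raw block cipher.
	enc = make([]byte, aes.BlockSize)
	block.Encrypt(enc, x)

	// AES-CBC(P = X, IV = 0^16): X XOR 0 is X, then one block encryption.
	cbc = make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(block, zero).CryptBlocks(cbc, x)

	// AES-CTR(P = 0^16, IV = X): keystream block AES_K(X) XOR 0.
	ctr = make([]byte, aes.BlockSize)
	cipher.NewCTR(block, x).XORKeyStream(ctr, zero)

	return enc, cbc, ctr, nil
}

func main() {
	// Sample input chosen for this example: FIPS 197, Appendix C.1 (AES-128).
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	x, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	enc, cbc, ctr, err := oneBlock(key, x)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ENC %x\nCBC %x\nCTR %x\n", enc, cbc, ctr)
	fmt.Println("all equal:", bytes.Equal(enc, cbc) && bytes.Equal(enc, ctr))
}
```

The length check is what keeps the CBC and CTR substitutes from turning into a general-purpose variable-length mode: the equality holds only for a single block.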