Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Nikos Mavrogiannopoulos <> Wed, 01 April 2015 18:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CCB181A8881 for <>; Wed, 1 Apr 2015 11:53:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.013
X-Spam-Status: No, score=-2.013 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OcvucdgeSWG9 for <>; Wed, 1 Apr 2015 11:53:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E4E211A886B for <>; Wed, 1 Apr 2015 11:53:09 -0700 (PDT)
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id t31Ir7O9059803; Wed, 1 Apr 2015 14:53:07 -0400
Date: Wed, 01 Apr 2015 14:53:07 -0400
From: Nikos Mavrogiannopoulos <>
To: Sean Turner <>
Message-ID: <>
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [,]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF31 (Linux)/8.0.6_GA_5922)
Thread-Topic: confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
Thread-Index: T4JENAzDlqDpBcUXUQEtkSX7gFLrZA==
Archived-At: <>
Cc: tls <>
Subject: Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Apr 2015 18:53:19 -0000

----- Original Message -----
> This message is to confirm the consensus reached @ the IETF 92 TLS session in
> Dallas and at the TLS Interim in Seattle to make the TLS 1.3 PRF be an
> HKDF-based PRF (see
> Please indicate whether or not you agree with the consensus by 2015-04-17.
> If not, please indicate why.  Also, please note that we’re interested in
> uncovering new issues not rehashing issues already discussed.

I believe the question is totally unwarranteed. No-one has presented any argument
on why the TLS PRF is not sufficient for its purpose. The only arguments presented
are theoretical advantages of HKDF, which are fine, but do they add value to TLS?
Does the advantages of HKDF translate into weaknesses of the TLS PRF?

So no matter the output of that poll the result will be an uneducated guess. In all cases
it is alarming to see the easiness with which the protocol is being rewritten completely.
Now its only similarity with TLS 1.2 is the TLS acronym. Would that rewrite bring value
in par with the efford needed for the rewrite? Would it make us safer in 2030 or are we
simply apply yesterday's technology today?