Re: [TLS] Remove DH-based 0-RTT

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 25 February 2016 14:03 UTC

Date: Thu, 25 Feb 2016 16:03:28 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Message-ID: <20160225140328.GA29904@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABkgnnUUXQh=aStz4DuPtw5mWaF7aDFozuUwQp_QbJ2EGL0eHg@mail.gmail.com> <201602232057.18505.davemgarrett@gmail.com> <CADi0yUP-TAFPWgzG4voFTfUcbrPXcffC5rTTsbsOs+=TQ7jYmw@mail.gmail.com>
In-Reply-To: <CADi0yUP-TAFPWgzG4voFTfUcbrPXcffC5rTTsbsOs+=TQ7jYmw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8iCsG_iewuMfhTTssXLLEEptAhI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Remove DH-based 0-RTT

On Tue, Feb 23, 2016 at 10:39:37PM -0500, Hugo Krawczyk wrote:
> On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett <davemgarrett@gmail.com>
> wrote:
> 
> I suggest also defining TLS 1.3-EZ.
> A subset of core safe functionality that should address the majority of the
> usage cases.

What restrictions should there be for that subset?

I think at least the following:

- No 0-RTT (if you are looking for "exciting" security analysis, this
  is the best place to look at).
- Server waits until ClientFinished before sending data (see the
  0.5-RTT thread about excitement if you don't).
- No Server configs (but this might be going anyway).
- No post-handshake client auth (dangerous if used wrong).
- No SHA1 hash algorithm (broken!)
- No TLS-Unique (deprecated due to breakage in earlier versions)

The rest of potentially troublesome stuff seems to be extensions,
e.g. anything defining new handshake messages (except OCSP extensions,
since those messages presumably will be folded to Certificate messages).

(There's plenty of crap in the registries, but most of it has gotten
killed off from TLS 1.3 anyway).


-Ilari
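One concrete reading of that restriction list, as an added Go example that is not part of the thread: a server tls.Config pinned to TLS 1.3 with session tickets (and therefore PSK resumption, which 0-RTT depends on) and client certificates switched off, plus an in-memory handshake that reports the server's view of the negotiated connection so the profile can be checked. The function names ezConfig, selfSignedCert and handshake and the host name ez.example are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ezConfig is a server config in the spirit of the "TLS 1.3-EZ" list above: TLS 1.3
// only (no SHA-1 signatures, no tls-unique), no session tickets (no PSK resumption,
// hence no 0-RTT), no client certificates (Go's crypto/tls has no post-handshake auth).
func ezConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13,
		SessionTicketsDisabled: true, ClientAuth: tls.NoClientCert}
}

// selfSignedCert builds a throwaway ECDSA P-256 certificate (constructed at run time).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"ez.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// handshake runs client and server over an in-memory pipe (no sockets) and returns
// the server's view of the negotiated connection.
func handshake(cfg *tls.Config) (tls.ConnectionState, error) {
	cp, sp := net.Pipe()
	errc := make(chan error, 1)
	go func() { // demo client; verification skipped only because the cert is self-signed
		errc <- tls.Client(cp, &tls.Config{ServerName: "ez.example", InsecureSkipVerify: true}).Handshake()
	}()
	srv := tls.Server(sp, cfg)
	if err := srv.Handshake(); err != nil {
		sp.Close() // unblock the client goroutine before giving up
		return tls.ConnectionState{}, err
	}
	return srv.ConnectionState(), <-errc
}
```

Call handshake(ezConfig(cert)) from a main or a test and check Version, DidResume, TLSUnique and PeerCertificates on the returned state; for a TLS 1.3 connection TLSUnique is empty.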