IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-prediction next steps

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 10 September 2024 21:50 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3332C151710 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 14:50:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.253
X-Spam-Level:
X-Spam-Status: No, score=-2.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id smF53lhwj1dE for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 14:50:17 -0700 (PDT)
Received: from BN1PR04CU002.outbound.protection.outlook.com (mail-eastus2azon11020082.outbound.protection.outlook.com [52.101.56.82]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D75A2C151095 for <tls@ietf.org>; Tue, 10 Sep 2024 14:50:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=YLIilJcXineN5IXHDIBrMhKJySogmMVy6TcQAjtsRezsi1XtwR9pybAeY+L0rGnmlSGhYWOxlOzgPQDkA+jZGG3hF0T1+dm4mPzFe44rljgMObpcX7VQxYDQn35i7tKM+kG6Rqq/UhiEuvoukIFJYVVR9VOBu870SB3gVI6JYEv8FQFHmJhnqVzs50OHOFqy/8SpjQQPlwtOBOOxxLCDWk7L6JgOE79AzPafFa+vhzlyDlC53YD4I63DkTHLZakOUMy+Qn26J07xLZkn7Qgb2TKlcuXFeVqB6E6CXvxf/Xy5pls8UCD5kfrRO6JNffAKoBokLglSV2Y479XMp+XXPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tOqPx20b2UayqCOiZWsw/WqLYgFe7+0cTBPeYsLNi8A=; b=xar+nDBmkEX1sEDiYdmsKiAaN/6+A/kpgrO4qo0AEM18VRvq+t5vs1+h9KiAhP13AwuNxcuF9rjJuODdMZbz+NIHzvSSgV33ZQT4cnh/JoG3a8qm1qp57VXtEH9n8D6VJSzpt5zo3JYw3UkdbtLrq2m6E8ipG1BviH6GzTxmhfPKSx3sxG9m6GWjgdGEu9c3WOvB5xoP+JUN826ODCDKCw/vu5g92RYn4K0DoIx0DeNno5pDrJOzdFNLcy0tKL5uluS+l1zXcBpLO9/SLEj71dg/Y6SWZBMVZ8lGZJKuyqGGettv2uJ1WqcK/+/xYRcoSLEIqRbqC0WnfIy12tO7SQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tOqPx20b2UayqCOiZWsw/WqLYgFe7+0cTBPeYsLNi8A=; b=jECTmZ+ZFH7+N+7OSGcnRe8ldV4VxLv2f0qv6/tnfrt8B01xgxIbWtAKJz0aqoIL1wwFLNgR/gcJFWlhhiGfIH2EpICcl98JvUoCn5xNx0fNdIkqtepx0aFxiALHfyPxSNE13OgDACJnL5UoRRCJsVPkz0iiE4ErIAla7SEJYEI=
Received: from DS7PR21MB3716.namprd21.prod.outlook.com (2603:10b6:8:92::21) by DM6PR21MB1515.namprd21.prod.outlook.com (2603:10b6:5:25d::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7982.6; Tue, 10 Sep 2024 21:50:14 +0000
Received: from DS7PR21MB3716.namprd21.prod.outlook.com ([fe80::4a60:3e47:4b24:914]) by DS7PR21MB3716.namprd21.prod.outlook.com ([fe80::4a60:3e47:4b24:914%4]) with mapi id 15.20.7982.003; Tue, 10 Sep 2024 21:50:13 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [EXTERNAL] [TLS] draft-ietf-tls-key-share-prediction next steps
Thread-Index: AQHbA8o0EpQuDQ+5HEyHyUEfr7n3m7JRjgGw
Date: Tue, 10 Sep 2024 21:50:13 +0000
Message-ID: <DS7PR21MB37163D5C728E7917A939E30D8C9A2@DS7PR21MB3716.namprd21.prod.outlook.com>
References: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com>
In-Reply-To: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=aa26f6ff-5ffa-47e5-b36c-3b94ed474440;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2024-09-10T21:45:46Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DS7PR21MB3716:EE_|DM6PR21MB1515:EE_
x-ms-office365-filtering-correlation-id: 0822ba10-f096-4f11-aee0-08dcd1e28cd8
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|366016|376014|38070700018;
x-microsoft-antispam-message-info: XQzkxhGVv0DsFmpkGW6JB7hQK5dK84h5DPgxh5TXBD/UQWf/jcpXtF1y1EZZgG87LOh4avyl/2AGMjpOO51z5/+zTQeYOUsnd9js7dPQjSxKBjSQF07HSGQvwVRhkXfjmcowKb9bAjjc1lWuLGrP8WX33Tsu2DVsuURPRBcIi46Fd89XqfnqZdxGKc3n05zk6bFDIXJn7WfsREROlcu9A+OXXRf0P8M5nVSIZtWjREtAGSAyPapDsk0b6DFuncgEWjqZUYgvGIUkt3T3r9pnzoY3LKjq/QBU5UMW4Qei6Luy0wE+lj+3k3Iv68J7cfBN99YbVT5dREj+EdC8bZr83A7zxbopHr50pxFfNR8Jo4h6EwqRjjRK3bLcZmpBVdG1reMI5vP1OeaV65i68fnP7EzjGM9UBqbCMwVFBj6kLQpcSusjSrqMxBO3rOzgPqdHyOU3kiLvx6oXYsKJX5MRXLRq32q99YD51lS+TUlFzmcgRBzyebWTGIMWcx3XqXurKbi1cs3k2pql24vBuq8loihbqPd01eFleJLsvytuwCwsHjbPQQ1Z6WvocML+gEwBc7zYDMuNFgYBM7ibUdyyQSxmKbxRttB4hPJRDdmrlGJNUnZkzcUMxN9GRWXa5CpV0ou8ttIrZkelacbbSmTDvcgNZYbeAx5wbLYo0s52f6yQui8Fqc0qH4Y2v0fYnE9cMuKFB5CGmwmIiro7SfWo0bpspHdi2bNQCpqfCMS3SVqanpUnsjYJN6ArpmjMmjocErWPayLJM7yNl1bcd7xj5AkSs4658hk5ELsaTYCe5ZrAmCoK+Q+kQFW6P8tJN8j7jl6mjXiLh/A3xzFAvgFllV3of8Kuglpttayj2uhsvAp9ILECmhf1FDu+7fMvt4lbxQ1BR3ZcFKC0+8UP5p6YKT2hju9GRytZtlv8aU1UJBA+LaH4YOuQBNz/KVJUnMGA48oYGO40/w8eCGHvS4mODE6ZAM4qIa/yrvqqDvnUoAcUIDE3MiGz5zKc4r+L6K9wAZ9cMgMX9vHzBxihrVKc3Iv0ehP8JpSKWr5u5rYBPEtWgaLOxqISXEswRT/Ng15SBcLFETL0CWkSoABPr6V4lgtueYp12tLc/e4YmQBidD1UMWmqECJH1nuitCJ47qgfgi8DNJIAqP51LynPcFL2Mxb1/JK8KlqBGXXin7P9jE3q/6sKI88yvfRzv8mGMbIPc9O4RBkg3pUtREnLyqpnF7B6ndDFwhO+P0XjWvnFK8gGDsu8M0f52Y9oHywRuDOG9L7reefeY1CyPRbGokJSM8vqE00ER5kQM12v3AfJjqOkZyaU9qRdoqyftxbzZs/6PDyghYtQZ36vWhWcbUYXpicaM8PsF/6LkY22NVJbwQ5MCosRX45NMWXHMiDqBgyiOUDuZrCBk59qfewfr/hShshCCAfg2JfR+x2nu902Kxs=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS7PR21MB3716.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 7WOZyE8m08tX9TEkdzaq97+jNz3Sh9SLSRFgFZg5gkpwk0V5+xrW1t7RduFwsznuTIfdGheSJ5WUykc035sS30i3/dkMJLgHIyQPBXAIHe+Cu/AhXE7xuo0R4itmkhli4rQIXfZ7+uScZ9JbUT18mw/cRajWyPqqtE+BwTV0zIUKhk3M+dl9a6Fg86Jh4dK1CwO3BjbLCdG7sTwzFmpQjevCz8g7CYcWQDrn/tMVAUwuHlSMmYb+e292fdFaInmoJaveOKhKmGwQPxVEv/WSpK6HAmjxQUqryEh/F1xp6WfvOwC7E9YWCihYhNictw/jYBfSNo69hp9a0iq+C40YdlPuq9zubktjX2suukqda99Q0q0uNr1YMc9yeNmZlN5GgjQvwr6sjgm9a/EossFv1z18HVQlsjevgZW4TRCSL3dPo52RFc3asuwT1w61FsMRO8apRKK9XSrwPMOj9mG6GwbPYiQvVKc9loiYQCxlsWYKhanRiV9vKSrgy4HADJFDBf3YLoEpPPUoaWR/ZtICB9YR0+vnH9Oi9gf4YW6LH0nBli7WlDIjvWAIG27ct+JzDOLs+rzjDqxjo6mhII7o2dt1LKq9w7wgigvn6UItxrIwPtoc11PR5sYAOywGCravoWuGU7Z10jvG5NpbHVLKJwuFeiotIX75IiCTsnhyg389EvSPwmtxHMVAByIQKvn4xI888BC4CWlHjuqIrxwToPF8IH+Yq0OrfidkNrbqtNANRWQLV3Oo5Ma/EMVk7Miy8mjquiCVJC0iBHvMxlpynBXMxmIC14cIHWkp8ZZcq6kprrvqJi0Tr7x3cWIr7t7fCclp7Nkv+oWfB1W8J+WzmAUNKIMzhfhv0hKs8jBJ00CoqQlEPX3Qc+SKWbb51P3WLq1/1kSXpWWxW+XIdTBh52QjCEXR8HF/CncRxMeCwUFd1tgtSBHTcrfRWV7Q/tCYsSPXljeeaNynZhNw0070sZ7OM0F1mGv8lgan053Y9jfAjY4V7sukbKIrQNHIxw2+4Mm9DuzNYibvrUUpJGHbjDOz6Y13BWkEgpA6t+4UC5OqqrQfEQIH2W2kFYcIi/OMuG1DPtm8X0BHERR6MI5zYy1UyBPFkTCWIjUV0x/n2M1emhGuQd1OqVRqTjeg2mJLSTOpNKEWpr81/QbX2dZPZ2YCLpsoQFS1rtr1XUz8IXxi7jMOT9OaK1QlUmOmGBC9pJsvyJo3xfEn/rjV+zqg0q1no3+pkxvA/Le9zMxpod8BThrrfzYkwnRJzgF0wnJSyl3Hy/4N+eZJbwdTYDiugG3BWgMFy95/vvRT0GOf/my7qzRFdcVrR5Q8MLxL/vDOxD3fn94oGsqUy4GeZAh/b3amS2hiex4CJyy9xqEL4amRCCbYXIQNJbffEkkVoJviiXocGfIVCo5elpOlfkK7kSwwH/bvfHwpr2AVKu5ZSSLO2X1PSUYhHAQvIhqKszaJpUWRgWLs4/x9wStTlxOKuhO27VFo8j87ssv2yKBCzPiWj7gldVM5VMnPTdiNB1wVucmC0mtSedtPKGirugia2okzKLyFevyGO9C6N6FQHYdsM9DTRsmydoSGzVN/aC0Ept3RJSeVuMqSKdKqrk91ETTAX/VTC0zEo4aLbf0EKHKjlmlc35JGqOY8z8BiicSl
Content-Type: multipart/alternative; boundary="_000_DS7PR21MB37163D5C728E7917A939E30D8C9A2DS7PR21MB3716namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DS7PR21MB3716.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0822ba10-f096-4f11-aee0-08dcd1e28cd8
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Sep 2024 21:50:13.5138 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: awu7G4H67jl870y8u0L8IGdIslh17TuEj5fJMrPPDc5shRQ9Y8QzOaQp0hZ3RK5qVpQksY6GIe/NLOFcM3FnWA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR21MB1515
Message-ID-Hash: 227IDORLNKD26S5AG3X2ATHXVU2CUHDM
X-Message-ID-Hash: 227IDORLNKD26S5AG3X2ATHXVU2CUHDM
X-MailFrom: Andrei.Popov@microsoft.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-prediction next steps
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9J0Es4zos_6hQQ0c1vFquJsOBxc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I support staying the course, continuing work on the key share prediction draft and allocating the code point.

Cheers,

Andrei

From: David Benjamin <davidben@chromium.org>
Sent: Tuesday, September 10, 2024 2:40 PM
To: <tls@ietf.org> <tls@ietf.org>
Subject: [EXTERNAL] [TLS] draft-ietf-tls-key-share-prediction next steps

Hi all,

Now that we're working through the Kyber to ML-KEM transition, TLS 1.3's awkwardness around key share prediction is becoming starkly visible. (It is difficult for clients to efficiently offer both Kyber and ML-KEM, but a hard transition loses PQ coverage for some clients. Kyber was a draft standard, just deployed by early adopters, so while not ideal, I think the hard transition is not the end of the world. ML-KEM is expected to be durable, so a coverage-interrupting transition to FancyNewKEM would be a problem.)

We adopted draft-ietf-tls-key-share-prediction in June to address this. There hasn't been a whole lot to do on it since. I've cut a new draft, draft-ietf-tls-key-share-prediction-01, with some very minor changes that were queued up in GitHub. I'd like to sort out next steps and move forward.

Beyond that, there are a couple of minor issues in the issue tracker. I don't believe either of these need to block getting a codepoint.
https://github.com/tlswg/tls-key-share-prediction/issues/4 - unless folks think otherwise, I plan to just leave this alone and close this
https://github.com/tlswg/tls-key-share-prediction/issues/7 - unless folks think otherwise, I plan to just leave this alone and not require the receiver to check

Finally, there's the question of downgrade protection:
https://github.com/tlswg/tls-key-share-prediction/issues/11

For some background if folks have forgotten, the original key share prediction draft included a ton of complexity to accommodate existing server behavior that would preferentially pick groups out of key_share even if an otherwise more preferred group was in supported_groups. Depending on what the server was trying to do there, this could be perfectly fine (if the server believes the groups are comparable in security) or a downgrade risk (if the server actually believed they were in different security classes---PQ vs classical---but implemented a key_share-first selection algorithm anyway). Pre-adoption, my original draft took the position that it was ambiguous and we cannot safely assume the server knew what it was doing. It designed a scheme to clarify the semantics going forward and use codepoints to ratchet in whether the server implemented the new semantics.
https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html

After WG discussion, I think we broadly concluded the semantics were actually already present in RFC 8446, and it was not worth the trouble to second-guess the servers here. That led to the much simpler draft, which simply discusses why this is OK in security considerations:
https://www.ietf.org/archive/id/draft-ietf-tls-key-share-prediction-01.html#name-security-considerations

As I wrote that text, I unsurprisingly agree with and am fine with this outcome. :-) But there was some chatter about it in the adoption thread (see GitHub link), so I filed the issue so we continued to discuss it. I think perhaps now is the time to discuss it, if we're going to. Do folks want to discuss it? Are there alternate proposals, or should we just stay the course? Unless we have an alternate proposal, I propose we just stay the course and go with [what I understand the conclusion to be from] the previous WG discussion.

If there are no further significant changes that folks want to make, I would like to propose we get a codepoint for this and unblock implementation. The earlier this is ready, the more likely that we will be prepared by the time the next KEM transition happens.

Thoughts?

David

v2.39.1 | Report a Bug | By Email | System Status