Re: [TLS] Remove DH-based 0-RTT

Dave Garrett <davemgarrett@gmail.com> Wed, 24 February 2016 01:57 UTC

On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote:
> I propose that we remove DH-based 0-RTT from TLS 1.3.
> 
> As ekr's previous mail noted, the security properties of PSK-based
> 0-RTT and DH-based 0-RTT are almost identical.  And DH-based 0-RTT is
> much more complex.
> 
> For those who love DH-based 0-RTT, and I know that some people are
> fans, here's something that might make you less sad about removing it
> from the core spec.  You can use DH out of band to negotiate a PSK.
> You might even do this as an extension to TLS, but that's of less
> value.

I think there is a good argument for moving DH 0RTT into a TLS extension. Implementations that are explicitly not going to use it should not be expected to implement it and risk screwing it up. If we accept the premise that online DH 0RTT will be unlikely in practice, then we would be specifying it at least primarily for out-of-band use, and doing it via an extension will probably be cleaner and safer.

I would still prefer it be defined in the TLS 1.3 specification document, though optional.


Dave