Re: [TLS] Rethink TLS 1.3

Nico Williams <> Fri, 28 November 2014 19:11 UTC

On Fri, Nov 28, 2014 at 08:45:00AM +0000, Peter Gutmann wrote:
> Nico Williams <> writes:
> >Yes, it's quaint.  It's also as best we can do, unless...
> If that's the best we can do then it's better to have no threat model at all
> than something that misleading, because all it's doing is giving a false sense
> of security.  It doesn't even begin to capture semantics like:
>   Alice will perform arbitrary scripted operations at the request of Mallory,
>   directed against herself and/or Bob.
> a standard feature of every web browser out there.  As a model against which
> to measure the security of an application or implementation, it's only
> slightly less useless than nothing at all.

That's changing the subject.  Where have I argued that the web security
model is great or even permitted by the Internet threat model?

The web security model is... unlike anything produced by the IETF, and
it wasn't produced by the IETF.  It's an alien as far as we're concerned
here.  You'd be hard-pressed to find fans of it at the IETF.  And it
would require torturing logic to say that the Internet threat model
allows the web security model.  From where we stand we can't really go
fix the web security model either, much though we'd like, but we can
make TLS 1.3 not fail spectacularly (BEAST and others) in a web context.

If you want a holistic approach, well, I agree, but that means getting
people in the same room who usually don't do that, and it means getting
people to agree to things that they aren't inclined to.  Let's!  (Any
ideas as to how to?)