Re: [TLS] Pull Request: Removing the AEAD explicit IV

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Thu, Mar 19, 2015 at 09:20:54AM -0700, Watson Ladd wrote:
> On Thu, Mar 19, 2015 at 4:33 AM, Brian Smith <brian@briansmith.org> wrote:
> > Watson Ladd <watsonbladd@gmail.com> wrote:
> >> If we're going to make a change this
> >> radical, why not make equally radical changes to simplify the protocol
> >> further if that's possible?
> >
> > That's already happening.
> 
> No it's not: the draft is still longer than the TLS 1.2 RFC, and seems
> to demand support for every single usecase. This seems at odds with
> absolute simplification, where we would throw out less important
> features, and radically reduce the complexity.

Got examples of features that could be removed or at least rendered
truly optional (besides things like 0RTT[1])?

> > Also, the proposed changes to the handshake state machine for TLS 1.3
> > are much larger. It seems we can't substantially simplify the protocol
> > proportionately increasing the complexity of implementations that need
> > to also implement earlier versions.
> 
> Adding new states and transitions to a state machine doesn't increase
> complexity that much: if the transition doesn't apply, you don't take
> it. But adding additional special casing all over the place to deal
> with TLS 1.3 does increase complexity much more.

Unfortunately, to fix the TLS handshaking mechanism, calls for handshake
totally different from one TLS 1.2 has.

The overall architecture of TLS 1.3 handshake looks good to me, the
divisions it makes look to harden the handshake a lot against various
attacks. Unfortunately, the handshake currently looks to have rather large
implementation security gap.

Additionally, in practice, the capablity to send a handshake that can
be downnegotiated is needed.



[1] If 0RTT was an extension with positive acknowledgement, server could
just leave it unimplemented and things would still work, albeit possibly
with extra RTT.



-Ilari