Re: [TLS] OPTLS: Signature-less TLS 1.3

Nico Williams <> Tue, 11 November 2014 16:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0B8F61A0053 for <>; Tue, 11 Nov 2014 08:50:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TaSWwJkZhYx7 for <>; Tue, 11 Nov 2014 08:50:26 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 490431A0027 for <>; Tue, 11 Nov 2014 08:50:26 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 878F81B4059; Tue, 11 Nov 2014 08:50:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=IeYgRg5a4WcR/f jaKnE4+Tn3Jiw=; b=TY8O5dZUIu6AJ2bFS7+FT9oeFx6RPYgzWrWxsL/+8CeFvU 9a8aoaN5RevYnIxNsWgxyjJbQl8Rg0+VQCK4xwuLEIS/jCxsu6Pbi0aHLeQJ4Wb7 shfnNhJdQ3TiouEE2oHiZL0Hl31IkFcJYxYupQoWPYu7nZXE+hLiPjcoDA7bw=
Received: from localhost ( []) (Authenticated sender: by (Postfix) with ESMTPA id 463311B4058; Tue, 11 Nov 2014 08:50:25 -0800 (PST)
Date: Tue, 11 Nov 2014 10:50:24 -0600
From: Nico Williams <>
To: Daniel Kahn Gillmor <>
Message-ID: <20141111165022.GI3412@localhost>
References: <> <> <> <> <> <> <20141111005220.GG3412@localhost> <> <20141111021201.GH3412@localhost> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Nov 2014 16:50:27 -0000

On Mon, Nov 10, 2014 at 07:51:25PM -1000, Daniel Kahn Gillmor wrote:
> On 11/10/2014 04:12 PM, Nico Williams wrote:
> > The time should be relative, as a TTL.
> relative to what?

Relative to the time the server made the signature.  The signature might
need to be taken over a payload that includes a timestamp (see NTP
thread) and/or a nonce from the client.

> If the credential is standalone (e.g. in such a way that the signing key
> can be kept offline) then the TTL established can be replayed by an
> attacker who takes control of the DH secret to extend the lifetime of
> the delegated credential, right?

It has to be tied to the delegation act, the signature made with the
delegator credential.

> if the credential isn't standalone (i.e. if it's accepted by the client
> based on its inclusion in the signed handshake which has been
> authenticated by a signature from the signing key), then we aren't in a
> signature-less TLS scheme.

Well, sure we are: most of the time, just not all of the time.

> if it's not relative, but it's long-lived, then we introduce a new
> revocation problem.  if it's not relative and it is short-lived, then we
> introduce interesting clock skew issues (though perhaps those are the
> same as OCSP-must-staple clock skew issues?)