Re: [TLS] OPTLS: Signature-less TLS 1.3

Martin Thomson <> Thu, 06 November 2014 17:06 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id ACC901A88AC for <>; Thu, 6 Nov 2014 09:06:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TUpvIsEcCtg4 for <>; Thu, 6 Nov 2014 09:05:59 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BD7811A889F for <>; Thu, 6 Nov 2014 09:05:58 -0800 (PST)
Received: by with SMTP id u10so1234976lbd.25 for <>; Thu, 06 Nov 2014 09:05:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gK0iVxXY9KAivzal8ajhwCcJ0yJWO8fe9E63CTrqoqI=; b=gZ5j2XWa+Yb/756YcK+ZBu+j8687Qz9JCZKWqOv8a8Pk33WVvlH7VarxaPl4yd5oxM 1tLtIco4Q/6+7oYuS1DTqNmBPcS5OEU4E8yh7IBSoTBhns85kjZp65uvjS/Ci9v34Y79 TmozfF6DGjE3Ihl251VQzaBBhH9x6WzaoH6+UHJZoAI8OPajF51Qb+Dbt7N3jy1yTZo3 /wowKBROHAZAwaMz06U4bPsAO4c9JSby3VCsKtkfdz4Z+Mz6S93HD9jNc6evaKdgBo3f pQp4h+sK+zc/HD1fqnlqmxcrxxbeOj+dxQBnEwDQWU0/ldJAhUwFYi6Z2r+VYDz5uMbE NSng==
MIME-Version: 1.0
X-Received: by with SMTP id kx3mr6222466lac.53.1415293557193; Thu, 06 Nov 2014 09:05:57 -0800 (PST)
Received: by with HTTP; Thu, 6 Nov 2014 09:05:56 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Date: Thu, 06 Nov 2014 09:05:56 -0800
Message-ID: <>
From: Martin Thomson <>
To: Hugo Krawczyk <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Nov 2014 17:06:00 -0000

On 6 November 2014 01:34, Hugo Krawczyk <> wrote:
> Regarding the problems with insecure time, it seems that we are reaching
> agreement that this should not be a distraction for judging this proposal
> (in particular since it does not make things worse than the reliance of time
> synchronization for accepting certificates - and it can actually make things
> better by having shorter validity periods for the static DH key than for the
> long-term certificate).

I think that, based on this discussion, I've concluded that there
needs to be some sort of expiration bound to the signature over g^s.
That at least allows servers to limit the duration of an exposure in
the cases where g^s has to reside outside the HSM.  At worst, the only
concern is clock skew if the server wants to closely replicate online

Adding an expiration is a fairly trivial tweak.  Other than that, I
think that I'm happy with this being - on balance - worth doing.  I
haven't made up my mind whether the lack of a signature over a peer's
credentials is a good or bad thing entirely.  I like the idea of
deniability, but non-repudiation in general is a hazardous business.