Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk
Russ Housley <housley@vigilsec.com> Mon, 23 April 2018 19:30 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62F4512D93F for <tls@ietfa.amsl.com>; Mon, 23 Apr 2018 12:30:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2NUWa0jesQVq for <tls@ietfa.amsl.com>; Mon, 23 Apr 2018 12:30:56 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91C32126B6E for <tls@ietf.org>; Mon, 23 Apr 2018 12:30:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 7AB1D300A0C for <tls@ietf.org>; Mon, 23 Apr 2018 15:30:54 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id W3TLoR40vV8h for <tls@ietf.org>; Mon, 23 Apr 2018 15:30:53 -0400 (EDT)
Received: from new-host-4.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 480F4300434; Mon, 23 Apr 2018 15:30:53 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <1524474119.4793.7.camel@redhat.com>
Date: Mon, 23 Apr 2018 15:30:54 -0400
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E1DD6812-9085-4FD4-98A4-1DE5B4E4DD72@vigilsec.com>
References: <797D67EC-9390-47CD-BD6A-75E34E5FE33F@vigilsec.com> <1524474119.4793.7.camel@redhat.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DutpJwhrkTMCw_YOO2RhFWpp8lc>
Subject: Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 19:30:58 -0000
> On Apr 23, 2018, at 5:01 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > > On Wed, 2018-04-18 at 12:25 -0400, Russ Housley wrote: >> In London, I was on the agenda to talk about certificate-based >> authentication with external pre-shared key (PSK). We ran out of >> time, and I did not get to make the presentation. The slides are in >> the proceedings; see https://datatracker.ietf.org/meeting/101/materia >> ls/slides-101-tls-sessa-certificate-based-authentication-with- >> external-psk-00. >> >> Please review the document and send comments to the list. >> >> I would like the TLS WG to adopt this document. > > In the presentation the main driver for it seems to be quantum computer > resistance as temporary measure. If that's the main argument I don't > think it is really significant. PSK can hardly be used with PKI, and as > a matter of fact we use PKI because of PSK key distribution problems. > If we switch to PSK for quantum computer resistance there is there a > reason to use PKI? Probably no (I may be wrong here, if there is a > reason for a hubrid model I'm missing, I'd be glad to know). I am not advocating for a pairwise PSK between every client and server. If that were available to us, then as you say, we would always use the PSK without any PKI. I envision a PSK being distributed to a group of clients and group of severs. At some point in the future a large-scale quantum computer might get invented, and if any member of the group has access to it, then they can recover the traffic. However, parties outside the group cannot recover the traffic because the large-scale quantum computer does not assist with the discovery of the PSK. > I could see the main driver for such proposal the replacement of the > RSA-PSK ciphersuites. I know they have _some_ adoption, but I'm not > sure whether that is significant to require update to TLS1.3. This is not my goal. > On the implementation side, why not use post-handshake authentication > here? I.e., extend it to be usable from client-side, and on a PSK key > exchange, have the client request server authentication after the > handshake? I'm not sure why that is easier to implement. Can you say more? Russ
- [TLS] draft-housley-tls-tls13-cert-with-extern-psk Russ Housley
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Nikos Mavrogiannopoulos
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Russ Housley
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Nikos Mavrogiannopoulos
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Russ Housley