Re: [TLS] Universal PSKs

Hubert Kario <hkario@redhat.com> Fri, 15 June 2018 11:14 UTC

From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Fri, 15 Jun 2018 13:14:09 +0200
Message-ID: <2132206.KQKFhKinhY@pintsize.usersys.redhat.com>
In-Reply-To: <CAF8qwaB3GH8WbXD=snEwjA==Jx02gtWejyNTXXO6nVW0Cp1YHA@mail.gmail.com>
References: <CAF8qwaB3GH8WbXD=snEwjA==Jx02gtWejyNTXXO6nVW0Cp1YHA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EqqGTa678O5bC_OproNKWtp_Is8>

On Thursday, 14 June 2018 21:46:27 CEST David Benjamin wrote:
> Thoughts? If the WG likes this design, I would suggest:
> 
> - Most folks who want to use TLS 1.3 with external PSKs should probably
> design their protocols to provision universal PSKs instead, after it
> stabilizes.
> 
> - Folks who want to use TLS 1.3 with existing TLS 1.2 PSKs should use the
> compatibility derivation in this draft, after it stabilizes.
> 
> - Folks who want to ship TLS 1.3 before then and have a TLS 1.2 PSK API
> should not use the 1.2 PSK as a 1.3 PSK. For now, just turn TLS 1.3 off by
> default if that API is used and, in a future release, use the compatibility
> derivation after it stabilizes.

That's not workable.

The reason why implementations chose to use the old API to provision TLS 1.3 PSKs
was to make the upgrade process as smooth as possible; disabling TLS 1.3 is
quite antithetical to that.


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic