IETF Logo Mail Archive

Re: [TLS] OPTLS: Signature-less TLS 1.3

Eric Rescorla <ekr@rtfm.com> Tue, 11 November 2014 00:06 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F3171ACE6B for <tls@ietfa.amsl.com>; Mon, 10 Nov 2014 16:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gvBhNc4XOSxx for <tls@ietfa.amsl.com>; Mon, 10 Nov 2014 16:06:13 -0800 (PST)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEFAF1ACE35 for <tls@ietf.org>; Mon, 10 Nov 2014 16:06:12 -0800 (PST)
Received: by mail-wi0-f182.google.com with SMTP id d1so82630wiv.3 for <tls@ietf.org>; Mon, 10 Nov 2014 16:06:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=B0udEbUY9tz1otcWG+1PGA/Ztv7QLhmsQED9VTzS0TM=; b=ZKO8mza4hrDkIdwaj9VqyTjtmWqCSBOYbsu8pCbqjQehSTKXXDc85NP5a2Efposr4+ l5cNGZqcN8hYrJW5pLHVf6/OC0gf/0ZrSFiIHHSnh27HxGl+rhmXLIF4wwTnfn5oi/u+ MCL6XJLeIykkoDVu0mTrrbpy/CD4aWiVu4GEo/gPHUvHbaVyeTcPQUZke8V130eVXHS4 jsHz80wdsj/WavgbNmAEYnkRN7HncU+mI6Wu/VxQNY2Lex+4I8lTWtByxqdw5zt7Ac2/ MosVZzuaRvURIjb+DiKGfBrskdGYwEoG8NDisoQCHJWOf+kCQH3EdZ81AbaxTgiWu4Mi th3w==
X-Gm-Message-State: ALoCoQk9PwU4IAu6wJMFI2vTByvdZ4y7U3BONLmiUbc3WlH46j1Zk2VJwZHkBxXyJBRqTI6Vpz40
X-Received: by 10.194.93.168 with SMTP id cv8mr24388977wjb.114.1415664371486; Mon, 10 Nov 2014 16:06:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Mon, 10 Nov 2014 16:05:31 -0800 (PST)
In-Reply-To: <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <CABcZeBNQBC1XXFR5sGo=V8WmxmL5thaBpeHSasy3SordbqNRTQ@mail.gmail.com> <CADi0yUMM6C=NpvFsc67J6Dc6uEO3OZ490tFWhAYmD362mC+D4A@mail.gmail.com> <CABcZeBNKpTMg+xhMK5TnO_W99MotoPw+_m9yrTqTUSwqyPpUPA@mail.gmail.com> <CACsn0cnkRZ5ZzX0bHfVFsvsrNoJxU2Txs0O2YW386fsg9GF1vQ@mail.gmail.com> <CABcZeBMQc5Mb_FK3davMxi0oBgzawqCMaYp1DqGYgg3nEHYHHw@mail.gmail.com> <CADi0yUOZ8LqsJbTTZmYL6XgrTjWvTMqvFMd7euzv+xQPU9vPJg@mail.gmail.com> <CABcZeBM+CcG8Tr_+XZ6nkw4xJP8DGFXguvRvLGhTUXYdhEOUqA@mail.gmail.com> <87r3xdfzi1.fsf@alice.fifthhorseman.net> <CABkgnnWqppL-1VJORYfrwuKn8n=NO-rZX6LDTiq+-qxddsp1mg@mail.gmail.com> <87r3xawv8a.fsf@alice.fifthhorseman.net> <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 10 Nov 2014 14:05:31 -1000
Message-ID: <CABcZeBM0hPXPPuPqyaAyAVGP568Kk8izyrmUxc9qY6ejayJEQw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bb0399efbec4805078a0bc3"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FJaZduL9-i0w5R3PAdLdPWfsXRQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 00:06:15 -0000

On Mon, Nov 10, 2014 at 1:45 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

>
> On Nov 10, 2014 3:30 PM, "Martin Thomson" <martin.thomson@gmail.com>
> wrote:
> >
> > On 10 November 2014 14:23, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
> wrote:
> > > i agree that X.509 is a disaster here, but i think making up a new
> > > delegation protocol won't necessarily be a non-disaster -- we could
> > > instead just rehash some of the sharp bits of the X.509 mess
> > > (revocation, duration, transparency, identity, etc) in a different
> > > format if we're not clear about what we're doing :/
> >
> > Prior to the discussion yesterday, I was really warming to this idea.
> > After it, particularly the discussion around the creation of a
> > delegation point, I think that I've been convinced that we shouldn't
> > do this.
>
> Every 0-RTT solution involves a similar delegation, as the client is using
> data sent from the server in the prevoius interaction or OOB to encrypt the
> early data.
>
Well, perhaps.

It's quite possible to have the server deliver a key in the initial
handshake that
is usable by the client for future handshakes. However, if the
authentication
of that key is part of the initial handshake (e.g., it's signed as part of
the
transcript), then the key won't be usable by other clients [or more
accurately,
the client won't be able to hand it to other clients and get them to use
it].

I suppose you could argue that this is a delegation, but if so it's a
different
sort of delegation than producing a freestanding credential that can be
given out to any new client.

-Ekr

v2.23.0 | Report a Bug | By Email