[TLS] Rethink TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Sat, 22 November 2014 00:57 UTC

MIME-Version: 1.0
Date: Fri, 21 Nov 2014 16:57:53 -0800
Message-ID: <CACsn0ckmYrx+S--pP6P7VgjsmqQsoYnp+m-9hTPT-OJ9waUtkA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FNiz5Eyr-VOpLlkz_JctNcubdD4
Subject: [TLS] Rethink TLS 1.3
Precedence: list

Was the TLS 1.3 draft written by a cryptographer? No.
Has it been reviewed by cryptographers? Unclear.
Are the mechanisms secure? Unknown.
Is it easy to analyze TLS 1.2? No.
Was TLS 1.2 secure? No.
Has TLS 1.3 fixed flaws in TLS 1.2? Some: session_hash remains
unincluded, but the record layer is finally fixed.
How long will it take to analyze TLS 1.3? If past experience is any
guide, a decade.

Can we fix problems in deployed protocols? No.
Will TLS 1.3 be deployed? Yes.

Putting this together, it seems clear that substantially more
attention needs to be paid to TLS 1.3 before we deploy it. A delay is
inevitable. Even if we decide not to proceed with OPTLS, we need to
make sure that there is a substantial degree of analysis of the
protocol before, not after, it is deployed, and that it is designed to
help, not hinder, analysis.

The current draft is not in a state where it describes a protocol that
we can analyze or implement. The sooner it gets to that state, the
sooner we can start seriously finding problems or showing there are
none. But we shouldn't expect that this process will be overnight:
it's much faster to start with a good protocol and serialize each of
the messages, instead of starting with mystery, figuring out what it
actually does, and trying to show the result is correct (and
discovering it isn't).

Sincerely,
Watson Ladd

[TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Eric Rescorla
Re: [TLS] Rethink TLS 1.3 Henrick Hellström
Re: [TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Henrick Hellström
Re: [TLS] Rethink TLS 1.3 Hanno Böck
Re: [TLS] Rethink TLS 1.3 Henrick Hellström
Re: [TLS] Rethink TLS 1.3 Ralph Holz
Re: [TLS] Rethink TLS 1.3 Jeffrey Walton
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Henrick Hellström
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Henrick Hellström
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Florian Weimer
Re: [TLS] Rethink TLS 1.3 Martin Rex
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Martin Rex
Re: [TLS] Rethink TLS 1.3 Martin Rex
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Salz, Rich
Re: [TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Brian Smith
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] Rethink TLS 1.3 Yoav Nir
Re: [TLS] Rethink TLS 1.3 Hubert Kario
Re: [TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Hubert Kario
Re: [TLS] Rethink TLS 1.3 Bodo Moeller
Re: [TLS] Rethink TLS 1.3 Joseph Salowey
Re: [TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Peter Gutmann
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] Rethink TLS 1.3 Ilari Liusvaara
Re: [TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] Rethink TLS 1.3 Watson Ladd
Re: [TLS] Rethink TLS 1.3 Peter Gutmann
Re: [TLS] Rethink TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] Rethink TLS 1.3 Ryan Sleevi
Re: [TLS] Rethink TLS 1.3 Nico Williams
Re: [TLS] Rethink TLS 1.3 Peter Gutmann