[TLS] Rethink TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Sat, 22 November 2014 00:57 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF241A9125 for <tls@ietfa.amsl.com>; Fri, 21 Nov 2014 16:57:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SCATM7FVRits for <tls@ietfa.amsl.com>; Fri, 21 Nov 2014 16:57:54 -0800 (PST)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D34BD1A911A for <tls@ietf.org>; Fri, 21 Nov 2014 16:57:53 -0800 (PST)
Received: by mail-yk0-f172.google.com with SMTP id 131so2792802ykp.31 for <tls@ietf.org>; Fri, 21 Nov 2014 16:57:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=Y0a5az1APzMSSF3ANHApG/dcjucvrvsTrPeVjp4FTjY=; b=bdRc2KfoqtL3uo+XeVh0xoQ2B9f9Q3I22xr15A2giY792UiXf00Cp5KFn7vMP33PD3 UQuOZWc1eVWBux3lujL6fvndQA2h1Y/cF3qoCABugECg9fU73nSRqaB8tcqkpk25AtU5 ESmlMCvPbQ2wpVyYlVpqwBSArZtfixaRR8PSxCVIoOqXggSg6JPq86MFQST322xfJM+B k+L2ALayew4GTjS57LZzvUuKgUHNP3b3smujyluPpJtNFTsSJowad5laFDPKLKXBb6sC ZGWNqoG87ojW84uc78vH5SRZeGnDx5rvHyQCbU8GG4bGYL/9zDP6F2w+qHOOt5XFNazN RPLw==
MIME-Version: 1.0
X-Received: by 10.236.53.69 with SMTP id f45mr5745039yhc.65.1416617873139; Fri, 21 Nov 2014 16:57:53 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Fri, 21 Nov 2014 16:57:53 -0800 (PST)
Date: Fri, 21 Nov 2014 16:57:53 -0800
Message-ID: <CACsn0ckmYrx+S--pP6P7VgjsmqQsoYnp+m-9hTPT-OJ9waUtkA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FNiz5Eyr-VOpLlkz_JctNcubdD4
Subject: [TLS] Rethink TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 00:57:56 -0000

Was the TLS 1.3 draft written by a cryptographer? No.
Has it been reviewed by cryptographers? Unclear.
Are the mechanisms secure? Unknown.
Is it easy to analyze TLS 1.2? No.
Was TLS 1.2 secure? No.
Has TLS 1.3 fixed flaws in TLS 1.2? Some: session_hash remains
unincluded, but the record layer is finally fixed.
How long will it take to analyze TLS 1.3? If past experience is any
guide, a decade.

Can we fix problems in deployed protocols? No.
Will TLS 1.3 be deployed? Yes.

Putting this together, it seems clear that substantially more
attention needs to be paid to TLS 1.3 before we deploy it. A delay is
inevitable. Even if we decide not to proceed with OPTLS, we need to
make sure that there is a substantial degree of analysis of the
protocol before, not after, it is deployed, and that it is designed to
help, not hinder, analysis.

The current draft is not in a state where it describes a protocol that
we can analyze or implement. The sooner it gets to that state, the
sooner we can start seriously finding problems or showing there are
none. But we shouldn't expect that this process will be overnight:
it's much faster to start with a good protocol and serialize each of
the messages, instead of starting with mystery, figuring out what it
actually does, and trying to show the result is correct (and
discovering it isn't).

Sincerely,
Watson Ladd