[TLS] Kicking off the TLS 1.3 formal analysis triage panel
Deirdre Connolly <durumcrustulum@gmail.com> Thu, 18 April 2024 15:37 UTC
Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4039C14F6FF for <tls@ietfa.amsl.com>; Thu, 18 Apr 2024 08:37:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.844
X-Spam-Level:
X-Spam-Status: No, score=-1.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ACxBow5Dj88B for <tls@ietfa.amsl.com>; Thu, 18 Apr 2024 08:37:16 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6BBEC14F5EF for <tls@ietf.org>; Thu, 18 Apr 2024 08:37:16 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-516d4d80d00so1293043e87.0 for <tls@ietf.org>; Thu, 18 Apr 2024 08:37:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713454634; x=1714059434; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Xob7gPMLzDtxgimj9hN2qKvZkxbAg1W6SB5tQ/9y0v0=; b=frWm+nkGme6qCS6NyaXsgc96poOuOlQVtGnhifSVIqaHKjmGIHNNhDDMh36JWCBDsg m9SXkgyfrLaAPnevAomX5jxW0Vbfei2ekGvMx3HhWzf7CdRAYv9kji2MXpr5TSRNDEes tL0e37ZQNSg2nDMkL7UNWxuL+mp1bn1UT+aQacLCSaT/vaLEmhWuFSJat7qUlbaP5/sX 3yzNdbCclRTKpaV6cE0BVfFrstu0zmHXdBJfkD1sVL5cKMRxXQ6T5v6yhdNp5GCtCYxj Oqux00I5rJ14j4v2IFpBDwLsoQ99SMK8m5BBc3IJ/AeYriWPl2npjpxUPTlh83k7a3xH iB8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713454634; x=1714059434; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Xob7gPMLzDtxgimj9hN2qKvZkxbAg1W6SB5tQ/9y0v0=; b=PMTXuosTD33Kma8CWx5aTitmn17+6uXWbW5Sz/XEzbbACFLsxGAzKK/2IswtuWztEn 5HAtcl4IgJHAbXu82mJrutF7ywif2Ar4Bilp0TpizSYPTY6a5I484m2uLv/EYGGFnYVm bn5ZaUnLp/CrDJT1mi/LP22ePuNQX3RF8Zwu9Yrnvb3hyC5zke4kE4cqoMOq9QNsYKSV UfYlckv3cBsDJXbO932GslyMW/4XZiPabIUv4O8e9PlrgH26Kx+DwPFJhY9/fNwThObW iKKLL07Zpqgr9vnEKvBmhZWqHdm7FL1+tulXms5CDLRxxQHf/Ij0e0G9MKVWm1MM4EE5 OUDw==
X-Gm-Message-State: AOJu0YyygrEstjAQVtEF8Yks48Ai/pZ2BGzD9NCyVEdOF26VFrIYBPAF gZ2f/lLOso1/mZRIXzDGKjDueISEnzSUIxh3Wq/nOM45ESPhTI6T/VXmx8MQnJGHBzg2RCOdp2F PDKHIhXZMtEA0V1khB9G6WAK/RDg0HbvN
X-Google-Smtp-Source: AGHT+IGR28AX17tVC9z3ADUlf9ZzI86J8I9jdq3+iBGwKrh+QbiueEkqpRK4JeS3npb0WGiyaLxDN+41ybyB1bcHmG8=
X-Received: by 2002:a19:e049:0:b0:513:ec2a:8fd1 with SMTP id g9-20020a19e049000000b00513ec2a8fd1mr2082468lfj.47.1713454633811; Thu, 18 Apr 2024 08:37:13 -0700 (PDT)
MIME-Version: 1.0
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thu, 18 Apr 2024 17:36:36 +0200
Message-ID: <CAFR824zDWTGB_SoTxK+fuRXpPf1+4=3t=ghEUkGtPXDBM5nqoA@mail.gmail.com>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c988f8061660bebf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FhhICSR3qlLHjFcf1cA7Iry11CA>
Subject: [TLS] Kicking off the TLS 1.3 formal analysis triage panel
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2024 15:37:20 -0000
Hello everyone! We're kicking off our TLS 1.3 formal analysis triage panel. We have these volunteers participating: - Douglas Stebila - Dennis Jackson - Franziskus Kiefer - Cas Cremers - Karthikeyan Bhargavan - Vincent Cheval Some of them are on this list, some are not, major welcomes and thank yous all around! I will link to my write up to the working group <https://mailarchive.ietf.org/arch/msg/tls/RupKEHeJdAzxpNEZnRgerk4en1c/>and the recording of the most recent meeting <https://youtu.be/Oo1UzQtfRYw?feature=shared&t=1485> for more context if you want it. The goal of the triage panel is to maintain the high degree of cryptographic assurance in TLS 1.3 as it evolves as a living protocol. To paraphrase a recent analysis of Encrypted Client Hello, one can see three prongs motivating formal analysis of changes or extensions to TLS 1.3: - Preservation of existing security properties: the authentication, integrity, and confidentiality properties that have already been proven are preserved - New, stronger security properties: such as improved privacy demonstrated by ECH, prove that extensions satisfies new goals - Downgrade resilience: prove that active attackers cannot downgrade the changed/updated/extended protocol to bypass/remove the new guarantees These are especially salient for new features like Encrypted Client Hello, but I would say the top bullet is the front of mind for most proposed documents coming through TLSWG: people want to use TLS 1.3 in new settings, in updated contexts, and want to tweak it a bit for their use case, and we want to make sure these changes do not degrade the already proven security properties of TLS 1.3. Here's how I envision this going: every few weeks or so, more likely than not spurred by a document introduced at a (March, July, November) IETF meeting, we chairs ping the triage panel directly with document drafts that we'd like a first pass sniff test on whether these proposals: - imply a change to previous security analysis assumptions (via pen and paper, formal methods tools, computer-aided provers, any/all of the above) - whether such a change behooves updated analysis - if updated analysis is recommended, of what type, what scope, and estimated time to complete, given such and such a person or team We (the chairs) will collect responses, collate them, and bring them to the working group as part of an adoption call or other working group discussions about a document. If this process did not occur (say something was adopted long ago and has been dormant but now is being revived etc) we may come back and run a similar procedure again. If the working group agrees on requiring formal analysis for a document before it goes through a last call, we will ask the triage panel for recommendations or advice on trying to match the project with a group or a researcher who can work with the document authors on delivering the analysis. The first thing on deck is 8773bis <https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis/>, with more to come. Hopefully this is useful. Yay! Deirdre, for the chairs
- [TLS] Kicking off the TLS 1.3 formal analysis tri… Deirdre Connolly
- Re: [TLS] Kicking off the TLS 1.3 formal analysis… Muhammad Usama Sardar