Re: [TLS] WGLC for "Guidance for External PSK Usage in TLS"

Russ Housley <> Sun, 21 February 2021 01:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 937D53A11BC for <>; Sat, 20 Feb 2021 17:28:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kF_FNQ1OMsUh for <>; Sat, 20 Feb 2021 17:28:04 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9A0573A11BD for <>; Sat, 20 Feb 2021 17:28:04 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id D93D8300BDF for <>; Sat, 20 Feb 2021 20:28:01 -0500 (EST)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id 2q4TDTgBYRut for <>; Sat, 20 Feb 2021 20:27:58 -0500 (EST)
Received: from a860b60074bd.fios-router.home ( []) by (Postfix) with ESMTPSA id 4672D300B5C; Sat, 20 Feb 2021 20:27:58 -0500 (EST)
From: Russ Housley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_663C80AB-4CA2-415E-8A82-A1A8D65827B5"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Sat, 20 Feb 2021 20:27:59 -0500
In-Reply-To: <>
Cc: IETF TLS <>, Ben Smyth <>
To: Sean Turner <>, Joe Salowey <>
References: <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <>
Subject: Re: [TLS] WGLC for "Guidance for External PSK Usage in TLS"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Feb 2021 01:28:08 -0000

Sean and Joe:

The revision to address Ben' comments has now been posted.

I believe that all WGLC comments have been addressed.  I think this document is ready to go to the IESG.


> On Jan 22, 2021, at 3:27 PM, Russ Housley <> wrote:
> Ben:
> Thanks for you review and comments.
>> We've only had one review in response to the last call so far,  I'd like to see a few more reviews of this document before moving it forward.  Are there any volunteers who can commit to a review in the near future?
>> I've reviewed and have only a handful of minor comments.
>> Section 1, opening: Password and key comparison seems rather weak, unless low-entropy PSKs are used. If low-entropy PSKs are a focus, then perhaps make this clearer, which will simultaneously strengthen the comparison. 
> There is guidance on many other aspects of security as well.  Maybe this comparison is setting inappropriate expectations.  Maybe the first paragraph should avoid the comparison altogether.  I suggest:
>    This document provides guidance on the use of external Pre-Shared
>    Keys (PSKs) in Transport Layer Security (TLS) version 1.3 [RFC8446].
>    This document lists TLS security properties provided by PSKs under
>    certain assumptions and demonstrates how violations of these
>    assumptions lead to attacks.  This document also discusses PSK use
>    cases, provisioning processes, and TLS stack implementation support
>    in the context of these assumptions.  It provides advice for
>    applications in various use cases to help meet these assumptions.
>> Section 4, "These keys do not provide protection of endpoint identities (see Section 5), nor do they provide non-repudiation (one endpoint in a connection can deny the conversation)": Perhaps relate to other modes of TLS which do provide such protection.
> I suggest adding:
>    Protection of endpoint identities and protection against an endpoint denying
>    the conversation are possible when a fresh TLS handshake is performed.
>> Section 4, "If this assumption is violated": The assumption has two aspects, namely, "each PSK is known to exactly one client and one server" and "these never switch roles." The following paragraph explains what happens if each PSK is known to more than one client, server, or both. But what if roles are switched? Whilst maintaining the former aspect of the assumption.
> The only cases where that I have come up with where it is possible for the client and server to swap roles (like TLS between to mail servers) do not actually cause any trouble.  If a browser and a web server got confused about their roles, it could be a problem, but that does not seem likely to happen either.  Does anyone have a suggestion here?
>> Section 4, "then the security properties of TLS are severely weakened": Perhaps add "as explained below" or similar.
> Good idea.  Added.
> Russ