Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk

Nikos Mavrogiannopoulos, Mon, 23 April 2018 09:02 UTC


On Wed, 2018-04-18 at 12:25 -0400, Russ Housley wrote:
> In London, I was on the agenda to talk about certificate-based
> authentication with external pre-shared key (PSK).  We ran out of
> time, and I did not get to make the presentation.  The slides are in
> the proceedings; see
> ls/slides-101-tls-sessa-certificate-based-authentication-with-
> external-psk-00.
> Please review the document and send comments to the list.
> I would like the TLS WG to adopt this document.

In the presentation the main driver for it seems to be quantum computer
resistance as a temporary measure. If that's the main argument I don't
think it is really significant. PSK can hardly be used with PKI, and as
a matter of fact we use PKI because of PSK key distribution problems.
If we switch to PSK for quantum computer resistance, is there a
reason to use PKI? Probably not (I may be wrong here; if there is a
reason for a hybrid model I'm missing, I'd be glad to know).

I could see the main driver for such a proposal being the replacement of
the RSA-PSK ciphersuites. I know they have _some_ adoption, but I'm not
sure whether that is significant enough to require an update to TLS 1.3.

On the implementation side, why not use post-handshake authentication
here? I.e., extend it to be usable from client-side, and on a PSK key
exchange, have the client request server authentication after the