Re: [TLS] Industry Concerns about TLS 1.3

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 27 September 2016 00:20 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95C7012B3A3 for <tls@ietfa.amsl.com>; Mon, 26 Sep 2016 17:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ByGZtr2f_rbw for <tls@ietfa.amsl.com>; Mon, 26 Sep 2016 17:20:29 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D415212B3A2 for <tls@ietf.org>; Mon, 26 Sep 2016 17:20:28 -0700 (PDT)
Received: from [172.31.24.203] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 0F6B4282FA6 for <tls@ietf.org>; Tue, 27 Sep 2016 00:20:27 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CABcZeBNKzr7tmYPz2BBt=cSvLnhniUosSbHZCU8qS42bXoO=_g@mail.gmail.com>
Date: Mon, 26 Sep 2016 20:20:33 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <11BA66BB-3B08-4170-8F84-A06E1B4214AC@dukhovni.org>
References: <DM5PR11MB14191AABED7E43F904133787F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <r470Ps-10116i-4C64C69C85D443BF91A20D2FDB8F48E9@Williams-MacBook-Pro.local> <DM5PR11MB1419320109EC18605B1D2072F4CD0@DM5PR11MB1419.namprd11.prod.outlook.com> <BD40CD6E-568F-40A3-838F-C4AC9C9AF9C8@dukhovni.org> <CABcZeBNKzr7tmYPz2BBt=cSvLnhniUosSbHZCU8qS42bXoO=_g@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GpbD8JHbrdtHPX0vMB8dgt_8ZHc>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: "tls@ietf.org" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2016 00:20:30 -0000

> On Sep 26, 2016, at 7:21 PM, Eric Rescorla <ekr@rtfm.com>; wrote:
> 
> There are other ways to accomplish this.  For example, the server might
> use session ticket keys that are stored centrally encrypted under a
> suitable escrow key.  If clients always enable session tickets, then
> every handshake will result in the server returning a session ticket,
> in which case the session can be later decrypted if the session ticket
> keys are available.
> 
> This actually doesn't work in TLS 1.3 because the resumption master secret
> is not sufficient to decrypt the connection in which it was established.

Yes, I know that changed.  It was an example of something that works with
TLS 1.2 even when PFS is used.  With TLS 1.3 server or client implementations
can find other ways to retain long-term records of session keys.  The capability
to do that is not a requisite or desirable protocol feature.  Different user
communities will have different needs, and the best solution is to provide
security by default, and cede control of the result to the endpoints.

-- 
	Viktor.