Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk
Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 27 July 2018 09:23 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60CCE130E14 for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 02:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ikhN-j8n-sq for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 02:23:20 -0700 (PDT)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEFE130DF2 for <tls@ietf.org>; Fri, 27 Jul 2018 02:23:20 -0700 (PDT)
Received: by mail-wr1-f48.google.com with SMTP id h9-v6so4372581wro.3 for <tls@ietf.org>; Fri, 27 Jul 2018 02:23:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=7txWMCjdAzrf+gClU9El9p9Uz3qdDZ9jI2V2z/83Yd0=; b=hppA55mYhpyWWTqNkIsKB7urWyfqrpdgHOcJ+1rRDqQ+Mfjsb0CtznEbdGbCw1rau0 glQlVE8DYfofwPrEpycUbe4fkwmf07LAiqM0HY6JbJtsGpALf68m5rF1myF5nTXc+PNw 7tDLJFwpx5DcO3a1MJfRS1+DN4yT95VLMrFYBbyckZ18J1I7R1u99ADi3rrmB/b4y+M1 AVzmxLNttx0wQehlh0xJ00EibQGDteh/fyOhyvrn/xJvcowRWXzhSMgey33Q3YbhJmfB 86Y3rW0ugI9XDYB8Qs1wpizB8WUGvLCZw375AfM22T/cw2LHPcbq8/8OyCWdvLkXcTR4 nRHg==
X-Gm-Message-State: AOUpUlEO/f99CNCcnBjhjQq/QolwpJdXfFYBS8HPcFjVzJH66uouMrCv d970ENwxD9uye5TknA7THcDj26Rpvks=
X-Google-Smtp-Source: AAOMgpfgRvTaV/OjYXpHBKeznT2h4+l72rm9m5FWBPF8dD2z8fS/83/XSMJL/PqdZaOf6hKB20R2LQ==
X-Received: by 2002:a5d:4e49:: with SMTP id r9-v6mr3927078wrt.27.1532683399096; Fri, 27 Jul 2018 02:23:19 -0700 (PDT)
Received: from dhcp-10-40-1-102.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id w204-v6sm4408491wmw.5.2018.07.27.02.23.18 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 27 Jul 2018 02:23:18 -0700 (PDT)
Message-ID: <98fd53a18dc6b06ecd750201239721e8f88d5e7e.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF TLS <tls@ietf.org>
Date: Fri, 27 Jul 2018 11:23:17 +0200
In-Reply-To: <E1DD6812-9085-4FD4-98A4-1DE5B4E4DD72@vigilsec.com>
References: <797D67EC-9390-47CD-BD6A-75E34E5FE33F@vigilsec.com> <1524474119.4793.7.camel@redhat.com> <E1DD6812-9085-4FD4-98A4-1DE5B4E4DD72@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.4 (3.28.4-1.fc28)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IPmbePNhJixq3kVsgfaguAgJfiU>
Subject: Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 09:23:24 -0000
On Mon, 2018-04-23 at 15:30 -0400, Russ Housley wrote: > > > > In the presentation the main driver for it seems to be quantum > > computer > > resistance as temporary measure. If that's the main argument I > > don't > > think it is really significant. PSK can hardly be used with PKI, > > and as > > a matter of fact we use PKI because of PSK key distribution > > problems. > > If we switch to PSK for quantum computer resistance there is there > > a > > reason to use PKI? Probably no (I may be wrong here, if there is a > > reason for a hubrid model I'm missing, I'd be glad to know). > > I am not advocating for a pairwise PSK between every client and > server. If that were available to us, then as you say, we would > always use the PSK without any PKI. > > I envision a PSK being distributed to a group of clients and group of > severs. At some point in the future a large-scale quantum computer > might get invented, and if any member of the group has access to it, > then they can recover the traffic. However, parties outside the > group cannot recover the traffic because the large-scale quantum > computer does not assist with the discovery of the PSK. [going back to this thread, as I have missed that reply and only saw it after the request for adoption was made] It certainly makes sense. > > I could see the main driver for such proposal the replacement of > > the > > RSA-PSK ciphersuites. I know they have _some_ adoption, but I'm not > > sure whether that is significant to require update to TLS1.3. > > This is not my goal. > > > On the implementation side, why not use post-handshake > > authentication > > here? I.e., extend it to be usable from client-side, and on a PSK > > key > > exchange, have the client request server authentication after the > > handshake? > > I'm not sure why that is easier to implement. Can you say more? Current TLS1.3 implementations can do a PSK key exchange and authenticate the client's certificate with post-handshake auth. Based on that, what you'd need to make that authentication two-way (both server and client use cert) is the ability for client to ask the server for certificate. As PHA is fairly simple (server sends a certificate request to client if the PHA extension is seen), doing the opposite if another extension is seen, seems trivial (the bits and pieces are already there). regards, Nikos
- [TLS] draft-housley-tls-tls13-cert-with-extern-psk Russ Housley
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Nikos Mavrogiannopoulos
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Russ Housley
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Nikos Mavrogiannopoulos
- Re: [TLS] draft-housley-tls-tls13-cert-with-exter… Russ Housley