Re: [TLS] Fixing TLS

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 12 January 2016 20:04 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B1B91A8823 for <tls@ietfa.amsl.com>; Tue, 12 Jan 2016 12:04:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KybO7U7yJPpO for <tls@ietfa.amsl.com>; Tue, 12 Jan 2016 12:04:03 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0738.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:738]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85EE31A8824 for <tls@ietf.org>; Tue, 12 Jan 2016 12:04:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=sXNHYJzwEsiBWk9bfytWlIdbEP4ihPbdnNQO0xQHA2o=; b=JxV6ptOyYqXmT8FnELj/S6wuJp3IHm83M2sinyWAGUOkYjSRFPivCwfjGKLdisDGejMHqA1491BOocSMt0Cz2D9bu6MQS62JQU2pxN7HDrVr9P5cJAvbHEh9lc6sKttcDQF5cWVtxuH/FLk2sc2TqZjDi0GU/Z9wsCcpzKn5Bt4=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1394.namprd03.prod.outlook.com (10.163.81.140) with Microsoft SMTP Server (TLS) id 15.1.361.13; Tue, 12 Jan 2016 20:03:42 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0361.006; Tue, 12 Jan 2016 20:03:42 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Dave Garrett <davemgarrett@gmail.com>, Bill Cox <waywardgeek@google.com>
Thread-Topic: [TLS] Fixing TLS
Thread-Index: AdFNQhHrFy3mVBx6TGiPN32I/iztzQAGPEwAAAUM0wAAAG06gAAAvcSA
Date: Tue, 12 Jan 2016 20:03:42 +0000
Message-ID: <BLUPR03MB13968C36D7067208424946018CCA0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <9A043F3CF02CD34C8E74AC1594475C73F4BC6849@uxcn10-5.UoA.auckland.ac.nz> <201601121202.26624.davemgarrett@gmail.com> <CAH9QtQFASZENynns9=o-zHk=orfR6PcqKL9v5ByirmVcTQAQeA@mail.gmail.com> <201601121439.15891.davemgarrett@gmail.com>
In-Reply-To: <201601121439.15891.davemgarrett@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:9::1d2]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1394; 5:O7nE5O1Nf8ttPPrhZBCMbBeJn+aAGMSxn9d5go/7jkhlWXdWPm75PwbyK7cZ7bpLwFOwtOXpbx0Y2ZDNaHgpSPsq/LwHlfQRLo7ZwKkvqhd8mTN58Y7fpMDC7t5eTOlbIeAHd7sXNKBw+o4Tc0Oq6g==; 24:PJ4Po+3guel67j0pA6wlGxuJwkFV1qcamX0ah04pl6hNhVRRa2guEjP5skoBSLBcf2ewCtpQkz+y4jkmgc0VhiMb1Tco13N82CojZ+V7lPM=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1394;
x-ms-office365-filtering-correlation-id: 56b37b35-1fd8-4ffe-8230-08d31b8b7869
x-microsoft-antispam-prvs: <BLUPR03MB13949F89C9CDE514F8FF80838CCA0@BLUPR03MB1394.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:BLUPR03MB1394; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1394;
x-forefront-prvs: 081904387B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(13464003)(377454003)(24454002)(189002)(8990500004)(50986999)(93886004)(189998001)(40100003)(81156007)(5004730100002)(19580395003)(2950100001)(4326007)(5001960100002)(19580405001)(97736004)(2906002)(5001770100001)(76576001)(102836003)(10090500001)(122556002)(11100500001)(101416001)(1096002)(6116002)(54356999)(15975445007)(106356001)(10400500002)(86362001)(99286002)(10290500002)(74316001)(86612001)(105586002)(87936001)(5005710100001)(76176999)(5002640100001)(5008740100001)(1220700001)(33656002)(77096005)(5003600100002)(76534003)(92566002)(2900100001)(561944003)(586003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1394; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2016 20:03:42.1612 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1394
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KMz4tnd21HpiTDtfKUs09sHUV7Y>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fixing TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2016 20:04:06 -0000

> I hope that Google's efforts to get QUIC as-is specced out go quickly and smoothly, and that it can be used as a basis to develop an official total TCP/TLS replacement.

If this were the path forward (and I doubt that it is), I would very much prefer Peter Gutman's evolutionary TLS 1.3.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Dave Garrett
Sent: Tuesday, January 12, 2016 11:39 AM
To: Bill Cox <waywardgeek@google.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Fixing TLS

On Tuesday, January 12, 2016 02:27:02 pm Bill Cox wrote:
> On Tue, Jan 12, 2016 at 9:02 AM, Dave Garrett <davemgarrett@gmail.com>
> wrote:
> > On Tuesday, January 12, 2016 09:03:53 am Peter Gutmann wrote:
> >
> > I'll be the bearer of bad news and tell you that your proposal has 
> > come up in multiple forms. I suggested a similar thing a while back 
> > and far before me others have as well. The chairs have, however, 
> > long declared consensus that we want to focus on a single new 
> > version not leaving out other more complex changes, namely latency 
> > improvements. The primary argument is that TLS version adoption 
> > rates are horrible and we would be far better suited to one major 
> > upgrade rather than incremental changes that would likely inhibit 
> > adoption of the more complex changes that we also need. (just a 
> > quick summary from my view; someone else can chime in here if they 
> > need to)
> >
> > I can't dispute this position, though personally I think it's not 
> > the best move. That said, if we were going to do a more incremental 
> > TLS version, doing it along side HTTP/2 to avoid the messy TLS 
> > restrictions it ended up with would have been the way to go. That 
> > ship has sailed, and we're now well into TLS 1.3 development, so I 
> > guess I'm now on board with working to finalize the work that we're 
> > already doing (frankly, with a rename to TLS
> > 2.0 being a good idea). If you can somehow drum up consensus to 
> > overturn the previous consensus, more power to you, but I think 
> > that's not likely to be the best route anymore.
> 
> I'll just second what David said here.  0-RTT mode is here to stay, 
> and I don't see a simple upgrade path from TLS 1.2.  Speed matters, 
> and 0-RTT is a huge upgrade for users.  The trick is doing this securely...
> 
> My opinion counts little here, and TLS 1.3 is already nearly 
> completely defined, so I think it is too late for this discussion.  
> However, if it were not...
> 
> A clean-slate TLS 2.0 which reuses as little as possible, and 
> simplifies life as much as possible, would have been preferable, IMO.  
> I look at the QUIC crypto code and then go back to the TLS/SSL code, 
> and there is a night and day difference in complexity.  I think it is 
> going to be painful for some of us to watch the simple, clean QUIC 
> crypto code move to the archives and get replaced with TLS 1.3, which 
> is surely going to be a substantial bolt-on of code to the existing 
> TLS 1.2 code base.  It takes a super-genius just to see all the 
> potential pitfalls in the TLS 1.2 code as it is.  I think it will be even harder to analyze after the TLS 1.3 bolt-on.
> Fortunately, we seem to have a large number of super-geniuses working 
> in TLS, much of the present company on this thread included :)  
> However, if I personally were making changes to the code, it would be 
> maybe 4X faster to do it in QUIC crypto, and 4X more likely that I 
> would not introduce a critical bug in the process.
> 
> I think it is natural for many members of this email list to discount 
> this complexity issue in TLS 1.2/1.3, since many of the most brilliant 
> programmers see the existing code as not all that complex.  For 
> regular mortal programmers out there like me, we would very much 
> appreciate a clean-slate effort with minimal complexity, and there are 
> a lot of lessons you folks have learned over the years that could be included.
> 
> Maybe next time, in TLS 1.4? :-p

Personally, I hope this new version of TLS, save for possibly some minor update & extensions, is the final version. I hope that Google's efforts to get QUIC as-is specced out go quickly and smoothly, and that it can be used as a basis to develop an official total TCP/TLS replacement. (the early documentation for QUIC was horrible, but the current work is vastly improved) As far as I'm concerned, TLS 1.3 is a transitional measure which should only be used in the medium-term by those who adopt new tech very slowly, and in the long-term phased out entirely. It is a very important transitional measure that needs to be done with as high a security and performance as possible, but a finite one nonetheless. (well, arguably, pretty much everything is, given a long enough timeframe ;) We have to get through the short-term to get to the long-term, though.


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c882faa8317114da26f3e08d31b881439%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=mMYoE%2bpBJpL6NKES01ZsFsN%2bwsf%2f8G7OwBhRkfWWDpI%3d