Re: [TLS] New Internet-Draft: draft-housley-tls-tls13-cert-with-extern-psk-00
Russ Housley <housley@vigilsec.com> Thu, 01 March 2018 22:14 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E32EA12FAD0 for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 14:14:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qyda9iN_uMhD for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 14:14:47 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0F312FACF for <tls@ietf.org>; Thu, 1 Mar 2018 14:14:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 79E57300687 for <tls@ietf.org>; Thu, 1 Mar 2018 17:14:45 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Gw5ITwGSAP2j for <tls@ietf.org>; Thu, 1 Mar 2018 17:14:44 -0500 (EST)
Received: from new-host-5.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 41E55300435; Thu, 1 Mar 2018 17:14:44 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CABkgnnVdUbsf6RQ9TY_KOaO5Kf1L-bd7nDFDxLRi7hXBZA=d1A@mail.gmail.com>
Date: Thu, 01 Mar 2018 17:14:45 -0500
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F349D2F-EF26-4001-A77C-C21D700F053D@vigilsec.com>
References: <151993882481.21672.8815898642665419019.idtracker@ietfa.amsl.com> <1DD2B1C1-23E7-48F7-A1FB-76D3DFCEA755@vigilsec.com> <CABkgnnVdUbsf6RQ9TY_KOaO5Kf1L-bd7nDFDxLRi7hXBZA=d1A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LlSxslDujFfWKUA7ezhvYbooR_8>
Subject: Re: [TLS] New Internet-Draft: draft-housley-tls-tls13-cert-with-extern-psk-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 22:14:49 -0000
Martin: > > This seems like a welcome addition. I'm not sure why you think that > PQ needs are a good motivation for this work though. Managing > external PSKs is so unwieldy that it almost seems like this would do > more harm than good in that regard. I find this more interesting from > the perspective of providing continuing proof of possession for keys > while also permitting the use of 0-RTT (and session continuation more > generally). The key management would be pretty onerous if a different external PSK is distributed to each client-server pair. I was pretty careful to make sure that the key schedule would work out even if the external PSK is know to a group of clients and a group of servers because the (EC)DHE key will be pairwise. If the external PSK is not pairwise, I do not think it can be used for 0-RTT traffic, which is why the I-D does not allow early data. > FWIW, I don't see any reason that this approach would be a problem > given that it is additive, the problem that Sam Scott et. al. from > before was a result of important contextual information being omitted > from the transcript. I did not see a problem, but we should make sure that there is not something subtle. > Why didn't you consider a new codepoint on psk_key_exchange_modes that > permits/requires use of the certificate? The purpose of that > extension is to signal that a) you want PSK, and b) what additional > things are permitted alongside that PSK. Because of this text in the TLS 1.3 base specification: ... Implementations MUST NOT combine external PSKs with certificate-based authentication of either the client or the server unless negotiated by some extension. That steered me toward an additional extension. > It's not clear from your text on client certificate authentication > whether your mode permits the server to omit its Certificate, but then > send CertificateRequest. You should clarify that one way or other. That was intended by: When the "tls_cert_with_extern_psk" extension is successfully negotiated, authentication of the server depends upon the ability to generate a signature that can be validated with the public key in the server's certificate. This is accomplished by the server sending the Certificate and CertificateVerify messages as described in Sections 4.4.2 and 4.4.3 of [I-D.ietf-tls-tls13]. But I see that it should be reworded to include a MUST statement. Russ
- [TLS] New Internet-Draft: draft-housley-tls-tls13… Russ Housley
- Re: [TLS] New Internet-Draft: draft-housley-tls-t… Martin Thomson
- Re: [TLS] New Internet-Draft: draft-housley-tls-t… Russ Housley
- Re: [TLS] New Internet-Draft: draft-housley-tls-t… Martin Thomson