IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 30 April 2022 15:49 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F863C157B4B for <tls@ietfa.amsl.com>; Sat, 30 Apr 2022 08:49:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.856
X-Spam-Level:
X-Spam-Status: No, score=-3.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjrBRHjl6SiC for <tls@ietfa.amsl.com>; Sat, 30 Apr 2022 08:49:09 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0724.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1e::724]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9040C14F746 for <TLS@ietf.org>; Sat, 30 Apr 2022 08:49:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=htlNwP/JRZLtRa7IqM82ze8ueNQv6H6JVDWq8Ys4CtKpxgB0zniMKN8zRsZXyypXh2l1a24I8GmZZ8MY0vq7EwXsLrkzqu1YFlSr0/HOGXu4zepOlDQCebFCeFbePcruXLqCcohs/OJ2NA9kXCY6Vh/xiPfPwIsxcU2DkVD+7t2+9oNW2dPZt6cpOpzFsX7H8X6ydTZ8YURL+ee05GURC65RS7hUsWBze9yccONIUVgU83tjeg5rxEm0zYwXNzFapL8+e9PaTfBbzNfiBA9TXenRykqFyeo+Ye2YBkPwQKKtzQkVF6RtNpIS5vxCfjp44d9CP1gPFWDOIfh1RdXvmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JTwPBsfrFesO2/tCfg7sNMCfHWPndoqcCrUqIVV3W+w=; b=Ik4QS7gkB8W1iFgFQIJEs0Y1jksgcmtYs+LV22NqAaIFAgY0qBWH2Xj9NUrJFOH6reqOXlJ1aXoQOOH7GmlwqDJl8shQ5h0njJGPKv3oTcTcktY7mlST8Az5jAN9bCxrWrTRwwcL2KV4LPzukOCUOq84JI4uROP/aqGIMF3yfNLt8n2SLh7WD5NtTlDyiLR1z1g/Zw5j0Z0dMJtRTDwg8POi5Yo6qr25nbt99DDg/J5SwmvOt6faIy/7+V9Z2n9HSCkrhQLNMRVdFWN0Y/cv5nKWqwtHaPpI7tjoTm3SdsJorEqrNM2JbWhnYXDfA9fRLndciVvza4zTgAGsdczsbA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JTwPBsfrFesO2/tCfg7sNMCfHWPndoqcCrUqIVV3W+w=; b=Q6pgsUp7IbbHPj4vUJ1tkDalLCGPlnLAZacJgqWyL4WKB9qegIIIFIdWhwSpIMRFbmp1+kdUQR9usJRdLCQXR5vsZL0HQR/5wzqcZXpu7VqXRjqS/vQYpD7TAhVRxiAqN4QN3Fd0cjnH0EZ3i3zWflaHj6nYWBmgLACv+bYfNC1OCy+0/Y65dSfsd4dHkBFuGRBHs0w6YeI3vz1CzlVN2846GbjADwAHhtn/XAtSBl7+Q/bTGkLl8Uw2taB9PTG3JI3smzt5PpI4TPK2LkwHdcqEU88KNjGw5eA2QNqJ26bAr8Dj9m9Cj9a5sdR59g9RltojRNucQijCCwQgmSDL+Q==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DB7PR02MB4758.eurprd02.prod.outlook.com (2603:10a6:10:5b::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.28; Sat, 30 Apr 2022 15:49:01 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::a5a1:25f2:186c:f15c]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::a5a1:25f2:186c:f15c%7]) with mapi id 15.20.5186.028; Sat, 30 Apr 2022 15:49:01 +0000
Message-ID: <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie>
Date: Sat, 30 Apr 2022 16:48:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1
Content-Language: en-US
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "TLS@ietf.org" <TLS@ietf.org>
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------xzVFacOTpg3Unq0u5VwfXZFY"
X-ClientProxiedBy: DU2PR04CA0290.eurprd04.prod.outlook.com (2603:10a6:10:28c::25) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: a3e91940-9673-4882-d233-08da2ac0f1b5
X-MS-TrafficTypeDiagnostic: DB7PR02MB4758:EE_
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-Microsoft-Antispam-PRVS: <DB7PR02MB4758DE6CBC1FAA79790CE7DDA8FF9@DB7PR02MB4758.eurprd02.prod.outlook.com>
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: IW4+Ibe9RVpohfPY+677RP7NSpyMnuxbYiWY6Nk4pHhy7xLW34fwBLlERmrwFS9T8VJ7zGEfz6f6UL4waHH5LdnnLLmnICYzxlsi6lGmwQmmCm1EkZg+lsr0CHH013+ZIqTTsCQX/A7RvyknHyteFDDnRixrJ0+4NSTnlajtiIJJOOT02cmQ05VOfDZC54v4dRxxh/AmKiz7Pkq+XA99+qpAuC9rarXvbj7XLpdar4iK4xhExhOz3SVEDzIBvRaWKue+QWJSsVgktUiNc7LEyYzr02RasammiRwH7dG+7qyDZe1/Cl0PBBXf5yMIG5lrfZCNeA2/cntFP/vdySnJFB1nFpvwg+mPAYQr86fxkcWnUqBe9K6SFbe02pB8C3Tri6CtzIGc1FX/7mUWH1M/muwakefuY7iMREdUJOA819XChpYNumEVw1XU3zw35ITJPCAtoItG1FIL/oSxQqsjLKBczYbjkx/sjcHAHKhSZiT3+/vBpBMfHj9IHyFC2OsaS8+xH7ajoW8EMIqzJjYjvB/Bi+DErI2K3Yb/kvOVr9iGl8TyDvis4J/vrHE/kA/0zJjsocH0OlYrd3vDuIu7E+QiNdCifyIOfR3/4Nv7mEDqORHqTOUXfu/wFYz7i/Tp29CvgpIopVtmD93DdXLWJWnfEwDhsxycsIZWrfnnm2gpeRcfkELN+/7MC2ZYSR4LSmuPpi0ZX3w3aA04nv94ZyAwDB5qz9P/P8m8Fq/82lX9dhg0ZNs7C+ds11hEucmwBAmZ14gwBUU9y/ifR7NVyLqzxdpQSiCswCzvkeXVkUgIQtzAxQLWyKKyoOY8juIC
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(53546011)(21480400003)(966005)(6486002)(2906002)(508600001)(8676002)(6512007)(66476007)(66556008)(66946007)(83380400001)(44832011)(31696002)(235185007)(5660300002)(186003)(8936002)(6506007)(33964004)(86362001)(2616005)(38100700002)(36756003)(110136005)(31686004)(786003)(316002)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 2
X-MS-Exchange-AntiSpam-MessageData-0: WjykTcd4LzNzpDwfhJmlaHBUKqI3sawgL1jm5hKg7N9K/TZTs0umdFAbzlRRgYZdbrDVtjeBa0cEpcDsH1pmvtMHl9RyDeaG4vQ22aO/kGmMvuYepC6sZZBZY8XM7cGMnimDVUF8RgiqQbKvBZZ94WabT0LRSwGmuSYqEXFI6lXDb8fO9Uh20UitJYY6/+33q2rguLztetBxPPSFAk0BwXWQ74GUyobx9PPulC+jgjd4glNlmWASKtuT9jFLc+67zVHGYgACn/sniRuF+UfVuLs18cgYgaOHn2MEg61Cf7RtXHkMEBgd7W9BfV2waleiTzR/G0D0M6aalezJWxDeLMDih13K0gYNWyE9JouVTpe4VUQTJsTuaePj8ImABTCdGjOzMd9YyeqCQve5W7UgpVaIJjqL3JckUKedvzSDBD3NdOoH97ZWxRVgmoCI51YH8BEnn56glkRa17YCJ5JqJG32M+2a2nHkUSAzT+KZfz0k3BjSHHCEZrJFmGgdiKdZhaZnmdtv8sY1mIFtYBAed5K7ucaT9egQCKSRSpyr7KtlFcoWAJoBwZe+oc3Uv1odcxI5iislGcrHpNi/dGz+mHkuSvf7eC1AAGxwScV1HG/CNCG9klERBAF5u/64LJcA47Blns9yM1UYOGvDzgUp6C7woJcAkXzviYfXdZ/MmeiUuZojQ+w7HJQjdt++1V5C4V9t/IVFzbnz/dB/OUPkbwU3vOGFG5h6QYqyNIm47WFmgY32tWILiuiaJ6InsykY0z5aIk/SKHxpQLxvAjO8kznXz0uUIQ9XZyRMVt9sMDdt9rM0DYHFI6j0SB43zyWwgpUnYjjeSfl61IWaNiAB5HqmzNCjh7hSOVWf84MdKs3Jg8ML/QcrpA0mjnmwORZefkspUg60+MhQvbctI8/cUBpmzOYN6OgnOjTp+W4sQcetOVrsY6AWSqrFCHPORniT5cRjZ1ihlM7rrnYmVxy/qHih/I4No+YlEabWwe3TPj7VTEYlYmeKKEmRNA/2C4TkzGyG9D/GCoC/m1V15aXG8x2FZYW7yT7BppJunJK0mfZ0gt4NTZKr4tvXEZzML+rgMVVli4Qga22gJyF2/fTaYHfTZtnCcSYcBBRpLNxWkdb7Tb++WzpPcPyz3kL0V8XdPx747IdrkQTbYvCJvzBRk8Q15sywbC7OdjV7dV8soZta7odf4PHnDlyWnpBN/nOBxrT3/zf/qRaG2hmJRZrwBlM5yzT/pb6V7n1xtcfk885tN+dgJiJk0pFiWlg7dEO2lRIBrXovaj0QTBf8LD/YiFbga2oDF3niCCuBtgC4PYKUCiwlqpKAVGHmKqOAS9HcPqYuYjWunv27+Nn+giGyeU2fl00Q6vMYcA2dUQLq1nRuDsk1T0XSkAMbe2DAchQqJRSesrkfYIGOF/KaOxscCbWS9KNv553MIVs0Zgkr0231MZKS2UDu54gByx1iJbyM/cWE1snDYnsAy/hUW4ordZU3X47WuRt6jcuBjhLpg0vdhBDQ+k8cxUmAhBli0KItf+65pfVkcJfuTPswO/ay/odD41Hy68YHwuy+PfTADayOvkxLyaTIaNrQ7wwR69SOM/8Tu0VS642FRenvnJWl2m4TiUBMHbAzPOiFJ4No14S7jZOwNLGHVd0gU4X+X7cs+KgcYIi1S+rX64zAPLSKGQyjBg8MFzeZFDyV70ZsVg8yjqfo4wUg8pwZ1APu257/6T9Fen4wfRWCEoMjwUBXOB+7xKard/MKZwWOB4ZdYqr4nTFfheGTUEBiYPRk4Q88iu4hJ9Gc
X-MS-Exchange-AntiSpam-MessageData-1: mh58W/IWjYlf/A==
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: a3e91940-9673-4882-d233-08da2ac0f1b5
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Apr 2022 15:49:00.9439 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: hw3odbv4NHM7gERWy7F75RV5rgmRgW+RaYkxXovHmZRe2CpwtlFD0MSUWTIo24uS
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR02MB4758
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Nf1oC7XFo47r1Txh6dPn8r9hH3I>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Apr 2022 15:49:13 -0000

Hiya,

On 30/04/2022 10:05, Ilari Liusvaara wrote:
> On Sat, Apr 30, 2022 at 01:24:58AM +0100, Stephen Farrell wrote:
>>
>> Hiya,
>>
>> On 27/04/2022 16:27, Christopher Wood wrote:
>>> This email commences a two week WGLC for draft-ietf-tls-hybrid-design, located here:
>>>
>>>      https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>>
>> As I guess I've said before, I think progressing this draft
>> now, even with this WGLC-then-park approach, is premature.
>>
>> However, I seem to be in the rough on that so can live with
>> this ad-hoc process (teeth grinding mind you:-) so long as we
>> park this for a sufficient period *and* are open to changing
>> anything at the end of the parking-lot period.
>>
>> Even so, I think this is not yet ready for any such ad-hoc
>> parking-lot:
>>
>> - section 1.5 implies a wish to reduce the number of
>> octets sent - ECH creates a way to point from one part
>> of the (encrypted, inner) ClientHello to another (the
>> outer ClientHello). I don't think we want two such
>> mechanisms, or one mechanism defined in ECH but none at
>> all here, or even worse a second method. For me, that
>> implies not "freezing" the structural work here 'till
>> we see if ECH gets widespread deployment at which point
>> we should consider re-use of the ECH mechanism. (Or maybe
>> even consider both cases of re-using octets and invent
>> another thing, but not 'till we see if ECH gets traction.)
> 
> I don't think compression method like ECH uses would work here.

Possibly so. But I don't think we want two potentially
interacting compression hacks do we? My main point is that
this draft isn't yet in a place where all one needs later
is codepoint registrations and PQ alg implementations. I
think this aspect demonstrates that lack of readiness, no
matter how one resolves compressing, unless one never
compresses, which seems undesirable to me.

> 
> However, I did come up with compression method:
> 
> 1) Sub-shares in CH may be be just replaced by a group id (two octets).
>     The replacements can be deduced from length of the whole share.
> 2) First sub-share copies from first octets of share for the designated
>     group.
> 3) Second sub-share copies from last octets of share for the designated
>     group.
> 
> This can be decoded regardless of if the sever knows what the referenced
> groups are. The compression can also never run into loop, as recursive
> references are not allowed.
> 
> 
> So for example, if one wants to send x25519, p256, x25519+saber and
> p256+saber, one can do that as:
> 
> - x25519: <x25519 share> (32+4 octets)
> - p256: <p256 share> (65+4 octets)
> - x25519+saber: <x25519 id><saber share> (2+992+4 octets)
> - p256+saber: <p256 id><x25519+saber id> (2+2+4 octets)
> 
> Total overhead is 22 octets. 16 for 4 groups, and 6 for the compression
> itself.

So yes that could work. We'd need to think through how
it'd interact with the ECH scheme were both to end up
standardised.
>> - section 2: if "classic" DH were broken, and we then
>> depend on a PQ-KEM, doesn't that re-introduce all the
>> problems seen with duplicating RSA private keys in
>> middleboxes? If not, why not? If so, I don't recall
>> that discussion in the WG (and we had many mega-threads
>> on RSA as abused by MITM folks so there has to be stuff
>> to be said;-)
> 
> No. The private key is held by the client, and client sends the public
> key to use in its client hello. Furthermore, every connection should use
> different public key.

Ok. (Sorry I was looking at [1] too and had that in my head
when writing the above, which ought be ignored as mine was a
silly comment:-)

    [1] 
https://datatracker.ietf.org/doc/html/draft-perret-prat-lamps-cms-pq-kem

> 
>> - similar to the above: if PQ KEM public values are
>> like RSA public keys, how does the client know what
>> value to use in the initial, basic 1-RTT ClientHello?
>> (sorry if that's a dim question:-) If the answer is
>> to use something like a ticket (for a 2nd connection)
>> then that should be defined here I'd say, if it were
>> to use yet another SVCB field that also ought be
>> defined (or at least hinted at:-)
> 
> Whatever public key the keygen() operation outputs.

As above.

> 
>> - I'm also HRR-confused - if we don't yet know the
>> details of the range of possible PQ KEM algs we want to
>> allow here, how do we know that we almost always continue
>> to avoid HRR in practice and thus benefit from a mixture of
>> classic and PQ algs? (It's also a bit odd that HRR,
>> much as I dislike it, doesn't get a mention here;-) I
>> think the problem is that we don't want HRR to push a
>> client back to only "classic" groups, if the client but
>> not the server is worried about PQ stuff while both
>> prioritise interop.
> 
> Well, avoiding HRR impiles that client is willing to bloat its client
> hello even for servers that do not support PQ. And for such clients,
> using PQ at all requires servers to priorize it (send HRR even if
> acceptable share is present).

I don't understand the above sorry;-)

ISTM one would need to analyse/guess what'll happen with
this scheme and HRR before being done. Maybe someone's
done that but if so, I'm surprised there's no mention in
the draft.

> 
>> - section 4: if this cannot support all NIST finalists
>> due to length limits then we're again being premature
>> esp. if NIST are supposed to be picking winners soon.
>> We'd look pretty dim if we didn't support a NIST winner
>> for this without saying why.
> 
> Just yeet McEliece. Its keys are just too large for it to be practical
> in TLS, even if the keys did not bust hard limits.
> 
> After removing McEliece from consideration, all the finalists and
> alternates can trivially be supported (albeit FrodoKEM busts some
> soft limits).

Nonetheless, this is another respect in which the draft
text has to remain incomplete because we're IMO progressing
it too soon.

>> - section 5: IMO all combined values here need to have
>> recommended == "N" in IANA registries for a while and
>> that needs to be in this draft before it even gets
>> parked. Regardless of whether or not the WG agree with
>> me on that, I think the current text is missing stuff
>> in this section and don't recall the WG discussing that
> 
> I think that having recommended = Y for any combined algorithm requires
> NIST final spec PQ part and recommended = Y for the classical part
> (which allows things like x25519 to be the classical part).
> 
> That is, using latest spec for NISTPQC winner is not enough. This
> impiles recommended = Y for combined algorithm is some years out at the
> very least.

I agree, and something like the above points ought be stated
in the draft after discussion in the WG.

Cheers,
S.

>   
>> Nits etc below:
>>
>> - TLS1.1 and earlier mixed hash functions when deriving
>> keys on the basis of then-suspected weaknesses in MD5, yet
>> there were arguments made that that ad-hoc mixing wasn't
>> useful, so we moved away from that in TLS1.2+. I don't
>> see an argument or pointer in this draft to a justification
>> that this (also seemingly ad-hoc?) catenation approach
>> won't suffer analagous infelicity. Absent that, ISTM trying
>> to finalise the structural parts of this now may be a
>> cryptographically bad plan. (Even if in practice that's ok.)
> 
> The intuition is that if you concatenate the shared secrets and feed the
> result to a KDF, unless the KDF is really broken, predicting the output
> is going to require predicting both shared secrets.
> 
> There is no similar intuition for TLS 1.1 and earlier hash combiner.
> Just running the same data through both would give something that turns
> out to be as strong as SHA-1, but the combiner does not do that. It
> instead does something else that is cryptographically completely
> unsound.
> 
> I am bit surprised I never saw anyone claim that the TLS 1.0 and
> TLS 1.1 (IIRC, I checked that the combiner had not been inherited from
> SSLv3) hash combiner was a backdoor. I have seen much less weird things
> called backdoors.
> 
>> - section 2: the tendency to document APIs (e.g. "KeyGen()")
>> in protocol documents seems to me a bit of a double-edged
>> sword - it should help some implementers but OTOH might
>> mean we fail to consider how implementations with other
>> internals might perform, so I'd prefer we are more clear
>> as to how those APIs are optional, but that's really a
>> matter of style I guess
> 
> The keygen() operation is defined by the generic KEM model, which
> NISTPQC uses. So all the candidate specifications define what the
> keygen() operation does.
> 
> 
> 
> -Ilari
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email