Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1

Ryan Sleevi <> Thu, 12 December 2019 15:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AB385120921 for <>; Thu, 12 Dec 2019 07:26:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zgfr8k8SHmZR for <>; Thu, 12 Dec 2019 07:26:55 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 99E4912092F for <>; Thu, 12 Dec 2019 07:26:54 -0800 (PST)
Received: by with SMTP id v16so2127658edy.6 for <>; Thu, 12 Dec 2019 07:26:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=c0WAHVsOuBj8unqrCGdbQ6KWbDoxYQpdSFdatKXVaiw=; b=RY2XUC1hNw7I9ZW+lEeOp73q4p85HZnuTDO7QdWgkN6phL0Wea+yOvifF7dwq6AqD2 fj44nM5nHWueQgZHHK08kiaynJkRx4qj75qnIl2lHOehIof9hKlHzbgq/9ZNgS0wM9Cy jp0lUBKlPO/Mb00lYk6bTzaHEK/V2cX9PpdXwiWbmLvmHc6/Fvs5PkK1lAc0rQhXCzSV XmLHougtCMkeeis9VBlqXCRgrdMUvQ9d0lSS0zRRnxJdW/V8ZIR1QojyB2Zr8Qe8Kp0C 41vKG1gyF2Mk5A3yfrA+4CxkEZ6r/TVotV8rfh7mvXl+CyTuN45cUkAmXa4uJ7pqHcKh S/IQ==
X-Gm-Message-State: APjAAAV39jTNs32QzaXL28Nc+jDDazgyDPrrYcOO2GCfPI+tAezs5DAG 9x495aLo7jiyWE8zMtTCTANqmrAz
X-Google-Smtp-Source: APXvYqwPkYvqxn3a++9nT3UeV7mxkCoFnEAWzQeeAjXblMAbmQ7s/IOs6HMX3Dgca40OlqN0dtbjlg==
X-Received: by 2002:a05:6402:148f:: with SMTP id e15mr10156605edv.254.1576164412644; Thu, 12 Dec 2019 07:26:52 -0800 (PST)
Received: from ( []) by with ESMTPSA id x8sm124210eds.88.2019. for <> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 12 Dec 2019 07:26:52 -0800 (PST)
Received: by with SMTP id y11so3176075wrt.6 for <>; Thu, 12 Dec 2019 07:26:52 -0800 (PST)
X-Received: by 2002:a5d:6748:: with SMTP id l8mr7139189wrw.188.1576164412077; Thu, 12 Dec 2019 07:26:52 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <20191207102017.GA1754124@LK-Perkele-VII> <> <20191211142155.GA1879660@LK-Perkele-VII> <> <>
In-Reply-To: <>
From: Ryan Sleevi <>
Date: Thu, 12 Dec 2019 10:26:41 -0500
X-Gmail-Original-Message-ID: <>
Message-ID: <>
To: Hubert Kario <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="000000000000e3c0200599835f6f"
Archived-At: <>
Subject: Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Dec 2019 15:26:59 -0000

On Thu, Dec 12, 2019 at 6:51 AM Hubert Kario <> wrote:

> If TLS 1.2 was looking insecure, I would be with you on this one. But given
> that TLS 1.2 can be configured to be as secure as TLS 1.3, I think
> introducing
> weak points to TLS 1.3, weak points we will have to live with for the next
> decade, if not two, is counter-productive and will only delay deployemnt
> of
> RSA-PSS capable HSMs. Not allowing PKCS#1 v1.5 in TLS 1.3 puts actual
> pressure
> to replace that obsolete hardware, without exposing users to unnecessary
> risk.

That risk calculus doesn't seem to make sense, or even be internally

If we apply the logic you're applying here - that the non-existence within
TLS 1.3 somehow exerts pressure on organizations to replace - then that
pressure only exists because the value proposition of TLS1.3 to these
organizations is greater than the cost of replacing that hardware. But as
you seemingly state, the value proposition of TLS 1.3 is not significant,
because "TLS 1.2 can be configured as secure as TLS 1.3". So what's the
pressure these organizations would face that would have them wanting to
adopt TLS1.3? It seems that, at least with the information provided, the
existence or non-existence of PKCS#1v1.5 in TLS1.3 cannot be the force that
exerts pressure.

Similarly, this argument implies organizations are rational actors that
evaluate these protocols based on the security strength. If they are indeed
rational, then the presumed weakness of PKCS#1v1.5 (and not TLS 1.2 vs TLS
1.3) would naturally exert a pressure on organizations to replace this
hardware, in order to leverage the better security of RSA-PSS. Thus the
existence within TLS1.3 does not actually meaningfully change the calculus
for security or for organizational pressure.

Setting aside for a second arguments about whether RSA-PSS vs PKCS#1v1.5
(in the context of client certificates) is a significant security
differentiator, or whether the security properties of TLS1.2 vs TLS1.3 is
are significant enough to exert pressure, it also seemingly overlooks the
privacy value afforded by TLS1.3's encryption.

If we're trying to make cost-based assumptions here about what pressures
will be exerted, I feel like we have ample evidence from the TLS 1.3
adoption that benefits in security and privacy do not actually exert
pressures on organizations to change, because the incremental value they
provide is outweighed by the costs. The middlebox challenges are a
case-study in this. This draft attempts to reduce those costs, making it
possible to take advantage of those incremental improvements made in 1.3.

The distinction isn't going from good to going from bad, which seems to be
implied by arguing against adoption, it's going from worse (TLS1.2, with no
privacy affordances and the ample considerations around the key schedules)
to something meaningfully better (TLS1.3), even if it's not ideal.