Re: [TLS] confirming the room’s consensus: adopt HKDF PRF for TLS 1.3

Eric Rescorla <ekr@rtfm.com> Wed, 17 June 2015 19:07 UTC

Chairs,

I will work with Hugo to develop an appropriate proposal based on this
direction.

Thanks,
-Ekr



On Wed, Jun 17, 2015 at 12:03 PM, Sean Turner <turners@ieca.com> wrote:

> All,
>
> The consensus of the WG is to replace the current TLS PRF with an HKDF
> PRF.  Being more specific (and using Brian’s wording), the TLS 1.3 will use
> an HKDF-Extract, then HKDF-Expand, with suitable parameters, as recommended
> in RFC5869, to build the keyblock that will be partitioned into keys.  The
> TLS extractor will also use HKDF in a similar way for new versions of TLS.
>
> WRT the downref issue, this seems entirely procedural and can be dealt
> with during the WG/IETF LCs; we’ll call it out in our WGLC,  get our AD to
> do it during the IETF LC per the procedures in RFC 3967, and assuming
> consensus is reached we can normatively refer to an informational RFC.
>
> WRT msj’s technical comments about including the length L of the output
> key material to the info string, it seems like we are free to do so if we
> choose to.  I want to avoid having a consensus call on every issue so if
> somebody is really against adding the length L of the output key material
> to the info string - please start a thread and say why not.
>
> spt
>
> On Apr 01, 2015, at 14:00, Sean Turner <turners@ieca.com> wrote:
>
> > This message is to confirm the consensus reached @ the IETF 92 TLS
> > session in Dallas and at the TLS Interim in Seattle to make the TLS 1.3 PRF
> > be an HKDF-based PRF (see
> > http://datatracker.ietf.org/doc/rfc5869/?include_text=1).
> >
> > Please indicate whether or not you agree with the consensus by
> > 2015-04-17.  If not, please indicate why.  Also, please note that we’re
> > interested in uncovering new issues not rehashing issues already discussed.
> >
> > Thanks - J&S
>
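
The extract-then-expand derivation and the length-in-info question raised in this thread, as an added example that is not part of the original messages or of any TLS draft: RFC 5869 HKDF over SHA-256 building one key block that is partitioned into keys. The label, the key layout, the sample inputs and the 2-byte encoding of L in `info_with_length` are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), truncated to L."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("L must be between 1 and 255*HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def info_with_length(label: bytes, length: int) -> bytes:
    """Assumed encoding (not from the thread): 2-byte big-endian L, then the label."""
    return length.to_bytes(2, "big") + label

def derive_keys(secret: bytes, salt: bytes, label: bytes, layout) -> dict:
    """Extract, expand to one key block, then partition it into named keys."""
    total = sum(size for _, size in layout)
    block = hkdf_expand(hkdf_extract(salt, secret), info_with_length(label, total), total)
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys

# Constructed sample inputs and a hypothetical key layout (not the TLS 1.3 schedule).
SECRET, SALT, LABEL = bytes(range(32)), b"constructed salt", b"example key expansion"
LAYOUT = [("client_write_key", 16), ("server_write_key", 16),
          ("client_write_iv", 12), ("server_write_iv", 12)]

if __name__ == "__main__":
    prk = hkdf_extract(SALT, SECRET)
    # Same info, different L: the short output is a prefix of the long one.
    print(hkdf_expand(prk, LABEL, 16) == hkdf_expand(prk, LABEL, 56)[:16])
    # L bound into info: the two outputs no longer share a prefix.
    print(hkdf_expand(prk, info_with_length(LABEL, 16), 16)
          == hkdf_expand(prk, info_with_length(LABEL, 56), 56)[:16])
```

With identical `info`, HKDF-Expand output for a shorter L is a prefix of the output for a longer L; placing L in `info` makes requests for different lengths yield unrelated key material.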