IETF Logo Mail Archive

[TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement

Joseph Salowey <joe@salowey.net> Mon, 23 September 2024 20:49 UTC

Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B0DC1D875C for <tls@ietfa.amsl.com>; Mon, 23 Sep 2024 13:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X44VC9cFiAVF for <tls@ietfa.amsl.com>; Mon, 23 Sep 2024 13:49:37 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71EB7C180B54 for <tls@ietf.org>; Mon, 23 Sep 2024 13:49:34 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2f759b87f83so50250161fa.2 for <tls@ietf.org>; Mon, 23 Sep 2024 13:49:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1727124572; x=1727729372; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=QEG7SFrUVfbfzTg65elq3uGBgwC6I6CyPULCVw3/RGY=; b=rcdpdoZR5efxrpbv7JRiLh1Zkd7oqDb5g3l+1MVYmJgMONmNkuzFaqNFsC54GkOC3E Ql9qzRl+GsIGxG1h5FUSAycRtCf4Ltcw6xWXymTCR6ece5CdM4A17gVaqrCsrVerq/fz CriyhSb8xoWc4BuYtW6W8AxUWgYyespwHh8NBMLAhBW0PgMBFy09AIAicdd+UZkgMyzH im8oaMzrFZuWBXE363yQwzIpvy/pHRYL7kjNJVqBBCeaDIRTfVsgBO93Q5qy0l/Zb1+2 6GpjJZFroN/4oAef4K1r1lNzobmDqsrJI2KEwTWPhNrkPiMpwq7fCEOPCwUzEBhjyMP1 UeIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727124572; x=1727729372; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=QEG7SFrUVfbfzTg65elq3uGBgwC6I6CyPULCVw3/RGY=; b=LSLoD1GXUpM9bEOuyF136hGSU+dxl9rZK2G54yg9ps2aE7eycFcAPb3W7+5OzBP7w7 NELkbz1BpvfhNPI6Gnxk2g/LJ0vumje/Ovb7omUq7HNy40+VXxPJ0b1UtZRXy80QPu4h kcLZQTDbGPX2Z9SEajtveUeSyr5QuAPloCOXSwiq2g428SFiCDp2ppZy0OHdHRGwNw5E uj6w5799uBnw/yGFq22/QxcNWkk5qGZIFYJRK3m+qEQOMQO/a/5QheKD+e8jpLYREEnK puV/SslLhgrDMp7T7I7YqIUxjHifsYPh3vLoBKab9IRXiKFGKOI4Jr1IINWpDA0+LWdh LrGw==
X-Gm-Message-State: AOJu0YwRybwWfpzviti9xdoFSxd/n6ErMCDSiCK9Y+XnDzfAD7LIxbPm iMCtabWUdp5k/+SJyTQWK1g7Ubs0jvHpt1/Bh75/9u525LdbcMkaGO4hLUG2gEg8+eBCtLWw/c3 Esfm0nzZ1wDgvNtKreJQnYM0DJ+Q0cBuaCHFx35QT2sNmE1bpRUwWfg==
X-Google-Smtp-Source: AGHT+IFGsC3IkZFcn2Rf8v2VX6nRpVbUk644VXpUkc1oY7f0/IIQ3O/5Ra9fkRQQT3H2v+RErqiY15gOa6GXuli4qY0=
X-Received: by 2002:a2e:a551:0:b0:2f7:7d69:cb5d with SMTP id 38308e7fff4ca-2f7cc2bdc29mr66597291fa.0.1727124571059; Mon, 23 Sep 2024 13:49:31 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com>
In-Reply-To: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 23 Sep 2024 13:49:18 -0700
Message-ID: <CAOgPGoCLnLHbO9mTbaqjERbpFtoGyJeVk=mjDvxkJYe8nySTvw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a96a60622cf86f5"
Message-ID-Hash: KX2RTZEC5KWXIKODW5OGGYGQBYGBE25M
X-Message-ID-Hash: KX2RTZEC5KWXIKODW5OGGYGQBYGBE25M
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RFdX_v9DFkw0U-JGjEzg2kymygQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

There is rough consensus that the document should have additional formal
analysis before publication. Ekr proposed the following for the
authentication property, which seems like a reasonable clarification

"I think the right analysis is one in which the attacker knows the PSK. For
instance, say we have a company where everyone shares a PSK (as some kind
of post-quantum protection) and you want to make sure employee A cannot
impersonate employee B."

At this point it is up to the authors and working group to address the
request for additional symbolic analysis in order to move the document
forward.

The consensus call also indicated that there is a need to continue to work
out the process for formal analysis triage which we are working on as a
separate topic. See interim scheduling poll from Sean.

On Fri, Aug 23, 2024 at 10:30 AM Joseph Salowey <joe@salowey.net> wrote:

> In regard to moving RFC 8773 to standards track the formal analysis triage
> group has provided input on the need for formal analysis which was posted
> to the list [1].  The authors have published a revision of the draft [2] to
> address some of this feedback, however the general sentiment of the triage
> panel was that there should be some additional symbolic analysis done to
> verify the security properties of the draft and to verify there is no
> negative impact on TLS 1.3 security properties.
>
> The formal analysis is to verify the following properties of the proposal
> in the draft:
>
> - The properties of the handshake defined in Appendix E.1 of RFC8446 [3]
> remain intact if either the external PSK is not compromised or (EC)DH is
> unbroken.
> - The public key certificate authentication works as in TLS 1.3, and this
> extension adds the condition that the party has possession of the external
> PSK. The details of external PSK distribution are outside the scope of this
> extension.
>
> This is a consensus call for the working group to determine how to proceed
> between these two options:
>
> 1. Require formal analysis in the symbolic model to verify that the
> proposal in the document does not negatively impact the security properties
> of base TLS 1.3 and that the additional security properties cited above are
> met
> 2. Proceed with publishing the document without additional formal
> verification
>
> Please respond to the list with a brief reason why you think the document
> requires formal analysis or not. This call will end on September 16, 2024.
>
> Thanks
>
> Joe, Deirdre, and Sean
>
> [1] https://mailarchive.ietf.org/arch/msg/tls/vK2N0vr83W6YlBQMIaVr9TeHzu4/
> [2]
> https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-8773bis-00&url2=draft-ietf-tls-8773bis-02&difftype=--html
> [3] https://www.rfc-editor.org/rfc/rfc8446.html#appendix-E.1
>

v2.41.0 | Report a Bug | By Email | System Status