[TLS] False Start and TLS 1.3+

Brian Smith <brian@briansmith.org> Wed, 10 December 2014 06:12 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 6AB8F1A1B85 for <tls@ietfa.amsl.com>; Tue, 9 Dec 2014 22:12:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id AkK2Kys354dj for <tls@ietfa.amsl.com>; Tue, 9 Dec 2014 22:12:11 -0800 (PST)
Received: from mail-ob0-f174.google.com (mail-ob0-f174.google.com []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 375BF1A1B73 for <tls@ietf.org>; Tue, 9 Dec 2014 22:12:11 -0800 (PST)
Received: by mail-ob0-f174.google.com with SMTP id nt9so1861992obb.5 for <tls@ietf.org>; Tue, 09 Dec 2014 22:12:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=XO0S4VJFJRW1k6dNcH7lKdMkNThlkre+S5FYdqvhCRg=; b=UHanIGLGLER4m29wzpfj0RBbSkeAZSVHk55/93emtTsNA7/ajpU0XuuGMO7HJHzgDI KON+YDpsm3ZC6EgWIdKmHKmI1DI0GszgZR/J/ORfzco4guO/t4HmGIOPVunOvKW18pzX 1xK7UXBnd3mCPGQ/vwC+mER4nPbNwv6wT/mpRxgpcPHnYD26fx9lT+6lPswPL/3NpFVz 8+0cUkr/rpYgbkKcyJ5JxTlEza5qecrLAI97omMe/i8u3YnDeS70H2Xn8FhuAL8IZHC9 NZ89UGcDJtqHLGFKS/QrR9pVNhGzFfJcLiXjFeA2cuSri64i/1mwjD9f6t1GhqX+KOl2 iy9g==
X-Gm-Message-State: ALoCoQnOXAQZu6nkxtWDLtlaDykPYsAN8gqHi0pjNNJUrOUsHacU12H1jnpGYRCCLfprM3E3EwD6
MIME-Version: 1.0
X-Received: by with SMTP id 136mr1265368oij.89.1418191930538; Tue, 09 Dec 2014 22:12:10 -0800 (PST)
Received: by with HTTP; Tue, 9 Dec 2014 22:12:10 -0800 (PST)
Date: Tue, 09 Dec 2014 22:12:10 -0800
Message-ID: <CAFewVt6YrC9ab4Er1sh0YWHsYmYRMdODx0Sy7k97QeHB3ziz_w@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Uyw7l9kWC4hWrOCriHHzuN5gUq0
Subject: [TLS] False Start and TLS 1.3+
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Dec 2014 06:12:12 -0000

1. TLS 1.3 will have its own 1-RTT mechanism, so it makes less (no?)
sense do do False Start for TLS 1.3.

2. During the development and testing of TLS 1.3, it is far from clear
that a TLS 1.3 handshake will be as secure as a TLS 1.2 handshake. It
seems likely, in fact, that for some handshakes, due to implementation
bugs, and/or problems in new parts of the protocol, that TLS 1.3 could
be a security downgrade from TLS 1.2, at least until TLS 1.3 gets its
RFC number.

3. During the development of TLS 1.3, my understanding is that an
extension will be used to negotiate which draft of TLS 1.3 is being
spoken. This extension would only be safe for False Start if every
draft were equally secure, which is unlikely.

Because of these reasons, the False Start draft should be updated to
say that False Start MUST NOT be used for TLS 1.3 and later.