Re: [TLS] OPTLS: Signature-less TLS 1.3
Watson Ladd <watsonbladd@gmail.com> Thu, 13 November 2014 15:43 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 569AE1A897B for <tls@ietfa.amsl.com>; Thu, 13 Nov 2014 07:43:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3O1gGXckXYMt for <tls@ietfa.amsl.com>; Thu, 13 Nov 2014 07:43:02 -0800 (PST)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D79C91A8980 for <tls@ietf.org>; Thu, 13 Nov 2014 07:42:47 -0800 (PST)
Received: by mail-yh0-f54.google.com with SMTP id 29so3933395yhl.41 for <tls@ietf.org>; Thu, 13 Nov 2014 07:42:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Ut9sa0cWEiuttQdQAj0yWW9NvslFO5J7Lof6AP6FNL4=; b=MSLifgb3KIxpmuI5m5XtUxjiTU2EzygZlGGBBSMDzRmaJ9odzgRe9yLtw7EX2ZSQ2K y6ZTcsgHStfTvCAB1zT/7iRX+Znvt35QJauKU4eLAEm2HbruwCSAzyi7SZVXm6RZGF9Z j35wipzBI0+nGK/dbim79mmAhS4zzKr9sKvcDRSrwSgecGyi2fvIPY0cRyFVsgym/XEw lhHa8p3S2mX1gZDkD2eQS/IQ+cXsP3H1VmuOR8cri7TpIAVSJxOLqu08IU+EtycO7mhS SmbCC7StVlP6RqwRKx6BVMom4mm2h6me821UDsFKiRn1//hevTh+XXq8AeaXKNZ0V4Qv 8IvQ==
MIME-Version: 1.0
X-Received: by 10.170.100.215 with SMTP id r206mr4072113yka.19.1415893367036; Thu, 13 Nov 2014 07:42:47 -0800 (PST)
Received: by 10.170.195.203 with HTTP; Thu, 13 Nov 2014 07:42:46 -0800 (PST)
In-Reply-To: <CADi0yUOELWqkOrrYh24Kcaiz8h27DxC=a5X4piLwxyr2N-1SqQ@mail.gmail.com>
References: <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com> <54615526.5020504@fifthhorseman.net> <20141111005220.GG3412@localhost> <8C76E955-0942-4343-B044-8E490C6264FB@gmail.com> <20141111021201.GH3412@localhost> <5461A3DD.4030102@fifthhorseman.net> <CADi0yUO4Q8=FkmAXH0na2gd6MADb4JSCGUGju7mYYm-qxqEKQw@mail.gmail.com> <20141111173325.GK3412@localhost> <4008860D-58A7-4A48-A4FC-A5823D94B791@gmail.com> <20141111203740.GN3412@localhost> <CADi0yUOELWqkOrrYh24Kcaiz8h27DxC=a5X4piLwxyr2N-1SqQ@mail.gmail.com>
Date: Thu, 13 Nov 2014 07:42:46 -0800
Message-ID: <CACsn0c=J-0sB5uyBBuf9tqmviD2CGF3e+PhQt_gcxm2EQfcfjw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VlkSglWBM7HdXyjBxtZyoq1YW4w
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 15:43:10 -0000
On Wed, Nov 12, 2014 at 8:02 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: ><snip> > > * Assuming that servers will not want to get certificates for use with TLS > 1.3 > only (why not?), then we need to address the above subcert forgery > scenario > where the atacker gets limited access to the signing key. An imperfect but > effective solution is to only issue subcerts with short validity period, > i.e. where the difference T2-T1 is small. In this case the attacker with > temporary access to the signing key can only create a limited number of > subcerts covering a limited time span. > > Operational note: It is the servers' responsibility to create such > short-lived > subcerts but it is the clients' responsibility to check the subcerts are > indeed short-lived (otherwise an attacker can generate a long-lived subcert > that the client will accept). > > * Clients with clocks with significant deviations from the correct time will > have trouble accepting valid subcerts and may be induced to accept old (or > into-the-future) subcerts. I can imagine this to be a problem. But is it > enough to abandon the benefits of a ECDH-based solution like OPTLS? I don't think this is quite right. An attacker might root a box connected to an HSM, and sign several thousand short term shares: to the HSM this looks like the website being popular, and will cover a large range of time. There doesn't seem to be an easy way to limit the time the signature was made, and such a limitation could be counterproductive in some scenarios. However, I don't think this is a real problem: HSM usage on major sites is extremely low, and OPTLS makes it easier. Sincerely, Watson Ladd > > On Tue, Nov 11, 2014 at 3:37 PM, Nico Williams <nico@cryptonector.com> > wrote: >> >> On Tue, Nov 11, 2014 at 09:47:23AM -1000, Yoav Nir wrote: >> > > On Nov 11, 2014, at 7:33 AM, Nico Williams <nico@cryptonector.com> >> > > wrote: >> > > That the "sub-cert" needs either a revocation scheme (not likely) or a >> > > short lifetime. The latter puts this on a par with session >> > > resumption, >> > > thus making one (well, me) wonder what the advantage to the static DH >> > > concept would be. >> > >> > There is a revocation scheme. If the private ECDH key is lost, you >> > revoke the certificate, thereby invalidating the delegation. >> >> Ah, good point! >> >> > > We could put static DH keys in DNSSEC and learn them that way, which >> > > would get us 0rt. >> > >> > Another possibility is to place the ECDH public key in a certificate >> > extension. This gives it a lifetime as long as the certificate, and it >> > doesn’t matter whether the “regular” certificate public key is RSA or >> > ECDSA or anything else. >> >> Sure, certs could have multiple subject public keys. That'd be a very >> nice. A cert could have an encryption key, a different signature key, >> and a key agreement key. >> >> > It removes the need to use signatures at all by the server. Not even >> > once. >> >> Yes. I like this. >> >> Nico >> -- > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk