Re: [TLS] OPTLS: Signature-less TLS 1.3

Yoav Nir <ynir.ietf@gmail.com> Tue, 11 November 2014 00:08 UTC

Content-Type: multipart/alternative; boundary="Apple-Mail=_5C3B657C-DB6C-4776-9832-011BA52A17D7"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com>
Date: Mon, 10 Nov 2014 14:08:06 -1000
Message-Id: <21EF390E-1F89-410B-8114-74C0A8D5502D@gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <CABcZeBNQBC1XXFR5sGo=V8WmxmL5thaBpeHSasy3SordbqNRTQ@mail.gmail.com> <CADi0yUMM6C=NpvFsc67J6Dc6uEO3OZ490tFWhAYmD362mC+D4A@mail.gmail.com> <CABcZeBNKpTMg+xhMK5TnO_W99MotoPw+_m9yrTqTUSwqyPpUPA@mail.gmail.com> <CACsn0cnkRZ5ZzX0bHfVFsvsrNoJxU2Txs0O2YW386fsg9GF1vQ@mail.gmail.com> <CABcZeBMQc5Mb_FK3davMxi0oBgzawqCMaYp1DqGYgg3nEHYHHw@mail.gmail.com> <CADi0yUOZ8LqsJbTTZmYL6XgrTjWvTMqvFMd7euzv+xQPU9vPJg@mail.gmail.com> <CABcZeBM+CcG8Tr_+XZ6nkw4xJP8DGFXguvRvLGhTUXYdhEOUqA@mail.gmail.com> <87r3xdfzi1.fsf@alice.fifthhorseman.net> <CABkgnnWqppL-1VJORYfrwuKn8n=NO-rZX6LDTiq+-qxddsp1mg@mail.gmail.com> <87r3xawv8a.fsf@alice.fifthhorseman.net> <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Vxkt5Fc1A2JamNORKZMIpxtSs0U
Cc: tls@ietf.org
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
Precedence: list

> On Nov 10, 2014, at 1:45 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> 
> On Nov 10, 2014 3:30 PM, "Martin Thomson" <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
> >
> > On 10 November 2014 14:23, Daniel Kahn Gillmor <dkg@fifthhorseman.net <mailto:dkg@fifthhorseman.net>> wrote:
> > > i agree that X.509 is a disaster here, but i think making up a new
> > > delegation protocol won't necessarily be a non-disaster -- we could
> > > instead just rehash some of the sharp bits of the X.509 mess
> > > (revocation, duration, transparency, identity, etc) in a different
> > > format if we're not clear about what we're doing :/
> >
> > Prior to the discussion yesterday, I was really warming to this idea.
> > After it, particularly the discussion around the creation of a
> > delegation point, I think that I've been convinced that we shouldn't
> > do this.
> 
> Every 0-RTT solution involves a similar delegation, as the client is using data sent from the server in the prevoius interaction or OOB to encrypt the early data.
> 
> What exactly was the problem mentioned at the meeting?
> 
> 

The issue is that the server sends a certificate + a buffer that is a long-term DH public key signed with the private key associated with the public key in that certificate. 

Anyone who has that certificate and buffer plus the long-term DH private key can impersonate the server. It’s delegation in the sense that the server can sign a DH public key and let another node impersonate it. 

So the argument against it is that the new signed buffer is in effect a credential, a certificate. Except that this kind of certificate does not have the PKIX stuff. Specifically, there is no revocation for that signature. A compromised signed  DH public key can only be revoked by revoking the certificate.   As we are not currently prepared to work on TLS delegation, we don’t want to sneak delegation in through the back door.

It should be noted that CloudFlare manages to make delegation work ([1]) even without changing the protocol, but I wonder a little about that solution. Isn’t the latency horrible? How secure is the connection between CloudFlare and the customer? Does it create a sign-everything service?

Yoav

[1] http://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/

Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
[TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk