Re: [TLS] Rethink TLS 1.3

Nico Williams <> Mon, 24 November 2014 10:17 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 284F21A1E0C for <>; Mon, 24 Nov 2014 02:17:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id o1k37yUTCE5F for <>; Mon, 24 Nov 2014 02:17:47 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D0AAB1A1B24 for <>; Mon, 24 Nov 2014 02:17:47 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 07DA143807E; Mon, 24 Nov 2014 02:17:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=000mNcx3VY0uLv eoxlyWvUfuCEs=; b=Jo9NYbUDqBhVLB/jFwvH3cCi3ea0aGfLZ1Obj1nFVSkaMC 2iscEaUEUjI28p7abEVg9dOtGZHS1yJoepVLMxLF4/LLLB/MEwfHmmuWZDAd4KnN mehsJMv9ta6ef61lXbcJ7YPwB5zmikk6PVVsp/07unqYy5xi8QVA2nRU0ceMU=
Received: from localhost ( []) (Authenticated sender: by (Postfix) with ESMTPA id B0EF643801C; Mon, 24 Nov 2014 02:17:46 -0800 (PST)
Date: Mon, 24 Nov 2014 04:17:46 -0600
From: Nico Williams <>
To: Watson Ladd <>
Message-ID: <20141124101744.GC3200@localhost>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "" <>
Subject: Re: [TLS] Rethink TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Nov 2014 10:17:49 -0000

On Sat, Nov 22, 2014 at 02:15:30PM -0800, Watson Ladd wrote:
> It's clear what the security claims of TLS are be: a TLS connection
> between two parties ensures that data sent between them isn't
> intercepted or manipulated, and that they are who they claim to be.
> This is a fairly standard notion, clearly present in research by the
> late 80's, and intuitively sensible.

It's the standard Internet threat model.  Aside from needing to be
updated for massive adversay capabilities, the standard Internet threat
model has held up well.  What hasn't held up is TLS:

> Of course, past versions of TLS haven't provided it.
> > In a sense, *every* protocol has the potential of becoming broken,
> > unless it is unambiguously defined what is proper and improper usage
> > of the protocol.

We don't have a crystal ball.  All we have is fairly decent (but almost
certainly incomplete) public understanding of cryptography, and a
fairly decent idea of today's applications' needs.  We can imagine the
near future and plan accordingly, but further out we run into trouble.

I don't think we necessarily need, e.g., an explicit statement that
resistance to BEAST/CRIME style attacks is required: the standard
Internet threat model implies it.  Though it doesn't hurt to list all of
TLS's (and other protocols') vulnerabilities, of course...  It also
helps to design application protocols where BEAST/CRIME type attacks are
of little use.  I.e., we need better session continuation for HTTP than
plain cookies.  But we can't make that happen from the TLS layer, and we
must act accordingly (besides, improving HTTP session continuation has
proven to be a very difficult task).