IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-tls-13-17 posted

Kazuho Oku <kazuhooku@gmail.com> Thu, 20 October 2016 19:43 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 096101296DC for <tls@ietfa.amsl.com>; Thu, 20 Oct 2016 12:43:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PopMFRGjutB6 for <tls@ietfa.amsl.com>; Thu, 20 Oct 2016 12:43:36 -0700 (PDT)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1AA81296B6 for <tls@ietf.org>; Thu, 20 Oct 2016 12:43:35 -0700 (PDT)
Received: by mail-lf0-x22f.google.com with SMTP id x79so106187024lff.0 for <tls@ietf.org>; Thu, 20 Oct 2016 12:43:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=iNh8REcsHhnOXF2W9O65o2MYN6LuCiARtCk7WfzFylY=; b=HImnwI05V8fzYTAzAUPvlff3l7gS+GmwUzB3Xihf8mFSG7WNybLow/qg05c/H3wN8S kLb2jirfo1wqADYFOstlG66SA0t9weDrxu03dlFq2Bx1hYtz5Vhc2KH0aboaq2FMzsgy kshnxUuHt7h9TvtDQrK8paMDWvyrP+CCBDfb6vMqk+XqplKkeaORtrLq0EWgATMBf8ss SO6mTXH6Iwo0HYUNwHsF5JwEoeUANUuZf67+eqtlHLbrcAO/WLouxML+ceyPglvVI/jf Md9hlwMwAacsJNcdULeKyDCj5NR31sRbEKz4QJKkf7OFfnCnDNjTnphZ27Mfh8vbQvco Ofyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=iNh8REcsHhnOXF2W9O65o2MYN6LuCiARtCk7WfzFylY=; b=m5uyMI3/c8uSwffgKuNsYoBiXTV/uzCjGxicn1LPAyMEj/1HXMT9tZ989ZpYMHA0g1 FZz+Q93R28oxayLvN1T+KpQB5E+SUUza2uPc3hHb9Qq2dw6+Vj4rn2x+92UcOCAlnpul QD85b7dlW9OtN8IsMbBVuqffUNNTGI0QCJ5RTz/NbDQ61TrzkCAgFc+xEOmJMq2bbj9k SUKcfZ3mhOJHt+NK97Uv0wxgAb8w9ULLZh3dooV9HN4KVISDt84zx7Hr5YXofTGWBbet JqBVHI2To37D7K6391n0NSKamKhhCMuyL/iFj9Avsxp1zxWup0GLA9yOYH4+7Q5Xdjqm Euvw==
X-Gm-Message-State: AA6/9Rl/NkW/HNgfJlf5Bo2qwG3jxBckKtjSkV2i4Gy3eyaBPRGlkOJBNJiUnJFuZUTuTVU2jb9K8kWr/eAOXQ==
X-Received: by 10.28.64.133 with SMTP id n127mr7061124wma.31.1476992613879; Thu, 20 Oct 2016 12:43:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.163.69 with HTTP; Thu, 20 Oct 2016 12:43:33 -0700 (PDT)
In-Reply-To: <CABcZeBP6pzqtcT3rmmpjr_4R+fb6ZyiAduxQiJ87B9hnRzVBXA@mail.gmail.com>
References: <CABcZeBP6pzqtcT3rmmpjr_4R+fb6ZyiAduxQiJ87B9hnRzVBXA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 21 Oct 2016 04:43:33 +0900
Message-ID: <CANatvzybB2LGPP+H_n+5kx++RDN70Xe29_jXT73foT_V_OCd4A@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Wwcsmfn9HUvCNq7sBzQCEUym7uI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-tls-13-17 posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 19:43:38 -0000

Hello,

It's great to see draft-17 being published. Thank you all for the effort.

Maybe the addition of extensions field to the Certificate message got
lost in the changelog?
https://github.com/tlswg/tls13-spec/pull/654

My understanding has been that it was a post-16 change and it changes
the wire protocol.


2016-10-21 1:32 GMT+09:00 Eric Rescorla <ekr@rtfm.com>:
> Folks,
>
> I have just uploaded draft-ietf-tls-tls13-17.
>
> The major change in this draft is the removal of the 0-RTT Finished
> and resumption_context constructs and their replacement with the
> psk_binder. This has a number of side effects:
>
> - Binds in the original transcript into the resumed handshake
>   whenever resumption-PSK is used.
>
> - Provides proof of possession of the RMS by the client (subject
>   to replay issues). I've moved the obfuscated_ticket_age field
>   out of the early_data_indication so that it now provides the
>   same limited anti-replay for non-0-RTT PSK.
>
> - Removes the need for any early handshake encryption. This change,
>   along with the dual key ladders we introduced in -16, also allowed
>   us to simplify the traffic key expansion so we don't need explicit
>   labels for each key (they are already used in Derive-Secret).
>
>
> Other changes included:
> - Tweaking the PSK key exchange modes a bit (and removing the
>   inoperative ability to specify PSK auth modes, while leaving
>   a hook to do it later).
>
> - Cleaned up the cipher suite requirements for resumption and 0-RTT.
>   You can resume/do PSK as long as the PSK KDF matches, but to do 0-RTT
>   you need the whole cipher suite must match.
>
>
> This revision resolves all the outstanding technical PRs [0] and all but
> one of the non-parked technical issues (#144, whether we should remove the
> redundant TLSCipherText.opaque_type and TLSCipherText.record_version
> fields). We are pursuing measurements to resolve whether this will
> be a compat problem but we don't have them yet.
>
> As usual, comments welcome. We are already working on implementing
> -17 in NSS/Firefox and should have it before Seoul.
>
> -Ekr
>
> Full Changelog
> - Remove the 0-RTT Finished, resumption_context, and replace with a
>   psk_binder field in the PSK itself (*)
>
> - Restructure PSK key exchange negotiation modes (*)
>
> - Add max_early_data_size field to TicketEarlyDataInfo (*)
>
> - Add a 0-RTT exporter and change the transcript for the regular exporter
> (*)
>
> - Merge TicketExtensions and Extensions registry. Changes
>   ticket_early_data_info code point (*)
>
> - Replace Client.key_shares in response to HRR (*)
>
> - Remove redundant labels for traffic key derivation (*)
>
> - Harmonize requirements about cipher suite matching: for resumption you
>   need to match KDF but for 0-RTT you need whole cipher suite. This
>   allows PSKs to actually negotiate cipher suites. (*)
>
> - Explicitly allow non-offered extensions in NewSessionTicket
>
> - Explicitly allow predicting ClientFinished for NST
>
> - Clarify conditions for allowing 0-RTT with PSK
>
>
> [0] The two remaining outstanding PRs are:
> #680: Forbid post-handshake authentication except when permitted by
>       application profile. This is almost entirely a requirements-level
>       change, though it would allow clients to send "unexpected_message"
>       when receiving an unexpected CertificateRequest.
>
> #612: TLS 1.3 -> TLS 2.0
>       This has no change on the wire format.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email