[TLS] Draft minutes for Tuesday

"Salz, Rich" <rsalz@akamai.com> Tue, 23 July 2019 22:12 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 091F012001B for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 15:12:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ky5biNTa4evk for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 15:11:58 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 624C1120996 for <tls@ietf.org>; Tue, 23 Jul 2019 15:11:58 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net []) by m0050093.ppops.net-00190b01. ( with SMTP id x6NM6l4R014312 for <tls@ietf.org>; Tue, 23 Jul 2019 23:11:58 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=gOFvRJV8O2X7Ot6plumaXEg538ceZ5KroHpEG9y3AT4=; b=SU/h4Hu/BxRkMDXoPRFIbs/h6JruX+GkBEZrR5470wGBIEL0Ghv40bnTHQl5GbhwM30t Y00kQPMX9DGrnzGCc3+tA1M/ADxcGq8aovVkgd8IulHV90e9zmwP2BKSY4QYKfy0Qn4b je8eKeAv1TVkTUNvbeTKaMq4022/KKX0J67d//e4U/42TkBpRKZYRmoVAA4gh4EWQkZz +uKT0l8FiqIVn0+3jJQMLj6E4Lve98zyFJRzMzcDzqn+eOIAw0h8Tl7rQLELho9Cw+E9 KqyyLzDtAjrsAUd97l2oQdep8LwqzZX6suGwdOjO4VVzaXxhY+jV6jYHpRrRdJeg8C2y 1w==
Received: from prod-mail-ppoint8 (prod-mail-ppoint8.akamai.com [] (may be forged)) by m0050093.ppops.net-00190b01. with ESMTP id 2tx60s9296-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Tue, 23 Jul 2019 23:11:57 +0100
Received: from pps.filterd (prod-mail-ppoint8.akamai.com []) by prod-mail-ppoint8.akamai.com ( with SMTP id x6NM24U5018145 for <tls@ietf.org>; Tue, 23 Jul 2019 18:11:57 -0400
Received: from email.msg.corp.akamai.com ([]) by prod-mail-ppoint8.akamai.com with ESMTP id 2tx62xsjhu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Tue, 23 Jul 2019 18:11:56 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ( by usma1ex-dag1mb1.msg.corp.akamai.com ( with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 23 Jul 2019 18:11:54 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([]) by usma1ex-dag1mb1.msg.corp.akamai.com ([]) with mapi id 15.00.1473.005; Tue, 23 Jul 2019 18:11:54 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Draft minutes for Tuesday
Thread-Index: AQHVQaOiOnYooVK1akiP0x470c1W2Q==
Date: Tue, 23 Jul 2019 22:11:54 +0000
Message-ID: <63A3AC36-E5DB-49F2-AD42-7B6672538A2F@akamai.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.1b.0.190715
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_63A3AC36E5DB49F2AD427B6672538A2Fakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-07-23_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1907230223
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:5.22.84,1.0.8 definitions=2019-07-23_09:2019-07-23,2019-07-23 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 lowpriorityscore=0 bulkscore=0 malwarescore=0 suspectscore=0 spamscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 clxscore=1015 phishscore=0 priorityscore=1501 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1906280000 definitions=main-1907230224
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XVmXbEGsMisQtVq2VuO4qiFIxNU>
Subject: [TLS] Draft minutes for Tuesday
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 22:12:11 -0000

Are on etherpad at https://etherpad.ietf.org/p/notes-ietf-105-tls

Cut/pasted here (but more readable there):
TLS at IETF 105


Status update (drafts, code points, etc) -- see the slides

CFRG working on PAKE selection;  integration with TLS is obviously important, come to CFRG meeting.

Delegated credentials

  *   Server side patch in boringSSL; NSS client side soon to be in FF nightly; FB work in progress

  *   Plan to drop LURK mention, remove PKCS#1 v1.5 (RSA PSS only) [Martin says needs more text for clarity]

  *   Plan was to not go forward without proof that this doesn't weaken PKI security; a by-hand one is in progress

  *   Refine "Delegated credentials" term to "Delegated authentication keys"

  *   Plan is to start WGLC, but make sure it isn't finished until the analysis is done and reviewed by the WG

Deprecate MD5 and SHA1 in TLS 1.2

  *   Make signature_algorithms mandatory in handshake; forbig MD5 and SHA1 algs in that extension

  *   Andrei says MSFT can't enforce now but willing to do so in the future

  *   Consensus in room is to adopt as a WG item; to be confirmed on the list

TLS Flags Extension

  *   TLS 1.2 has 46 extensions; TLS 1.3 has 28; more coming

  *   Many extensions have no data, just 1 bit of data (their presence) -- call them "flag extensions"

  *   Various methods (fixed-size bitmask, varying-size bitmask, array of bytes, etc)

  *   Can't re-do existing extensions (at least in clientHello), but server response and other messages could do so

  *   Consensus in room is to adopt as a WG item; to be confirmed on the list

Suppress Intermediates

  *   A new flag in clientHello says "don't send intermediates"

  *   Not clear what to do if intermediate ends up not being available; options are then ugly

  *   Server would ignore extension if it "knows" its chain is "unusual" ("weird" etc)

  *   There is interest, but not ready to ask for adoption yet

TLS 1.3 Impact on Network Based Security Solutions

  *   Network solutions sometimes insert a middlebox proxy between the client and the server, observers TLS metadata to do policy and access control. TLS 1.3 handshake changes affect these solutions.

  *   Incorporated feedback, has been stable since IETF 104. New commentary started today.

  *   Original plan was to ask for publication as informational even though it's not in charter.

  *   More people read this draft than any other draft; interesting and surprising factoid.

  *   Adjourn without action.