IETF Logo Mail Archive

Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track

John Mattsson <john.mattsson@ericsson.com> Mon, 11 December 2023 15:39 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04B32C14CEFD for <tls@ietfa.amsl.com>; Mon, 11 Dec 2023 07:39:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.008
X-Spam-Level:
X-Spam-Status: No, score=-7.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8adgf8pYI2Sy for <tls@ietfa.amsl.com>; Mon, 11 Dec 2023 07:39:00 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2044.outbound.protection.outlook.com [40.107.7.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05188C14F75F for <tls@ietf.org>; Mon, 11 Dec 2023 07:38:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=S9TS4URyh1CRPUMHYEtZt2rdJ4aOWKQUjWmOo/7+2J+Nq3SGqurkvHzmo/lka9IajLrpwhPjSzmpN/FZI9+2uwv/M3gE9/lQkVVNO9AaTJBpgquFSZpp8e2bND4gLKsLJVA6YdfAAVLnTdZfEDf7PtAhCB2+jv1L/6QvrYgCzISZO6WV2fniVOLD+qwpNOsTu/on9evIIvViEEbSBaKktBgJBfzBIVfcrPGxA7YVtpoyvQXQpk01MDCF7F7yN72sAOZal9KkLfTIZjtpwj8NOPnO8UpVjyt+26E5lVbiO4bcTe8mWQUA4mT8idOdeLFxhnp1CQHJJn5DY3xH2zV/7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WLgbSIbqZi9Iq9PSanslqdse6oMfPBD2lPlRw8zCX38=; b=gHNr8/crUq0oJ6MuYYIpBUFJ7uGSuTFxD1TaSDm0OIiQgfvLikrbkn0R+Yn06IHhOu+inJwsYKAc2qK5OC2Fw7xfL3RbiiN34cVyyAUIb1MjeEuUz8pQmfZDH3KhrNvGkInlDb10jaB3ZsKfxGrADAhBsJ7Bwcjw136q8ocavDpIu1SUd+DcHfk8d0nSiOFGdxZGAm+SgBgbO5rqbMPzvPK0RZku6jJZaNnMyBHEvbQVJ0ZKTPanuid52y/5KcngB7qGe3zcDUuJzxW/c5J1HT6MejxXE/qQKFyFy5swJxF1YZf3nfROIj+b/RPqnvJFrZ4ACQVdk+sEbTYmHrdsEw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WLgbSIbqZi9Iq9PSanslqdse6oMfPBD2lPlRw8zCX38=; b=qirZwvSdsauEMPHzm8JTA4gqkqHFetLT1LFU4g6+JEQH00cHHsmHy7jfjw2feiHOPpQHgdTbCBDD1XIy2yMCGtHQP0ZsRiFhe5HqovZmJ5zxltg79P41kqOFBt8ej505deJ2UIYk/TdivJ1xuo4LbhZiVOp0Z1IfaHZycAM26N39U8pFgok+MxYlKotgBDyGVitB84rp618gOuK/GQVgde7W69/+QcQ998suhrgmydTw+vg1zbcuUvD4HUDWzu6EfFqKHIG/8t5jnlhzmWYtiJFzJuss5c47dT5J1bWXV2CerstP7M/B3Kd7EG+t/gHbv+QE6E0HFEa8pU2PYzpJUg==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PA4PR07MB8551.eurprd07.prod.outlook.com (2603:10a6:102:26c::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7068.27; Mon, 11 Dec 2023 15:38:55 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5b7e:93e:145a:7cbb]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5b7e:93e:145a:7cbb%2]) with mapi id 15.20.7068.031; Mon, 11 Dec 2023 15:38:54 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
CC: IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
Thread-Index: AQHaItv4oc4sWdFa2EK26ez1iW3DkrCcUJKAgAAvSqmAAEYygIACwB5TgABHtoCABGvNTw==
Date: Mon, 11 Dec 2023 15:38:54 +0000
Message-ID: <GVXPR07MB96786F06313B5DF6F5C368FA898FA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <CAOgPGoCV9VQD+hqtorrRGi8+2V6dHfKr_ifAwUzECLVzJE=ZHQ@mail.gmail.com> <aacbbdc4-fb28-22cd-1fbd-a1c6b844f2ee@lounge.org> <GVXPR07MB967852472870E05C04FB70F68984A@GVXPR07MB9678.eurprd07.prod.outlook.com> <4BB96C09-1EDD-4D58-8491-86623E93369F@vigilsec.com> <GVXPR07MB9678FA670AE897AD0EEC3240898AA@GVXPR07MB9678.eurprd07.prod.outlook.com> <4B2DD280-58C6-40C9-89E1-1A9C6163F851@vigilsec.com>
In-Reply-To: <4B2DD280-58C6-40C9-89E1-1A9C6163F851@vigilsec.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PA4PR07MB8551:EE_
x-ms-office365-filtering-correlation-id: 1c89f72b-33eb-4b08-b71c-08dbfa5f4877
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ztk0rsWD6fbwcQOVPs/YJRmrmryyRegXn9rY+lT3BwjhJfWi0mIHR4tCsSSzwqs9fgMLGJ1RSD+qhGA3VeR7cZwqlTqgiHtaTaYsa3gGpiotlrxZcgtp13QFCOsJNjYAeI10yWLj4R83/QKjtMnnZAU0qn+K6s7xWXXLloGpvJrJWn19KHvhdSDWWnCsy3GTPV9XniE4179Y5BBRXum7GskVXcp8lxwIBt4wgrJTDJchvGHGDkhWPFKc1Zmp03ML+YhhLqpOHXRojMTOujNNyrLZik/oA1DHAJ+fZaaeQaToTSyte9hbs4g9M2sRVoPyjfWMsms2X2NQZAswPY0zv/6gcBIhV+/WUx/oJZsBhEFQ+QIIDe1AdNSp5j1Mu/i/O9Vyn5rJUZytKnngBsf+Ua+nDs1DRZ08z00FM1BujJT4XGICGn6tW8U2W1ZMACMZPPEcV5REwSFEmCr2669AHAtxUo5+TePqupQWFCRT7oEqjwAnOA4ajcfiB5gTcWptc7x64VsRSZdjp76fEfVXdiHovsyS91djeA0onASX+W0WFjfShrWnTwsPDTPOa3CGO13BH2/6Q9OdzTlnoE5ZjlnxFQba+KaeIo/w0S2b6xoet3jxD282fpyiuUC8c888ZYX5NVdA2If6DFsR08TX1gW7KeWjzmSB8kuL49s6tXmWPuj+3V5lGrFwynyha8lMNe2yL8+rQQdkjavDsSwPO8rAEG7cysrIlSaY4Ila6M0=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(136003)(396003)(376002)(346002)(366004)(230273577357003)(230922051799003)(230173577357003)(1800799012)(186009)(451199024)(64100799003)(71200400001)(55016003)(7696005)(33656002)(122000001)(82960400001)(2906002)(5660300002)(9686003)(30864003)(83380400001)(53546011)(166002)(6506007)(38070700009)(38100700002)(26005)(478600001)(66899024)(66476007)(66946007)(8676002)(66446008)(66556008)(76116006)(41300700001)(316002)(52536014)(8936002)(86362001)(966005)(64756008)(6916009)(4326008)(44832011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: avGPAlCf1EYFOqeTE3xsfDGH+HYIcvvrDSX2vOsQRAjfR7tdYClz/drkQnw4elaPGO7Wlk97cNSie9NhqztYhIByFqpJoPdn7z2WCuQ9j65N+wiLzZ4N9TAESSXFT0sDhpGDDt7VJPJ0zyO0Oj7soQkd2BuMDr/usKqcQCRTbxSorGOAtUlgib2/boCX54sKZUveVnjUFbMFmag+jAxi1KvZa84diHKbPmAaS1bkMQo2T7U50qnfTgEmHnJ1YVNUxLO+dBIVPwOZASU8nkGqx0MAcW8ROf5VqPJBpCi8G1WN4IibJRdQVGi8EgGjm2CAensppVOqEzvSCwSedEV7XrKB2ZJ3roJKO6qPZH0wsq10u24K4RF9GGIYPdfzstRR52otqOmM4gs4CETvA9Xg2oZYrJ3M/v7hP+ltsmskyuzGXF2SlmIGYFKxSQdfs7/LiSni8NYC/mtEuidwUSFtSXToznSRQ37EzGs3U9zvGwy1YGx2I+u2fxXTCDwNZYG2e8tp/lcDkhCQoIZ5h8TscJL3+QaeaYAJetNVRTWfWT0HFRWwAsPCOwaFySU/RQLXny+S9Wy20TlI7/I9K6LBc0vQ+SCM+BNuQ/50AyIVoRy7EvHYmFFOK4EgaAiI8PgQ5g15+ueUjBJxhwMVRY51gIynpo4dx280ga5KULyqRczEGu0V3x3AdDDJGTeDhHNKSba+kPRdvaK+DqVAopMVdSfi2Yyqi61c0YXv3zjQkuqD9Ag6mRlQ6Mpsm8q7gtO+0DC/FJAMiDB9B5owqeknsUJSb+6M4iuYuX5t4eMYf/PejL8K8MhBvRXIQFPHzg6fvAyKoMkUk6nE8llYFZNbS4rgIlqfRXaqQFxQg5lL5DLyrKwXSlAGrnru/TJT2aoP+ZVLEuOxucAU3aZV1PTetclZYXV9yJ3nkEfYa1dv5Qkdcgu1eDf87owKMTQzoMzowwKTJe+CcpXyxGERiycfHa4StHKFonYe9un8h9g8BJ6RwYBvsH4nKvTwbdUHe0R99BZrmK9uGU3NUKUu9bdS0k8wDVmvBRiQ9wBN1/e0QXk8XSqyLlOJCeYJadJ/DYtoePmN68UVvxQof+glbd6miTyHLOXnPVLg6wx2brJ0g/ybzenCP2hPvFpPIGMMtjFQIQtjU5ZesSFWoPntxk/TgjokcpZdxJD81518t1LydZ/30BMSJYTW2h/Cod+g5zQsWVwAnibBzUs8mw/fsghQ2NVJcLBiK83oe6tA4L6W0KP4T8vVf8p1IclzOPdMencD7hdbff+6A7Lir6Tu25bXcOiZdQsJWJFXk94uWNrWLwvkgae8PhWw65a1NqjW5TLAymEnebxA5w0CWQskNXnnTEG0zyp6mG7vQz5tUFK3V1CC4alyAljHN77R5MCg0P43gubvX2Mp2CQPvMF1xVRDRpvT17D+4Pl4hZif1XRizvPYt4PA432xSXsY8yWWc9XD3znvKBAy+QQD1vg6z8JJf45E2t/ZQS1oIBdbn9SUjk5kXQu8hGpVWMbCSTkG7ZA9ZyxUQmAmdnlDiliZt3cfYVYL1tE3EC4RbXOTpbHLOMl3lR9oywn2jqf4RxoXq/3H1w0iYUaa4b/jwZ650Lv8e8toBSKYEj9yzRmVSygAw0E=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB96786F06313B5DF6F5C368FA898FAGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1c89f72b-33eb-4b08-b71c-08dbfa5f4877
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2023 15:38:54.7448 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: C94GLeyeZFhDEZ6xY7oWhhbUxig2AH8DRpQ/9j9NJpp7VnDiQLn5Odrf3e3iLTx3B++t8sjHOf8dwJsfU9eiarzF2cYRjzipSk5BvltSEaQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR07MB8551
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZlgOWGDL_ylmmW4H3deEMKsbpuk>
Subject: Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2023 15:39:05 -0000

Hi Russ,

Seem like good suggested updates.

Russ Housley wrote:
>Can you point me to the 3GPP document that makes use of RFC 8773?  It should probably be referenced in Section 3.1 >as another example along with [I-D.ietf-emu-bootstrapped-tls].

Hi, Section 5.3 of TS 33.222 specifies "Shared key-based UE authentication with certificate-based NAF authentication". Other sections specified “Shared key-based mutual authentication” and “Certificate based mutual”. It was recently discussed in 3GPP if 5.3 should be updated to refer to RFC 8773.

But now when I look at TS 33.222 personally, I see that Section 5.3 actually uses HTTP Digest for the Shared key-based client authentication, not TLS PSK authentication. Must have been some misunderstanding. 3GPP does not use RFC 8773.

Cheers,
John Preuß Mattsson

From: Russ Housley <housley@vigilsec.com>
Date: Friday, 8 December 2023 at 20:08
To: John Mattsson <john.mattsson@ericsson.com>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
John:

Thanks for you thoughtful review.

Russ Housley wrote:
>   Appendix E.6 of [RFC8446] discusses identity-exposure attacks on
>   PSKs.  Also, Appendix C.4 of [I-D.ietf-tls-rfc8446bis] discusses
>   tracking prevention.  The guidance in these sections remain relevant.
>
>   If an external PSK identity is used for multiple connections, then an
>   observer will generally be able track clients and/or servers across
>   connections.  The rotation of the external PSK identity or the use of
>   the Encrypted Client Hello extension [I-D.ietf-tls-esni] can mitigate
>   this risk.

That seems like a good start. I think it would be good the TLS WG came up with additional guidelines/mechanisms/requirements for doing External PSK in a secure way that does not enable tracking. Using the same External PSK identifier for a long time should be discouraged. Maybe ECH is the solution. That would however be outside the scope of RFC 8773.

Some additional comments on RFC8773(bis):

- I think the abstact and introduction should talk about client authentication as well. Right now it only talks about server authentication. The external PSK provides both client and server authentication. The 3GPP use case for RFC 8773 is to use certificates for the server authentication and PSK for the client authentication.

Can you point me to the 3GPP document that makes use of RFC 8773?  It should probably be referenced in Section 3.1 as another example along with [I-D.ietf-emu-bootstrapped-tls].

Suggested Abstract update:

   This document specifies a TLS 1.3 extension that allows TLS clients
   and servers to authenticate with a combination of a certificate and
   an external pre-shared key (PSK).

Suggested Introduction update:

   The TLS 1.3 [RFC8446] handshake protocol provides two mutually
   exclusive forms of server authentication.  First, the server can be
   authenticated by providing a signature certificate and creating a
   valid digital signature to demonstrate that it possesses the
   corresponding private key.  Second, the server can be authenticated
   by demonstrating that it possesses a pre-shared key (PSK) that was
   established by a previous handshake.  A PSK that is established in
   this fashion is called a resumption PSK.  A PSK that is established
   by any other means is called an external PSK.

   A TLS 1.3 server that is authenticating with a certificate may
   optionally request a certificate from the TLS 1.3 client for
   authentication as described in Section 4.3.2 of [RFC8446].

   This document specifies a TLS 1.3 extension permitting certificate-
   based authentication to be combined with an external PSK as an input
   to the TLS 1.3 key schedule.


- When RFC 8773 was published, we did not have ML-KEM and ML-DSA, now we do. I think RFC8773bis should explain how and why the solution with External PSK is needed now that we have ML-KEM and ML-DSA. Is it needed when we get standard track ML-KEM and ML-DSA? CNSA 2.0 seems to indicate that ML-KEM and ML-DSA is enough for TOP SECRET, but I know that some european governments like to always combine External PSK with asymmetric crypto just to be on the safe side and to always get PFS.

I suggest an additional paragraph in Section 3.1:

   Quantum-resistant public-key cryptographic algorithms are becoming
   standards, but it will take many years for TLS 1.3 ciphersuites that
   use these algorithms to be developed and deployed.  In some
   environments, deployment of a strong external PSK provides protection
   until these quantum-resistant algorithms are deployed.

Russ



Cheers,
John Preuß Mattsson

From: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Date: Wednesday, 6 December 2023 at 21:51
To: John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>>
Cc: IETF TLS <tls@ietf.org<mailto:tls@ietf.org>>
Subject: Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
John:

I respond to your three suggested changes below:

(1) How about a title of "TLS 1.3 Extension for Using Certificates with an External Pre-Shared Key"

(2) None of the normative references are paywalled.  Two references are not RFCs or RFC errata or I-Ds or IANA web pages:

[GGM1986] is free access at https://dl.acm.org/doi/10.1145/6490.6503<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-aef859da111c15a9&q=1&e=8b806035-f71c-4c87-ae4f-a3492b6bc616&u=https%3A%2F%2Fdl.acm.org%2Fdoi%2F10.1145%2F6490.6503>

[K2016] I found the same paper at https://eprint.iacr.org/2016/711<https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-d749c4274f4cadbd&q=1&e=f8567c67-e0dc-46bd-a090-f1ec71dd4d35&u=https%3A%2F%2Feprint.iacr.org%2F2016%2F711>.  I'll point here.<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-6e0c9e24a3cecc9b&q=1&e=8b806035-f71c-4c87-ae4f-a3492b6bc616&u=https%3A%2F%2Feprint.iacr.org%2F2016%2F711>

(3) The privacy considerations already talk about Appendix E.6 of [RFC8446].  I am please to add a pointer to ECH, but I do not think that ECH use should not be mandated.

I suggest:

   Appendix E.6 of [RFC8446] discusses identity-exposure attacks on
   PSKs.  Also, Appendix C.4 of [I-D.ietf-tls-rfc8446bis] discusses
   tracking prevention.  The guidance in these sections remain relevant.

   If an external PSK identity is used for multiple connections, then an
   observer will generally be able track clients and/or servers across
   connections.  The rotation of the external PSK identity or the use of
   the Encrypted Client Hello extension [I-D.ietf-tls-esni] can mitigate
   this risk.

Russ


On Dec 6, 2023, at 11:51 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:john.mattsson=40ericsson.com@dmarc.ietf.org>> wrote:

Hi,

I am quite convinced that the security properties are not worse than a mixture of PSK authentication, PSK key exchange, (EC)DHE key exchange, and signature authentication.

In some cases, this is very good. You get the quantum-resistance of the PSK together with the PFS of ECDHE, and the entity authentication and security policies of certificates. In other cases, it is not so good as the reuse of a PSK identifier enables tracking and potentially identification of both the client and the server. I don’t think that such a field enabling tracking belongs in modern TLS, but reuse of a PSK identifier is already in RFC 8446 so this document does theoretically not make the worst-case worse.

If RFC 8773 is updated. I think the following things should be updated:
- The title and abstract only talks about PSK authentication. The key exchange is likely more important to make quantum-resistant than the authentication. I think the title and abstract should talk about PSK key exchange.
- I think the paywalled references should be removed. I think paywalled references are both a cybersecurity risk and a democracy problem [1]. I don’t think they belong in RFCs unless absolutely necessary. RFC 8446bis recently removed all paywalled references.
- The document should refer to section C.4 of RFC8446bis that now includes a short discussion on that reuse of an PSK identifier enables tracking. I think RFC8773bis should have a warning early that the privacy properties are much worse than the normal certificate-based authentication. This could be completely solved by mandating ECH. Alternatively, it could be solved by sending the PSK identifier after flight #1 when things are encrypted.

3GPP specified the use of server certificate authentication combined with PSK authentication and key exchange for TLS 1.2. As that mode was not available in RFC 8446, 3GPP does not specify this mode for TLS 1.3 but there have recently been discussions in 3GPP about adding RFC 8773. I think the really bad privacy properties of PSK in TLS 1.3 is a significant problem for 3GPP. The bad privacy properties of TLS 1.3 with PSK have also been discussed several times in EMU WG. I think a mode that sends the PSK identifier encrypted would make a lot more sense for standard track.

I am not supportive of standard track unless the tracking problem is solved. If the privacy problems are solved, I am however very supportive. Adding an extra roundtrip is a small price to pay for privacy. Adding a field (psk identifier) that can be used for tracking to current certificate-based TLS is making privacy worse. I don’t think that is a good idea or worthy of standards track.

Cheers,
John Preuß Mattsson

[1] https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/6pgf5tFaAAAJ<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-1dad7286c4a2ace2&q=1&e=8b806035-f71c-4c87-ae4f-a3492b6bc616&u=https%3A%2F%2Fgroups.google.com%2Fa%2Flist.nist.gov%2Fg%2Fpqc-forum%2Fc%2FW2VOzy0wz_E%2Fm%2F6pgf5tFaAAAJ>

From: TLS <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>> on behalf of Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>>
Date: Wednesday, 6 December 2023 at 14:50
To: TLS@ietf.org<mailto:TLS@ietf.org> <tls@ietf.org<mailto:tls@ietf.org>>
Subject: Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track

   Hi,

   I approve of this transition to standards track and I am implementing
this as well.

   regards,

   Dan.

On 11/29/23 7:51 AM, Joseph Salowey wrote:
> RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with
> an External Pre-Shared Key) was originally published as experimental
> due to lack of implementations. As part of implementation work for the
> EMU workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there
> is ongoing implementation work. Since the implementation status of RFC
> 8773 is changing, this is a consensus call to move RFC 8773 to
> standards track as reflected in
> [RFC8773bis](https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis).
> This will also help avoid downref for the EMU draft.  Please indicate
> if you approve of or object to this transition to standards track
> status by December 15, 2023.
>
> Thanks,
>
> Joe, Sean, and Deirdre
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org<mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls

--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email