Re: [TLS] WGLC for "Guidance for External PSK Usage in TLS"

Russ Housley <> Fri, 22 January 2021 20:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A72F63A14E5 for <>; Fri, 22 Jan 2021 12:27:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 36ZIZ7eCEyTV for <>; Fri, 22 Jan 2021 12:27:10 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 34B6A3A14E4 for <>; Fri, 22 Jan 2021 12:27:10 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9C9F4300BA8 for <>; Fri, 22 Jan 2021 15:27:07 -0500 (EST)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id bB62ROqtHwCS for <>; Fri, 22 Jan 2021 15:27:05 -0500 (EST)
Received: from a860b60074bd.fios-router.home ( []) by (Postfix) with ESMTPSA id 42803300B82; Fri, 22 Jan 2021 15:27:05 -0500 (EST)
From: Russ Housley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F36716D7-87FE-47B0-886A-5BF49C9C4FC7"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Fri, 22 Jan 2021 15:27:06 -0500
In-Reply-To: <>
References: <> <> <>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <>
Subject: Re: [TLS] WGLC for "Guidance for External PSK Usage in TLS"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jan 2021 20:27:13 -0000


Thanks for you review and comments.

> We've only had one review in response to the last call so far,  I'd like to see a few more reviews of this document before moving it forward.  Are there any volunteers who can commit to a review in the near future?
> I've reviewed and have only a handful of minor comments.
> Section 1, opening: Password and key comparison seems rather weak, unless low-entropy PSKs are used. If low-entropy PSKs are a focus, then perhaps make this clearer, which will simultaneously strengthen the comparison. 

There is guidance on many other aspects of security as well.  Maybe this comparison is setting inappropriate expectations.  Maybe the first paragraph should avoid the comparison altogether.  I suggest:

   This document provides guidance on the use of external Pre-Shared
   Keys (PSKs) in Transport Layer Security (TLS) version 1.3 [RFC8446].
   This document lists TLS security properties provided by PSKs under
   certain assumptions and demonstrates how violations of these
   assumptions lead to attacks.  This document also discusses PSK use
   cases, provisioning processes, and TLS stack implementation support
   in the context of these assumptions.  It provides advice for
   applications in various use cases to help meet these assumptions.

> Section 4, "These keys do not provide protection of endpoint identities (see Section 5), nor do they provide non-repudiation (one endpoint in a connection can deny the conversation)": Perhaps relate to other modes of TLS which do provide such protection.

I suggest adding:

   Protection of endpoint identities and protection against an endpoint denying
   the conversation are possible when a fresh TLS handshake is performed.

> Section 4, "If this assumption is violated": The assumption has two aspects, namely, "each PSK is known to exactly one client and one server" and "these never switch roles." The following paragraph explains what happens if each PSK is known to more than one client, server, or both. But what if roles are switched? Whilst maintaining the former aspect of the assumption.

The only cases where that I have come up with where it is possible for the client and server to swap roles (like TLS between to mail servers) do not actually cause any trouble.  If a browser and a web server got confused about their roles, it could be a problem, but that does not seem likely to happen either.  Does anyone have a suggestion here?

> Section 4, "then the security properties of TLS are severely weakened": Perhaps add "as explained below" or similar.

Good idea.  Added.