[TLS] RFC 8773bis status
Joseph Salowey <joe@salowey.net> Tue, 11 March 2025 04:43 UTC
Return-Path: <joe@salowey.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CC9A69D4E0C for <tls@mail2.ietf.org>; Mon, 10 Mar 2025 21:43:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9AO9F4MjBfC for <tls@mail2.ietf.org>; Mon, 10 Mar 2025 21:43:55 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E8C3E9D4E05 for <tls@ietf.org>; Mon, 10 Mar 2025 21:43:55 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-307c13298eeso59437491fa.0 for <tls@ietf.org>; Mon, 10 Mar 2025 21:43:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1741668234; x=1742273034; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=N/9PyDkBNH5MBnh4zyDXePMK86GFtE9Peryic7V67DE=; b=is+FDiarE+haaBXfCoyJc9lLbQSBUhZoeAJIyI1TjA2JU0m+YMRqS4wpNu3UX9nphS 5/yy7DaMr25tpT//50vLodAmHMom+qiF5jZSYKyCtJrCTWPJ25oMxsyyDoxHOZDN+fPG PUxo9h2nOS5gpnoQU2byzmivvroR7JLELz9g9psuVvfx7DQn03sgO7b7Du9CIPBmGHMt pNpXtKJhYB+SJ4aPgww5rATqKc78fXd26siSmjV/OhX6xRAkT32AKzPeeEIfb1/h0DAd fiGvpAljciPgxJO/BAzlajVLf4dzx0BOFum3D0vRFg3rEB0OWekJIbZxpHtlFgR6OVYe PDJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1741668234; x=1742273034; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=N/9PyDkBNH5MBnh4zyDXePMK86GFtE9Peryic7V67DE=; b=EdjLFK2nh4vCkLhXT0sKl86WGQU0jQEgdCX+/7mz2m3WIa3g4Rf8GiA+OyoNyvkDA+ 8GWmZUrvH69Eev6NtiJz+g9uaqrudHvS3/8PSydGooBQQavRKHDSw4zxuTM+jWkkmjK0 fAeMxX81TKd6ICxqXAlgEXSelCXf/iQgMx+CYNTz3ZIiPZt/3TQM85VhP+ZLhrrrgGZe rdIQ168oFeCv20fPZWqtnDJqTfXBVRUfp1lYtK7Wmzq8Wd3mmSxeFq/FpdsOf63gFcnv gQ7FWTHannKVdSpvJ1OZgZA8ERtp3FDQ7c91YhpzZmvU6DAK2Mo9omfQPd9sog1Ml+DS 8WvQ==
X-Gm-Message-State: AOJu0YzZlm7E0Cp9j2+wrTHoW2tqo1n1RnXZBMSrjgr5JyLnB0wWnYJj 2ixyv6hctJKGn2Ot/WQ2mPA/meSRRJtXxzCS3b5Xah0cJ9EqqRHV6QnuYC8KclNCnrr3+KXjes+ pt1ZirXNc5lNoxLZEbBQvkIBRVeRiW/kWBXT6zyXtcU/I7mkInnw=
X-Gm-Gg: ASbGncsN1LmeTAXKNH5Hk7vJ3JopRdkpvhgx4VLf6AfXrMvwPDaI75MPts4T5sdSWbB h4dGu3nnTlD/NqHYGWZY9/Ru6PRDlEfnL//15m9HSEXGiyiA7ZP4wDVf92bScc8+gfp0Z7lE6ar zhrpEKe9Rx2T3zH9Y9FlgMwOrw7w==
X-Google-Smtp-Source: AGHT+IG61l9/u2V1PginEl7jC20TCx9QPc2Ax2qtE9ZbFV4QekzJrAe0Sq4G6s2nI3hnJQwnjT6NVmNTM2v4EKsrVgE=
X-Received: by 2002:a2e:b710:0:b0:30b:f2b4:8868 with SMTP id 38308e7fff4ca-30c20e3ee8fmr6118721fa.4.1741668233503; Mon, 10 Mar 2025 21:43:53 -0700 (PDT)
MIME-Version: 1.0
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 10 Mar 2025 21:43:42 -0700
X-Gm-Features: AQ5f1Jq0BxNnc5Ourb5K9X7oZhh5LasuvgqL37cbKc0CtdrUw_5DzjgHWiB_ty0
Message-ID: <CAOgPGoDGvftLp2x0LgqqDL1EYzfgyQKLfEHVyVhykbFxXMek3A@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006000d7063009bc5b"
Message-ID-Hash: FVQ5J4BM7Y45A35NU35O6D7C32X5ZCNN
X-Message-ID-Hash: FVQ5J4BM7Y45A35NU35O6D7C32X5ZCNN
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] RFC 8773bis status
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_bYerBVuqzPreWxGSYJtBpvRLSQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
draft-ietf-tls-8773bis has been in the “Held By WG” state since the Update to Standards Track / Working Group Last Call ended on 01 January 2024, see [0]. On 23 August 2024, we issued a consensus call to determine whether to require formal analysis in the symbolic model; see [1]. Between then and now, we tweaked the process somewhat to introduce a FATT point person and better described the process; see [2]. As a result, we: 1) Identified a FATT point person; Britta Hale generously offered to act as the point person for this draft - many thanks. 2) Received a FATT review report for draft-ietf-tls-8773bis; see [3] and please note the usage restrictions - many thanks again to the FATT members who participated in the review and to Britta for pulling it together. >From that report, we would like to note the following: Reviewer comments highlighted that the [-8773bis] technical changes to TLS through use of PSK are unlikely to introduce vulnerabilities to TLS in its current form, which should allay concerns from developers who rely on TLS security as-is and may have reservations about issues introduced by [-8773bis]. However, there were concerns about the claims of security offered under a quantum attacker and the [-8773bis] technical changes not aligning. To resolve the FATT comments, two courses of action were presented, namely reducing/revising security claims or seeking an analysis. Russ, the author, made adjustments to some of the security claims in the draft (see [4]) specially addressing some reviewer concerns about authenticity claims from the PSK. Some FATT open notes still remain, specifically that the draft claims continued TLS security against HNDL attacks. However, since the draft allows PSK reuse as well as group use, under a quantum attacker the draft does not provide “TLS security” but some form of group-like static key protection without the FS guarantees TLS now provides nor uniqueness of session keys. While this is not an issue with group PSKs under traditional attackers for the reason that the rest of the TLS handshake ensures unique client-server channel keys, it is an issue under a quantum attacker, which is the scenario that this draft claims TLS security against. The FATT recommendation was to select one of the following courses of action: a) restrict such PSK from reuse and group use to better match the intended TLS security, b) reduce or remove security claims on the TLS security provided under a quantum attacker, or c) seek analysis that will breakdown the exact security model that the draft provides and ensure the security considerations section matches that model. We will have time to discuss this at the IETF 122 meeting in Bangkok and will run a consensus call on the way forward soon after. Cheers, Sean, Deirdre, and Joe [0] Link to Update to Standards Track/Working Group Last Call completion message: https://mailarchive.ietf.org/arch/msg/tls/YLDjIzpwNB17dYlxmCPv-G3IdSk/ [1] Link to Consensus Call for Formal Analysis Requirement message: https://mailarchive.ietf.org/arch/msg/tls/M-ZBViaDQ0adftLrjZfZ-l7BMfI/ [2] Link to FATT process: https://github.com/tlswg/tls-fatt [3] Link to FATT report: https://github.com/tlswg/rfc8773bis/blob/main/fatt-review/IETF%20FATT%20Report%20-%208773bis.pdf [4] Link to diffs: https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-8773bis-04&url2=draft-ietf-tls-8773bis-05&difftype=--hwdiff
- [TLS] RFC 8773bis status Joseph Salowey