IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-prediction next steps

Bas Westerbaan <bas@cloudflare.com> Tue, 10 September 2024 22:06 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBECC18DB82 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 15:06:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G9SKhAYVT70N for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 15:06:04 -0700 (PDT)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3B42C1840FE for <tls@ietf.org>; Tue, 10 Sep 2024 15:06:04 -0700 (PDT)
Received: by mail-yb1-xb35.google.com with SMTP id 3f1490d57ef6-e04196b7603so5919822276.0 for <tls@ietf.org>; Tue, 10 Sep 2024 15:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1726005963; x=1726610763; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gCmqUyKRuWjTaqkerYGsJoAkeb7DMbYxmCNcPZ+tEBo=; b=KswdjLEsXpAnLwZIm+UUWMx+hgfaRqg8axhiS/6Gv/VJLHxcjfCOcIHlVeohx81y7U plF/0fYVsRvjdz3pGyKN+2WjQMFoM+udzyddXlUivRRaJ5ClmWiwGcUjo26KsekLHpj5 sKGjgsYjrhbdN3PIWSFguxT/ptGTspoKVDak4df3bjItBJxPasEzGk4GqAQXh2QDsxGV 3Emo1fiiJjzcWLAUKKxiQuB1ccqVcXSPT0qOvAXx85xrGxvPh0C6U4MJJkgM1PLVDhG5 tFLAnkBIUgEkLn0zLAI9SX1LjMjiK9u8Mk3i8HedsFrQmYrb4UlWJjt9IyXfN1ta1S8+ vcuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726005963; x=1726610763; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gCmqUyKRuWjTaqkerYGsJoAkeb7DMbYxmCNcPZ+tEBo=; b=McNWAL4G5AGQKG6j/Cv2Dyo/1gYQCAVD3Ja/xzRxulFrm1HOM+6IBn/QN+MfcIaR6e 6R/hbFqQhd/uzNW17pTTv1twME0W5di2noZ9jaWn76RwIqam9U5X7Sya6wykOFf/WSTf A87nNEtlCtQFokLF+bC9ZvZcHJMoQH3MacNPw+BLvrqizMzoEZ8COIdm1zYbt04M2HFe Bevi8jeu1KUvRw5uZiAangy2e1LHzNjuV3CN3jLBA9GBbmAsLWbOupbUfBVQDHvhH1SE p4agFBXZSc5tmTaYETTXAueqvNgyiAA3Xp+vXrXvck3+Exqf8E26uYBAXr9MYXBR5nMQ Ll4g==
X-Forwarded-Encrypted: i=1; AJvYcCWi+LJuvDkV2VWv/i51CWCOxUTS0wssUQlGi9XEK9Tw5HYbiadzZpJOLRzjXDbr2viwKmw=@ietf.org
X-Gm-Message-State: AOJu0Yx+CHmVzz7eJDri8TmAvrudgmrMBKmIvxOx8bKIJJh7bPhHsDtU UROjwYeTFUAyImeidJuLMDeGFsGkGE37R6RhTdfcVYdMPzPxH0hfP/yrEy6P/udZt/a7bsewuKa Oe6677deRbkHQ4bok2dVeL0wQQV4+aS2BDG4ycg==
X-Google-Smtp-Source: AGHT+IFE3vOoNZL+G/F+Wy07WpBdqq6y8YRV1oUexPtsQBJ5eNzpy5DT9IiqkAxsPx16HDzZZFPSj9bbAGIJcD66haI=
X-Received: by 2002:a05:6902:1022:b0:e11:7869:9fd with SMTP id 3f1490d57ef6-e1d348661b5mr14549459276.7.1726005963017; Tue, 10 Sep 2024 15:06:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com> <DS7PR21MB37163D5C728E7917A939E30D8C9A2@DS7PR21MB3716.namprd21.prod.outlook.com>
In-Reply-To: <DS7PR21MB37163D5C728E7917A939E30D8C9A2@DS7PR21MB3716.namprd21.prod.outlook.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Wed, 11 Sep 2024 00:05:51 +0200
Message-ID: <CAMjbhoXj55Lmz_n2fUHjO76zHcrXeo2ca=Y98To+scZhybv9Dw@mail.gmail.com>
To: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004ec1650621cb1457"
Message-ID-Hash: DKIYK5QIIRUBLW67E3CKNR2PHVMWOEQV
X-Message-ID-Hash: DKIYK5QIIRUBLW67E3CKNR2PHVMWOEQV
X-MailFrom: bas@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [EXTERNAL] draft-ietf-tls-key-share-prediction next steps
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_sS6zQ6r2An5T3LgXvRaKxCByu8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Same.

On Tue, Sep 10, 2024 at 11:51 PM Andrei Popov <Andrei.Popov=
40microsoft.com@dmarc.ietf.org> wrote:

> I support staying the course, continuing work on the key share prediction
> draft and allocating the code point.
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* David Benjamin <davidben@chromium.org>
> *Sent:* Tuesday, September 10, 2024 2:40 PM
> *To:* <tls@ietf.org> <tls@ietf.org>
> *Subject:* [EXTERNAL] [TLS] draft-ietf-tls-key-share-prediction next steps
>
>
>
> Hi all,
>
>
>
> Now that we're working through the Kyber to ML-KEM transition, TLS 1.3's
> awkwardness around key share prediction is becoming starkly visible. (It is
> difficult for clients to efficiently offer both Kyber and ML-KEM, but a
> hard transition loses PQ coverage for some clients. Kyber was a draft
> standard, just deployed by early adopters, so while not ideal, I think the
> hard transition is not the end of the world. ML-KEM is expected to be
> durable, so a coverage-interrupting transition to FancyNewKEM *would* be
> a problem.)
>
>
>
> We adopted draft-ietf-tls-key-share-prediction in June to address this.
> There hasn't been a whole lot to do on it since. I've cut a new draft,
> draft-ietf-tls-key-share-prediction-01, with some very minor changes that
> were queued up in GitHub. I'd like to sort out next steps and move forward.
>
>
>
> Beyond that, there are a couple of minor issues in the issue tracker. I
> don't believe either of these need to block getting a codepoint.
>
> https://github.com/tlswg/tls-key-share-prediction/issues/4 - unless
> folks think otherwise, I plan to just leave this alone and close this
>
> https://github.com/tlswg/tls-key-share-prediction/issues/7 - unless folks
> think otherwise, I plan to just leave this alone and not require the
> receiver to check
>
>
>
> Finally, there's the question of downgrade protection:
>
> https://github.com/tlswg/tls-key-share-prediction/issues/11
>
>
>
> For some background if folks have forgotten, the original key share
> prediction draft included a ton of complexity to accommodate existing
> server behavior that would preferentially pick groups out of key_share even
> if an otherwise more preferred group was in supported_groups. Depending on
> what the server was trying to do there, this could be perfectly fine (if
> the server believes the groups are comparable in security) or a downgrade
> risk (if the server actually believed they were in different security
> classes---PQ vs classical---but implemented a key_share-first selection
> algorithm anyway). Pre-adoption, my original draft took the position that
> it was ambiguous and we cannot safely assume the server knew what it was
> doing. It designed a scheme to clarify the semantics going forward and use
> codepoints to ratchet in whether the server implemented the new semantics.
>
>
> https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html
>
>
>
> After WG discussion, I think we broadly concluded the semantics were
> actually already present in RFC 8446, and it was not worth the trouble to
> second-guess the servers here. That led to the much simpler draft, which
> simply discusses why this is OK in security considerations:
>
>
> https://www.ietf.org/archive/id/draft-ietf-tls-key-share-prediction-01.html#name-security-considerations
>
>
>
> As I wrote that text, I unsurprisingly agree with and am fine with this
> outcome. :-) But there was some chatter about it in the adoption thread
> (see GitHub link), so I filed the issue so we continued to discuss it. I
> think perhaps now is the time to discuss it, if we're going to. Do folks
> want to discuss it? Are there alternate proposals, or should we just stay
> the course? Unless we have an alternate proposal, I propose we just stay
> the course and go with [what I understand the conclusion to be from] the
> previous WG discussion.
>
>
>
> If there are no further significant changes that folks want to make, I
> would like to propose we get a codepoint for this and unblock
> implementation. The earlier this is ready, the more likely that we will be
> prepared by the time the next KEM transition happens.
>
>
>
> Thoughts?
>
>
>
> David
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status