Re: [TLS] External PSK importers
Martin Thomson <martin.thomson@gmail.com> Tue, 30 October 2018 04:56 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5EE51288BD for <tls@ietfa.amsl.com>; Mon, 29 Oct 2018 21:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uU5dM2lXRPiY for <tls@ietfa.amsl.com>; Mon, 29 Oct 2018 21:56:11 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B177B126CB6 for <tls@ietf.org>; Mon, 29 Oct 2018 21:56:11 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id f21-v6so6119206oig.1 for <tls@ietf.org>; Mon, 29 Oct 2018 21:56:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=L53mFm8G+zQ8FZGKDXf4VdesFcAkAmpqkuECUpr8fbw=; b=T9rW12H0YXihQYc8SU6EEHaeVxXU9OqBOa2tYdqRf7ukF5EoUP1PGus0ekAo5epLHS hLwiB5VGrsRexc10T0P3sg1LaBzwUcX2FBCCncNgD49wM91NeocRPd8CQhrutOOqRqcE 35cFvnCYAL210KWTtHTDQP6fQnpi4KY0YkdeDks7gKwTP9RaJaIcpEyJyxJsYAsaBwqh AAgSjBEBWPYhL5zdG/gV5HsvujqqTMmM7XZfhnwPjzIybNjSoLiggl+VGjh2RfkxhMh2 R31g7v0aYPPdSR8Ak6tHN0VNJ5WoSK8Sp0XNRpcXEW4eR4XBkY8uUaWqjPn/WN9zGET/ c5iQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=L53mFm8G+zQ8FZGKDXf4VdesFcAkAmpqkuECUpr8fbw=; b=hpBsYQninSsQRbdJC7BN+/CT6rZrNwb9ll1EOiVG4xAycp3cnT1AE0XNrUAb5xCFI6 bor5+DirPD5JG4WEGRPXTBtxmtyn8hzy/Is2PKS00qdM0CrzrPmpyu7KX7a3MfvobAqf 6vyoByFzVfCBHvI1FXtOrLMtJJTJbKgSr8dESDEWO/ynjsWJYtsFmj3VqwH6bJgZ0kab 2h0Di2n4uxp3STmEb4MclQ3wuXW5bNJkN3yaxJLXqFDdcocbjf0SEJKbIitka+S2P3qB ZqPOL2PUw7WqDBkMJ96lpJ8/IbZdYoqAx0KA2TDC8aVSavyEsiN7SjBrVVC8BMX+fY+t s13g==
X-Gm-Message-State: AGRZ1gKxajQ8kBEFYe5XTqLj5BF3lMhtxyvEyz4SnXD5CbQHtc6Mohwo kHw7kYOGMlgxbT+QYU8kBl37UJxeqh5IClGxrQU=
X-Google-Smtp-Source: AJdET5df2WmBAjYjk2qnuQB6mIF39oDvwwIhQFEoQoeAb6562IfZRULecVmt9jUVdcsXLvjpce1kixntcd6iaYv1OYI=
X-Received: by 2002:aca:c792:: with SMTP id x140-v6mr9523345oif.129.1540875370993; Mon, 29 Oct 2018 21:56:10 -0700 (PDT)
MIME-Version: 1.0
References: <D8741E2F-9D4B-4405-8A73-33CDD39F2857@apple.com>
In-Reply-To: <D8741E2F-9D4B-4405-8A73-33CDD39F2857@apple.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 30 Oct 2018 15:56:01 +1100
Message-ID: <CABkgnnXwPRdcwPATaWMpvCb8NdDLBbWEzu9RmxJb0iPwUL75Jg@mail.gmail.com>
To: Chris Wood <cawood@apple.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aM4tiBUJFmoL6x1J5mXbwF6WCyI>
Subject: Re: [TLS] External PSK importers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2018 04:56:14 -0000
Happy to talk about this. Based on a quick reading, a few notes: You should do something more concrete with the label parameter. Keep in mind that both client and server need to agree on a use for this, so my initial intuition to put the server identity might not work, but it could be a start. The problem being that how the client identifies the server might not be something it shares with the server. You equivocate regarding the hash to use. If we're going to make this solid, then we need to follow good hygiene and say that each imported PSK needs to be used with just one hash function. You equivocate again more than I like about TLS 1.2. How about you reserve a label specifically for TLS 1.2 and feed the PSK through the expand function using that label? On Tue, Oct 30, 2018 at 3:41 PM Christopher Wood <cawood@apple.com> wrote: > > To resurrect the discussion around external PSKs and TLS 1.3, I wrote down the importer-based design Ekr and I discussed [1]. > > https://datatracker.ietf.org/doc/draft-wood-tls-external-psk-importer/ > > Time permitting, I’d like to present this in BKK. It would be useful to compare and contrast this against David’s Universal PSK draft [2]. > > Thanks, > Chris (chair hat off) > > [1] https://mailarchive.ietf.org/arch/msg/tls/FKB5oNxTVoIh59I3q9epHk6Q1Uw > [2] https://datatracker.ietf.org/doc/draft-davidben-tls-universal-psk/ > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] External PSK importers Christopher Wood
- Re: [TLS] External PSK importers Martin Thomson
- Re: [TLS] External PSK importers Christian Huitema
- Re: [TLS] External PSK importers Russ Housley
- Re: [TLS] External PSK importers Christian Huitema