IETF Logo Mail Archive

Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design

Carrick Bartle <cbartle891@icloud.com> Wed, 12 February 2020 23:01 UTC

Return-Path: <cbartle891@icloud.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 778AD12002E for <tls@ietfa.amsl.com>; Wed, 12 Feb 2020 15:01:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sxC_4uSm0-G0 for <tls@ietfa.amsl.com>; Wed, 12 Feb 2020 15:01:28 -0800 (PST)
Received: from mr85p00im-hyfv06011301.me.com (mr85p00im-hyfv06011301.me.com [17.58.23.184]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BB82120026 for <tls@ietf.org>; Wed, 12 Feb 2020 15:01:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1581548487; bh=pkH58alwUOjaSITDs06vzYrPacn41n6/f4RFLcXo0ZE=; h=Content-Type:Subject:From:Date:Message-Id:To; b=EEyGlIxG4jSy4gBtqI4942JExVpqXKtgujhmvIdUPh7D/Ed9WlIwdb6csUE3l/jUx 5Ch+LIAWTexhOPro6Cchsy0bJ10SkYpVculKLPhH+iSVABMruYBg3yf3uB2T0OaMvA gqqe1EDfVmynhR3ZMgs27IlJ5UWyU9gxAUtSSvFyr1dBQxrBtALSkHqbILruAMZVUn fYFTqV152Lu7HthHYWeLJdd1XFgB9U5SPNcakwVjbzY4YVzkOvBqbaOt9BSdQk+lup G/Qc1Qfsj1ixx85wWExPI0VSHRvEabceSBGEoeKCTYXR1rpEqBJPzGU0AG3mz9i+bo rPz3DaKlvMisQ==
Received: from [17.230.167.54] (unknown [17.230.167.54]) by mr85p00im-hyfv06011301.me.com (Postfix) with ESMTPSA id 6F4025802D1; Wed, 12 Feb 2020 23:01:27 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.3\))
From: Carrick Bartle <cbartle891@icloud.com>
In-Reply-To: <284685f0-8b19-4870-aef6-573809827091@www.fastmail.com>
Date: Wed, 12 Feb 2020 15:01:26 -0800
Cc: tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D4DBD81C-6555-4EBD-AA77-49905CB88B22@icloud.com>
References: <CAFBh+SRAJAbviyrcQM2PjztumAH565i4-ui28OQ-pCJE9nePJg@mail.gmail.com> <284685f0-8b19-4870-aef6-573809827091@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3608.80.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-02-12_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-2002120159
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bFbxhhiETv3s3i3cmDJLyK73Qs4>
Subject: Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2020 23:01:31 -0000

> At a high level, I think that this would be easier if it were more clearly framed as *recommendations*

I'm brand new to the IETF, so please forgive me if I'm totally off base here, but my understanding is that Informational RFCs are explicitly not recommendations (let alone mandates)?

Per https://ietf.org/standards/process/informational-vs-experimental/:

'An "Informational" specification is published for the general information of the Internet community, and does not represent an Internet community consensus or recommendation.'




> On Feb 12, 2020, at 12:46 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> On Thu, Feb 13, 2020, at 06:26, Douglas Stebila wrote:
>> We would like to request the working group adopt
>> draft-stebila-tls-hybrid-design, "Hybrid key exchange in TLS 1.3", as
>> a working group item.  We have updated the draft based on feedback
>> we've received over the past few months, including from our
>> presentations at IETF 104 and 105, and think the current version
>> represents the view of the WG to date.
> 
> I agree that we should adopt this.  I think that the draft is broadly in the right shape.
> 
> Skimming through I noticed a few things that I would prefer to see eventually changed, but we can do that in the working group.
> 
> At a high level, I think that this would be easier if it were more clearly framed as *recommendations*, especially when it comes to the format of key shares and the input secret.  One advantage of the macro-level design is that the format is can be specified on a case-by-case basis.  For instance, variable-length values might be length-prefixed; fixed size values don't need to be.  That might avoid having to directly specify a single format. 
> 
> S 3.1 (Negotiation) suggests that a portion of the named group space be reserved for this use.  I think that is a bad idea because it implies semantics where none are necessary.  Picking codepoints as usual should suffice; indeed, random allocation might be ideal.
> 
> The concatenation approach is definitely my preferred approach, but the inconsistency between the design for key shares and secrets is curious.  This design assumes that shares are length-delimited; secrets are not.  The latter implies that the `ss` needs to be fixed length for a given algorithm (both the PQ and classical parts), but `ct`/`pk` does not.  I can guess at why, but when you can avoid the question, then I think you should.  That is, in favour of more generic recommendations on structure.
> 
> To answer some of the open questions:
> 
> Larger public keys and/or ciphertexts - if we need these, we're in serious trouble.  To give you an idea, even at 1k, these will start being much harder to deploy.  Getting close to 64k adds all sorts of complication.  Better to defer support for big messages.  Acknowledging the limitation should suffice.
> 
> Duplication of key shares - not so much an open question as something the draft could acknowledge as a cost.  As previously discussed X25519 is small enough that duplication doesn't hurt enough to care.
> 
> Variable-length shared secrets - see above.
> 
> Resumption - I would be supportive of policy recommendations about the strength of key exchange on resumption, but as we allow straight resumption without PSKs, this cannot be standardized.
> 
> Failures - If this were low enough, I'd be happy to try again.  From our perspective, this isn't technically challenging, it's merely annoying. If this were very low probability (as I would expect), then we might just accept the loss of the occasional connection attempt.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email