Re: [TLS] TLS 1.2 Long-term Support Profile draft posted

Sven Schäge <> Sat, 19 March 2016 21:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AAAF612D53D for <>; Sat, 19 Mar 2016 14:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9MPXq4VKPGFp for <>; Sat, 19 Mar 2016 14:06:32 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A7B8312D50C for <>; Sat, 19 Mar 2016 14:06:32 -0700 (PDT)
Received: by with SMTP id d205so113933946oia.0 for <>; Sat, 19 Mar 2016 14:06:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=31K1yExy17eP7atc4EVPQ9USRzekA2jbCEnLuO4Acmk=; b=fU8eaeWs7o+R+Z9563YJ5YYy5eaKVBdGmggZBZnu1Q5Stp28yDkvBK3YzBeCgnwPxV k+RbrNklLZ84yLjMez7NSsKBGHxvC/QmR2I+f01SAU0jPzA/DSD/luZcsVlzEuSC/3Ed I5uAAWKzTW9Htkl1UYVJyb+cCJrg3S6OEBdrSTIoE6btACKLTOX95LMvdH83KT4yRovb R7+DHXytMiWzVo/EnsDtI7v1v6KqnYZSgoY4wI0G0PrRaYpK4RotUJzJ3/qxNRy2UnrW dGvHzQ0yxRmnStjcefDGxOoxxufW+wxkiCI/j32oN1JGx7nmiCu0e7synPZKmqHnFDny CN7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=31K1yExy17eP7atc4EVPQ9USRzekA2jbCEnLuO4Acmk=; b=TmdQdziO3OKDkLCnDb9Sk2+RMiwQApLvTldk8BPM9PmbsrrThvOCLTG8cbXFjzJTlp XBJcsAkHVNm8cVlGJkKoma/DbkaUr1bY1iG9Ko5EMcs23j2YM7+9vZQuTmWF+G+suUPi aoAI1KLTzWBgSdSEXLGkxl1ZCf0wBHVjxav1DSXLkCU6P1ydu9Y+mZ9xdr8Gw8aZq18K +IeBeOqR1h1Mwp3WCHUEzhVjNvd71HiKgDfhLYkWu6xtCXx2WiYYy0h4FBZmvSaX5Nus MOwAs9TV8HLWC+6IMAroZKE91nlMvGSaefEJX8aIgVN/CrmYr62tBGS4cdh5OJrtYcny k6ng==
X-Gm-Message-State: AD7BkJJnrNrn5FzoJ9yglqfWfmSdYDyckiH7xUlLPzDsQePLVhQ/RKh7MkXyr3j76QJCV3G6DH0m+Q1duLMVfw==
MIME-Version: 1.0
X-Received: by with SMTP id u84mr13471977oig.93.1458421592065; Sat, 19 Mar 2016 14:06:32 -0700 (PDT)
Received: by with HTTP; Sat, 19 Mar 2016 14:06:31 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Sat, 19 Mar 2016 22:06:31 +0100
X-Google-Sender-Auth: isjKF5VammgHtzDQlbt2HBhsId0
Message-ID: <>
From: =?UTF-8?B?U3ZlbiBTY2jDpGdl?= <>
To: "Paterson, Kenny" <>
Content-Type: multipart/alternative; boundary=001a113d526ced8eed052e6d3cf7
Archived-At: <>
Cc: "<>" <>
Subject: Re: [TLS] TLS 1.2 Long-term Support Profile draft posted
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 19 Mar 2016 21:06:35 -0000

Dear Kenny,

thank you for clarifying the state of the cryptographic analysis of TLS 1.2
and 1.3! I also do not see TLS 1.3 being nearly as good understood from a
security standpoint as the previous version. This is only natural given
that it is so recent. I am also not quite happy with the existing results
and their meaning for the final version of the standard (although I really
am happy that the cryptographic community in general accompanies the
standard development process.)
I would expect the most valuable results to be published once there is an
entirely fixed candidate specification. As Hugo has mentioned several times
details really matter. Therefore I really like the idea of giving
cryptographers time to analyse the final candidate quite thoroughly before

And no, you guys are not the only ones reading this.

Many greetings,

2016-03-16 20:26 GMT+01:00 Paterson, Kenny <>uk>:

> Hi
> On 16/03/2016 18:44, "Watson Ladd" <> wrote:
> >On Wed, Mar 16, 2016 at 11:22 AM, Paterson, Kenny
> ><> wrote:
> >> Hi
> >>
> >> On 16/03/2016 15:02, "TLS on behalf of Watson Ladd"
> >><
> >> on behalf of> wrote:
> >>
> >> <snip>
> >>
> >>>The analysis of TLS 1.3 is just wrong. TLS 1.3 has been far more
> >>>extensively analyzed then TLS 1.2. It's almost like you don't believe
> >>>cryptography exists: that is a body of knowledge that can demonstrate
> >>>that protocols are secure, and which has been applied to the draft.
> >>
> >> This is patently untrue. There is a vast body of research analysing TLS
> >> 1.2 and earlier. A good survey article is here:
> >>
> >>
> >
> >There's a vast literature, but much of it makes simplifying
> >assumptions or doesn't address the complete protocol.
> Correct, but that does not make it irrelevant or valueless. Or are you
> actually saying that it does? Quite a sweeping presumption; see
> immediately below.
> >The first really
> >complete analysis was miTLS AFAIK.
> Yes, and even there the analysis was done step by step, spread out over a
> series of papers which gradually built up the complexity of the code-base
> being handled. And, in parallel, various other groups were doing hand
> proofs of abstractions of the core protocol. And I believe it's fair to
> say - from having discussed it extensively with the people involved - that
> the miTLS final analysis benefitted a lot from the experience gained by
> the teams doing the hand proofs, going right back to a paper in 2002 by
> Jonsson and Kaliski Jr.
> My point is that the TLS 1.2 "final" analysis represented by the miTLS
> work was the culmination of a long line of research involving many people
> and influenced by many sources.
> > Furthermore, a lot of the barriers
> >to analysis in TLS 1.2 got removed in TLS 1.3.
> Unfortunately, some of them may be coming back again. But again, this has
> nothing to do with the argument you were making.
> >The question is not how
> >many papers are written, but how much the papers can say about the
> >protocol as implemented. And from that perspective TLS 1.3's Tamarin
> >model is a fairly important step, where the equivalent steps in TLS
> >1.2 got reached only much later.
> The timing is entirely irrelevant to the argument you were making.
> I agree though that it's about the depth and reach of the analysis. And
> from this perspective, I'd say that TLS 1.3 is still way behind TLS 1.2,
> despite the very nice analyses done by Sam and Thyla (and their
> collaborators), by Hugo & Hoeteck, and by Felix & co.
> I could go further, but I expect that, by now, only you and I are actually
> reading this.
> >It's true 0-RTT isn't included: so don't do it. But I think if we
> >subset (not add additional implementation requirements) TLS 1.3
> >appropriately we end up with a long-term profile that's more useable
> >than if we subset TLS 1.2, and definitely more than adding to the set
> >of mechanisms. I think claims that TLS 1.3 outside of 0-RTT is likely
> >to have crypto weaknesses due to newness are vastly overstated.
> I didn't make that claim.
> Cheers
> Kenny
> >--
> >"Man is born free, but everywhere he is in chains".
> >--Rousseau.
> "If I have seen further it is by standing on the shoulders of Giants"
> -- Newton, in a letter to Robert Hooke
> _______________________________________________
> TLS mailing list