Re: [TLS] New Internet-Draft: draft-housley-tls-tls13-cert-with-extern-psk-00

Martin Thomson <> Thu, 01 March 2018 21:54 UTC

From: Martin Thomson <>
Date: Fri, 02 Mar 2018 08:54:40 +1100
Message-ID: <>
To: Russ Housley <>

Hi Russ,

This seems like a welcome addition.  I'm not sure why you think that
PQ needs are a good motivation for this work though.  Managing
external PSKs is so unwieldy that it almost seems like this would do
more harm than good in that regard.  I find this more interesting from
the perspective of providing continuing proof of possession for keys
while also permitting the use of 0-RTT (and session continuation more

FWIW, I don't see any reason that this approach would be a problem
given that it is additive; the problem that Sam Scott et al. from
before was a result of important contextual information being omitted
from the transcript.

Why didn't you consider a new codepoint on psk_key_exchange_modes that
permits/requires use of the certificate?  The purpose of that
extension is to signal that a) you want PSK, and b) what additional
things are permitted alongside that PSK.

It's not clear from your text on client certificate authentication
whether your mode permits the server to omit its Certificate, but then
send CertificateRequest.  You should clarify that one way or other.


On Fri, Mar 2, 2018 at 8:37 AM, Russ Housley <> wrote:
> I would like to get comments on this Internet-Draft.  Once a round of
> comments have been received and folded into -01, I would like to work with
> folks that did the earlier proofs with Tamarin to make sure that this
> does not negatively impact the TLS 1.3 protocol changes that were made to
> eliminate the man-in-the-middle attack that they found in 2015.
> Thanks,
>   Russ
> From:
> Subject: New Version Notification for
> draft-housley-tls-tls13-cert-with-extern-psk-00.txt
> Date: March 1, 2018 at 4:13:44 PM EST
> To: "Russ Housley" <>
> A new version of I-D, draft-housley-tls-tls13-cert-with-extern-psk-00.txt
> has been successfully submitted by Russ Housley and posted to the
> IETF repository.
> Name: draft-housley-tls-tls13-cert-with-extern-psk
> Revision: 00
> Title: TLS 1.3 Extension for Certificate-based Authentication with an
> External Pre-Shared Key
> Document date: 2018-03-01
> Group: Individual Submission
> Pages: 9
> URL:
> Status:
> Htmlized:
> Htmlized:
> Abstract:
>   This document specifies a TLS 1.3 extension that allows a server to
>   authenticate with a combination of a certificate and an external pre-
>   shared key (PSK).
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> The IETF Secretariat
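The psk_key_exchange_modes extension that Martin's reply points to is a small fixed wire format (RFC 8446, Section 4.2.9), so an encoder/decoder shows concretely what "signal that you want PSK, and what is permitted alongside it" means on the wire. The code below is an added example for this archive page, not code from the thread, from either author, or from the draft. The codepoint PSK_CERT_KE = 2 is a hypothetical stand-in for the "new codepoint" the reply suggests; no RFC or draft assigns that value, and the function names are this example's own.

```python
"""Encoder/decoder for the TLS 1.3 psk_key_exchange_modes extension.

Wire format from RFC 8446, Section 4.2.9:
    enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
    struct { PskKeyExchangeMode ke_modes<1..255>; } PskKeyExchangeModes;
carried as extension type 45 inside the ClientHello.

Illustrative code written for this page; not from the thread or the draft.
PSK_CERT_KE = 2 is a HYPOTHETICAL codepoint standing in for the "new
codepoint" the reply suggests; no RFC or draft assigns it.
"""
import struct

PSK_KEY_EXCHANGE_MODES = 45   # extension type (RFC 8446)
PSK_KE = 0                    # PSK-only key establishment
PSK_DHE_KE = 1                # PSK with (EC)DHE
PSK_CERT_KE = 2               # hypothetical: PSK plus server certificate


def encode_psk_key_exchange_modes(modes):
    """Build the full extension (type, length, body) for a ClientHello."""
    if not 1 <= len(modes) <= 255:
        raise ValueError("ke_modes vector must hold 1..255 entries")
    if any(not 0 <= m <= 255 for m in modes):
        raise ValueError("each mode is a single byte")
    body = bytes([len(modes)]) + bytes(modes)
    return struct.pack("!HH", PSK_KEY_EXCHANGE_MODES, len(body)) + body


def decode_psk_key_exchange_modes(data):
    """Parse one extension blob; rejects truncation, trailing bytes and
    an empty ke_modes vector (the <1..255> lower bound)."""
    if len(data) < 4:
        raise ValueError("short extension header")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != PSK_KEY_EXCHANGE_MODES:
        raise ValueError("not psk_key_exchange_modes (type %d)" % ext_type)
    body = data[4:]
    if len(body) != ext_len:
        raise ValueError("extension length mismatch")
    # body[0] is the vector length; it must cover exactly the rest of the body
    if ext_len < 2 or body[0] != ext_len - 1:
        raise ValueError("malformed ke_modes vector")
    return list(body[1:])


def select_psk_mode(client_modes, server_supported):
    """Return the first client-offered mode the server supports, else None.

    The extension is the client's statement of what may accompany the PSK,
    so a server wanting to pair the PSK with its certificate would only do
    so if the client listed the (hypothetical) PSK_CERT_KE mode. Modes the
    server does not recognise are skipped rather than rejected.
    """
    for mode in client_modes:
        if mode in server_supported:
            return mode
    return None
```

The decoder deliberately fails closed on a zero-length vector and on any length field that does not match the bytes actually present, since a lenient parser here is the kind of transcript-ambiguity that the reply's remark about omitted context warns against.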