Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
Russ Housley <housley@vigilsec.com> Wed, 06 December 2023 21:06 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 546A3C151717 for <tls@ietfa.amsl.com>; Wed, 6 Dec 2023 13:06:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NOOZ_frbLXsk for <tls@ietfa.amsl.com>; Wed, 6 Dec 2023 13:06:13 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCCA9C14F685 for <tls@ietf.org>; Wed, 6 Dec 2023 13:06:13 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id E668A1B2D3B; Wed, 6 Dec 2023 16:06:12 -0500 (EST)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id D1BD41B2F55; Wed, 6 Dec 2023 16:06:12 -0500 (EST)
Content-Type: multipart/signed; boundary="Apple-Mail=_10C3CCCD-7163-4A7C-8BC6-8330EB54C4AE"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <a3d5a39d-8d8d-4bb7-9a4e-92894e6f281c@cs.tcd.ie>
Date: Wed, 06 Dec 2023 16:06:02 -0500
Cc: John Mattsson <john.mattsson@ericsson.com>, IETF TLS <tls@ietf.org>
Message-Id: <8A7C29FE-345B-4C3F-B741-AE3A8A5A30FD@vigilsec.com>
References: <CAOgPGoCV9VQD+hqtorrRGi8+2V6dHfKr_ifAwUzECLVzJE=ZHQ@mail.gmail.com> <aacbbdc4-fb28-22cd-1fbd-a1c6b844f2ee@lounge.org> <GVXPR07MB967852472870E05C04FB70F68984A@GVXPR07MB9678.eurprd07.prod.outlook.com> <4BB96C09-1EDD-4D58-8491-86623E93369F@vigilsec.com> <a3d5a39d-8d8d-4bb7-9a4e-92894e6f281c@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.3731.700.6)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bz6KC80zSKnWkLxqSlYGawfN9DE>
Subject: Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Dec 2023 21:06:18 -0000
Stephen: Maybe. ECH would need to be updated to use PQC algorithms to get that protection. Ill add that point: Appendix E.6 of [RFC8446] discusses identity-exposure attacks on PSKs. Also, Appendix C.4 of [I-D.ietf-tls-rfc8446bis] discusses tracking prevention. The guidance in these sections remain relevant. If an external PSK identity is used for multiple connections, then an observer will generally be able track clients and/or servers across connections. The rotation of the external PSK identity or the use of the Encrypted Client Hello extension [I-D.ietf-tls-esni] with algorithms that a secure against a CRQC can mitigate this risk. Russ > On Dec 6, 2023, at 4:00 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > Hiya, > >> (3) The privacy considerations already talk about Appendix E.6 of >> [RFC8446]. I am please to add a pointer to ECH, but I do not think >> that ECH use should not be mandated. > > While I'm a fan of ECH, does it actually do the trick here? > If the adversary has a CRQC then we'd need an updated ECH > that's not vulnerable in that scenario, and we don't have > that now. (And it might be hard to get to, given MTU sizes.) > > Cheers, > S. > >> I suggest: >> Appendix E.6 of [RFC8446] discusses identity-exposure attacks on PSKs. Also, Appendix C.4 of [I-D.ietf-tls-rfc8446bis] discusses tracking prevention. The guidance in these sections remain >> relevant. >> If an external PSK identity is used for multiple connections, then >> an observer will generally be able track clients and/or servers >> across connections. The rotation of the external PSK identity or the >> use of the Encrypted Client Hello extension [I-D.ietf-tls-esni] can >> mitigate this risk. >> Russ >>> On Dec 6, 2023, at 11:51 AM, John Mattsson >>> <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote: >>> Hi, >>> I am quite convinced that the security properties are not worse >>> than a mixture of PSK authentication, PSK key exchange, (EC)DHE key >>> exchange, and signature authentication. >>> In some cases, this is very good. You get the quantum-resistance of >>> the PSK together with the PFS of ECDHE, and the entity >>> authentication and security policies of certificates. In other >>> cases, it is not so good as the reuse of a PSK identifier enables >>> tracking and potentially identification of both the client and the >>> server. I don’t think that such a field enabling tracking belongs >>> in modern TLS, but reuse of a PSK identifier is already in RFC 8446 >>> so this document does theoretically not make the worst-case worse. >>> If RFC 8773 is updated. I think the following things should be >>> updated: - The title and abstract only talks about PSK >>> authentication. The key exchange is likely more important to make >>> quantum-resistant than the authentication. I think the title and >>> abstract should talk about PSK key exchange. - I think the >>> paywalled references should be removed. I think paywalled >>> references are both a cybersecurity risk and a democracy problem >>> [1]. I don’t think they belong in RFCs unless absolutely necessary. >>> RFC 8446bis recently removed all paywalled references. - The >>> document should refer to section C.4 of RFC8446bis that now >>> includes a short discussion on that reuse of an PSK identifier >>> enables tracking. I think RFC8773bis should have a warning early >>> that the privacy properties are much worse than the normal >>> certificate-based authentication. This could be completely solved >>> by mandating ECH. Alternatively, it could be solved by sending the >>> PSK identifier after flight #1 when things are encrypted. >>> 3GPP specified the use of server certificate authentication >>> combined with PSK authentication and key exchange for TLS 1.2. As >>> that mode was not available in RFC 8446, 3GPP does not specify this >>> mode for TLS 1.3 but there have recently been discussions in 3GPP >>> about adding RFC 8773. I think the really bad privacy properties of >>> PSK in TLS 1.3 is a significant problem for 3GPP. The bad privacy >>> properties of TLS 1.3 with PSK have also been discussed several >>> times in EMU WG. I think a mode that sends the PSK identifier >>> encrypted would make a lot more sense for standard track. >>> I am not supportive of standard track unless the tracking problem >>> is solved. If the privacy problems are solved, I am however very >>> supportive. Adding an extra roundtrip is a small price to pay for >>> privacy. Adding a field (psk identifier) that can be used for >>> tracking to current certificate-based TLS is making privacy worse. >>> I don’t think that is a good idea or worthy of standards track. >>> Cheers, John Preuß Mattsson >>> [1] >>> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/6pgf5tFaAAAJ >>> >>> From: TLS <tls-bounces@ietf.org <mailto:tls-bounces@ietf.org>> on >>> behalf of Dan Harkins <dharkins@lounge.org >>> <mailto:dharkins@lounge.org>> Date: Wednesday, 6 December 2023 at >>> 14:50 To: TLS@ietf.org <mailto:TLS@ietf.org> <tls@ietf.org >>> <mailto:tls@ietf.org>> Subject: Re: [TLS] Call to Move RFC 8773 >>> from Experimental to Standards Track >>> Hi, >>> I approve of this transition to standards track and I am >>> implementing this as well. >>> regards, >>> Dan. >>> On 11/29/23 7:51 AM, Joseph Salowey wrote: >>>> RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication >>>> with an External Pre-Shared Key) was originally published as >>>> experimental due to lack of implementations. As part of >>>> implementation work for the EMU workitem >>>> draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is >>>> ongoing implementation work. Since the implementation status of >>>> RFC 8773 is changing, this is a consensus call to move RFC 8773 >>>> to standards track as reflected in [RFC8773bis](https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). >>>> > This will also help avoid downref for the EMU draft. Please indicate >>>> if you approve of or object to this transition to standards >>>> track status by December 15, 2023. >>>> Thanks, >>>> Joe, Sean, and Deirdre >>>> _______________________________________________ TLS mailing list TLS@ietf.org <mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls >>> -- "The object of life is not to be on the side of the majority, >>> but to escape finding oneself in the ranks of the insane." -- >>> Marcus Aurelius >>> _______________________________________________ TLS mailing list TLS@ietf.org <mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org <mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls >> _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls > <OpenPGP_0xE4D8E9F997A833DD.asc>
- [TLS] Call to Move RFC 8773 from Experimental to … Joseph Salowey
- Re: [TLS] Call to Move RFC 8773 from Experimental… Ira McDonald
- Re: [TLS] Call to Move RFC 8773 from Experimental… Salz, Rich
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Eric Rescorla
- Re: [TLS] Call to Move RFC 8773 from Experimental… Deirdre Connolly
- Re: [TLS] Call to Move RFC 8773 from Experimental… Deirdre Connolly
- Re: [TLS] Call to Move RFC 8773 from Experimental… Eric Rescorla
- Re: [TLS] Call to Move RFC 8773 from Experimental… Christian Huitema
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Christian Huitema
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Christian Huitema
- Re: [TLS] Call to Move RFC 8773 from Experimental… Ilari Liusvaara
- Re: [TLS] Call to Move RFC 8773 from Experimental… Dan Harkins
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Christian Huitema
- Re: [TLS] Call to Move RFC 8773 from Experimental… Stephen Farrell
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… John Mattsson
- Re: [TLS] Call to Move RFC 8773 from Experimental… Dennis Jackson
- [TLS] Privacy and PSK identifiers (was Re: Call t… Christian Huitema
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… John Mattsson
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Eric Rescorla
- Re: [TLS] Call to Move RFC 8773 from Experimental… John Mattsson
- Re: [TLS] Call to Move RFC 8773 from Experimental… Stephen Farrell
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Stephen Farrell
- Re: [TLS] Call to Move RFC 8773 from Experimental… Bas Westerbaan
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Stephen Farrell
- Re: [TLS] Call to Move RFC 8773 from Experimental… Bas Westerbaan
- Re: [TLS] Call to Move RFC 8773 from Experimental… Russ Housley
- Re: [TLS] Call to Move RFC 8773 from Experimental… Christian Huitema
- Re: [TLS] Call to Move RFC 8773 from Experimental… Watson Ladd
- Re: [TLS] Privacy and PSK identifiers (was Re: Ca… John Mattsson
- Re: [TLS] Call to Move RFC 8773 from Experimental… Bas Westerbaan
- Re: [TLS] Call to Move RFC 8773 from Experimental… Bas Westerbaan
- Re: [TLS] Call to Move RFC 8773 from Experimental… Rob Sayre
- Re: [TLS] Privacy and PSK identifiers (was Re: Ca… John Mattsson