Re: [TLS] OPTLS: Signature-less TLS 1.3

Nico Williams <> Tue, 11 November 2014 00:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9301D1AD37F for <>; Mon, 10 Nov 2014 16:52:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jJG98xnoFKRT for <>; Mon, 10 Nov 2014 16:52:23 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 98C041AD37C for <>; Mon, 10 Nov 2014 16:52:23 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 7871A20047B86; Mon, 10 Nov 2014 16:52:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=/QAUNfOoyRjKSf qpF287WvbmvMo=; b=RK7SFeLOZJ4jHJoDPCI3P6/Cusbk6o1hFD0s6rWtyuKKJX C/qLZB8Ja/gy7l5QW7igAEVWFBjdRB9JmqSY9MYWI+IyTC7FERyPxrtaFUrrp6pX QrfuK97ZfvPvCPCHE4xNgx6k9aQ4SrLfOwkHAArNpa+C/PPPbe5xNrenbD1Zw=
Received: from localhost ( []) (Authenticated sender: by (Postfix) with ESMTPA id 285D720047B84; Mon, 10 Nov 2014 16:52:23 -0800 (PST)
Date: Mon, 10 Nov 2014 18:52:22 -0600
From: Nico Williams <>
To: Daniel Kahn Gillmor <>
Message-ID: <20141111005220.GG3412@localhost>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Nov 2014 00:52:24 -0000

On Mon, Nov 10, 2014 at 02:15:34PM -1000, Daniel Kahn Gillmor wrote:
> On 11/10/2014 01:45 PM, Watson Ladd wrote:
> > Furthermore,  eliminating online certificates enables
> > isolation of certs without a performance penalty.
> if we get people to move their secret keys offline by replacing certs
> with something that is cert-equivalent for purposes of authentication,
> then what have we gained?

The ability to use cheaper, lower-performance HSMs, for one (maaaybe,
and only where one was using an HSM to begin with).  Or, put another
way, to handle more connections with a given HSM investment.  It's not
nothing.  But see below!

> The reason to move secret keys offline is to protect the identity
> credentials of the TLS endpoint, not because those keys are valuable in
> themselves.  If a delegation process creates a new object that is an
> identity credential for the TLS endpoint, and the secret part of that
> object remains online, we haven't actually gained anything.

The delegation has to have a short lifetime because otherwise it
might as well be a certificate issued by an intermediate CA...

...which the customer can't get because of the failure to widely
implement and deploy PKIX name constraints.

But also because of revocation: if you have to check the status of the
key then you lose the 0rt.

By putting a short lifetime on the delegation that problem goes away.
But then there's no advantage over plain session resumption.

Even if each 0rt connection can lengthen the delegatee key's life by
having the server send a fresh signature of the key as needed, the
server could also just refresh the session resumption state/ticket.

IMO the main value in static DH is in learning the server's static DH
pubkey out of band, via DNSSEC (DANE).  That eliminates all these
concerns while enabling 0rt connections _every_ time for servers that
have such keys.

Of course, 0rt connections can't provide proper PFS to data sent
immediately after the client's first TLS handshake message.  That's a
problem, no?