[TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support
David Benjamin <davidben@chromium.org> Wed, 20 November 2024 18:46 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4024EC14F6BA for <tls@ietfa.amsl.com>; Wed, 20 Nov 2024 10:46:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.403
X-Spam-Level:
X-Spam-Status: No, score=-9.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DiAhGf3AWl9n for <tls@ietfa.amsl.com>; Wed, 20 Nov 2024 10:46:36 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B562C14F6AB for <tls@ietf.org>; Wed, 20 Nov 2024 10:46:36 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id 46e09a7af769-718066adb47so3587a34.0 for <tls@ietf.org>; Wed, 20 Nov 2024 10:46:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1732128395; x=1732733195; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zzAOX0ZEpM+lttSaUnhpExpCHakSMM5Dk97e5y+ICN8=; b=lCVVOJz9KU0KX8Dgsiag4J1STu3/7qfJFTyUcOGKX1rGebSJ2rkuJdlDRmihV59Maf CLi3A9P2Ribafl+ODtjN2b20cz0EKALybW8Irm+2WdPkR7K4IApHPcb+BzbwFOa79hgW 6IwLWYzzSVjroKxvow1bjjqiFHL86+J5QPUv8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1732128395; x=1732733195; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zzAOX0ZEpM+lttSaUnhpExpCHakSMM5Dk97e5y+ICN8=; b=G3V89Mdkktqug02+z/agGAcEiaqubfaIYJDVb8t0faNGZlFHr+Fh+m/fNM4MlUo1qB k9+987dTvBZSFL9vqFopliYf37ZUTQ65C7enQCmlugbmlAnc2HQ9h6Lrl7WMA9sJRxuQ mzlOwOyT7FLq0ALIgBxOGbJOpXN4SJktuub0HfIUAdi02tKG/PlwXkbcITTQ2wrEne/0 YmsE0brCxDCIOPeBUq3JiHyh670nblCMFLi32xwZuMnas7QjBoTyiFNeZ0fPq6bzICcN fWvDk/2f0mJvFDMwd6UgjsABIrfk/gDvRG4NwzBBk81PVB0klnYLAf/b1ypnV04XAakn 4KyA==
X-Forwarded-Encrypted: i=1; AJvYcCUxlhWofV4NS90qiyjGyS6vY0GsVxpqwP7DomOaPUsRKooaDc72FnLWANxw0pzsOWY1exo=@ietf.org
X-Gm-Message-State: AOJu0YxRXkd1Ot4ZtngmHCcBbn6ry6zJ105PqukNMlDfR0MAxAsB2PMd GbkS0FdLevYSrHWJGZyAeoJAl/n+fRYCfBecpn2S1Y5NeNNksOB8dfR+GL1/Z6fYIkd6HdG3LQr jh6MqYpD3PxBD4XSWu5fwEIOSTAPDznknqHg=
X-Google-Smtp-Source: AGHT+IG8FoEyyamms+Qw7BMVhc8yHh18BAenR94bF/80w0MVFw1BRkiBqGoAMpJk8mzLDmv7eZSxRFWGOKZ7+Di9plg=
X-Received: by 2002:a05:6830:6b93:b0:718:105b:1185 with SMTP id 46e09a7af769-71ab311d4e8mr3886437a34.14.1732128395045; Wed, 20 Nov 2024 10:46:35 -0800 (PST)
MIME-Version: 1.0
References: <278163DF-0CB8-472F-84CB-0B8236FEC7C1@sn3rd.com> <231D5F24-E1AE-4F7C-9860-F6B0FF79D6FF@akamai.com> <CWXP265MB5153A14B88F7E5CC94E9BF9AC2212@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <67DD955A-3D13-E04F-9398-F5B37786F79A@hxcore.ol>
In-Reply-To: <67DD955A-3D13-E04F-9398-F5B37786F79A@hxcore.ol>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 20 Nov 2024 13:46:01 -0500
Message-ID: <CAF8qwaBg_Qjeic9k_7vKU9iTvLxrsOZ5uyPCkvMiQN+x2cXT5Q@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b1c18506275c912a"
Message-ID-Hash: TTGSVPDJGR5YKG5PE6TLCIUYHJFDTWW6
X-Message-ID-Hash: TTGSVPDJGR5YKG5PE6TLCIUYHJFDTWW6
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrew Campling <andrew.campling@419.consulting>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dRu4ssJYjUx0c7JrsDDV3RaCPxY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I did notice one odd thing about the TLS-LTS protocol change (keep in mind this document is *not* deployment considerations, but a whole new incompatible mode for TLS 1.2), regarding domain separation. Unless TLS LTS can fully enforce that the same key is never used for TLS 1.2 LTS and regular TLS 1.2 (on both the authenticating side and the relying party side), we need to worry about the security of the two protocols deployed together. TLS-LTS changes the signature payload to include the whole transcript so far: https://www.ietf.org/archive/id/draft-gutmann-tls-lts-14.html#section-3.1-11.1.1 It also changes the syntax of the ServerDHParams: https://www.ietf.org/archive/id/draft-gutmann-tls-lts-14.html#section-3.2-2.1.1 Now, signing a transcript is definitely a good move, and TLS's DHE construction was very much broken. This is why TLS 1.3 fixed both of these. But when we change the signing payload, we need to think about domain-separation. It should not be possible to take a signature generated in one context and substitute it in another context. The TLS 1.2 ServerKeyExchange signing payload is already fragile. ECDHE and DHE param formats are different, but the cipher suite is not bound into the signature. I don't have the paper off-hand, but I recall there was a near miss where the ECDHE and DHE payloads already nearly overlapped. Given that the new client_server_hello_hash fully overlaps with the old client_random (totally under the client's control) and then the new params overlap with the old server_random (totally under the server's control), it's... not immediately obvious to me whether this is fine. In comparison, TLS 1.3 prepends a context string and also includes a 64-byte prefix to clear the old client and server randoms. The former allows domain separation with future signing payloads, and the latter works around TLS 1.2's lack of a context string. This avoids needing to reason about overlapping payloads and who controls what, except the minimum needed to convince ourselves the 64-byte prefix separates from TLS 1.2 well enough. (Would be nice to avoid that too, but we can't change TLS 1.2's lack of a context string, only make sure we fix this going forward.) https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3 Additionally, if making an incompatible change to TLS 1.2 anyway, rather than adding dh_q to the parameters, I think we've since learned that negotiating named values is the way to go, hence the addition of FFDH values into the NamedGroup registry. (Though there are some other issues with using the same cipher suite values. RFC 7919 did not actually work to save TLS 1.2 DHE.) Of course, details like this are not adoption concerns. Adoption is just a question of whether the WG wants to take on a document as a starting point. I.e., normally, the question we should answer here is "do we want to extend TLS 1.2 to apply the smaller protocol fixes?". However, there was talk in the thread of not wanting to change the protocol anymore, in which case we would be unable to, say, apply TLS 1.3's fix to this. On Wed, Nov 20, 2024 at 12:58 PM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > -1. The TLS working group, and this document in particular, has > consistently ignored the products of the UTA working group. Specifically, > RFC 9325 [1] published a mere two years ago is not even referenced in the > draft, let alone a comparison made with these deployment recommendations > that were made by the very same IETF. (Yes you can hear my frustration > coming through). > > > > Thanks, > > Yaron > > > > [1] https://datatracker.ietf.org/doc/rfc9325/ > > > > > > On 20/11/2024, 19:27, "Andrew Campling" <andrew.campling@419.consulting> > wrote: > > +1, especially given the previous discussion on this topic on the list > back in 2016. > > > > > > Andrew > > > > -----Original Message----- > > From: Salz, Rich <rsalz@akamai.com> > > Sent: 05 November 2024 19:01 > > To: Sean Turner <sean@sn3rd.com>; TLS List <tls@ietf.org> > > Subject: [TLS] Re: Adoption call for TLS 1.2 Update for Long-term Support > > > > I strongly support adoption. > > > > I do not understand why anyone would be opposed to the IETF making > deployment recommendations. I can understand why someone might be bothered > by the impliciation that *THIS ONE WAY* is the only way to get long-term > support, especially if it's seen to contradict our encouragement of TLS > 1.3. But that is an editorial issue that can be easily fixed. > > > > I would like to see this adopted, a short change cycle, and then advanced > in the same cluster with our TLS 1.2 is frozen document. > > > > > > _______________________________________________ > > TLS mailing list -- tls@ietf.org > > To unsubscribe send an email to tls-leave@ietf.org > > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] Adoption call for TLS 1.2 Update for Long-t… Sean Turner
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Sean Turner
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Rob Sayre
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Alicja Kario
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Salz, Rich
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Thom Wiggers
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Viktor Dukhovni
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Christopher Wood
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Richard Barnes
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Martin Thomson
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Alicja Kario
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Sean Turner
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Nick Harper
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Arnaud Taddei
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Eric Rescorla
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… David A. Cooper
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Andrew Campling
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Yaron Sheffer
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… David Benjamin
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Yaron Sheffer
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Andrew Campling
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Salz, Rich
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Andrew Campling
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Rob Sayre
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Salz, Rich
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Rob Sayre
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Salz, Rich
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Alicja Kario
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Salz, Rich
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Salz, Rich
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Rob Sayre
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Pascal Urien
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Sean Turner
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Stephen Farrell
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Muhammad Usama Sardar
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Yaron Sheffer
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… David A. Cooper
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Bas Westerbaan
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… David A. Cooper
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Watson Ladd
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… David Benjamin
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Peter Gutmann
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Sean Turner
- [TLS] Re: Adoption call for TLS 1.2 Update for Lo… Rob Sayre