Re: [TLS] OPTLS: Signature-less TLS 1.3

Yoav Nir <ynir.ietf@gmail.com> Tue, 11 November 2014 01:53 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20141111005220.GG3412@localhost>
Date: Mon, 10 Nov 2014 15:53:35 -1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <8C76E955-0942-4343-B044-8E490C6264FB@gmail.com>
References: <CACsn0cnkRZ5ZzX0bHfVFsvsrNoJxU2Txs0O2YW386fsg9GF1vQ@mail.gmail.com> <CABcZeBMQc5Mb_FK3davMxi0oBgzawqCMaYp1DqGYgg3nEHYHHw@mail.gmail.com> <CADi0yUOZ8LqsJbTTZmYL6XgrTjWvTMqvFMd7euzv+xQPU9vPJg@mail.gmail.com> <CABcZeBM+CcG8Tr_+XZ6nkw4xJP8DGFXguvRvLGhTUXYdhEOUqA@mail.gmail.com> <87r3xdfzi1.fsf@alice.fifthhorseman.net> <CABkgnnWqppL-1VJORYfrwuKn8n=NO-rZX6LDTiq+-qxddsp1mg@mail.gmail.com> <87r3xawv8a.fsf@alice.fifthhorseman.net> <CABkgnnXWAZ78ir-62cnsZM080GAFzScNSv52SKGAc6ZRYM+++w@mail.gmail.com> <CACsn0c=nh1yDUcYGYSMBhUs0OnJJJeOh5CRT3qyz8ZEVQsdokA@mail.gmail.com> <54615526.5020504@fifthhorseman.net> <20141111005220.GG3412@localhost>
To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fOF2o5TPXsjYc0dsA4_7bTjB3Yo
Cc: tls@ietf.org
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
Precedence: list

> On Nov 10, 2014, at 2:52 PM, Nico Williams <nico@cryptonector.com> wrote:
> 
>> The reason to move secret keys offline is to protect the identity
>> credentials of the TLS endpoint, not because those keys are valuable in
>> themselves.  If a delegation process creates a new object that is an
>> identity credential for the TLS endpoint, and the secret part of that
>> object remains online, we haven't actually gained anything.
> 
> The delegation has to have a short lifetime because otherwise it
> might as well be a certificate issued by an intermediate CA...
> 
> ...which the customer can't get because of the failure to widely
> implement and deploy PKIX name constraints.
> 
> But also because of revocation: if you have to check the status of the
> key then you lose the 0rt.
> 
> By putting a short lifetime on the delegation that problem goes away.
> But then there's no advantage over plain session resumption.

How short is “short”? This is yet another thing that is hosed by the non-availability of a secure time signal. Clocks are skewed, so if you use a notAfter date that is less than 24 hours away, you’re going to have clients thinking that this has already passed. 

Sure, we MUST fix time. But we also MUST fix PKIX name constraints, and I think we’re close to solving the latter than we are to solving the former.

> Even if each 0rt connection can lengthen the delegatee key's life by
> having the server send a fresh signature of the key as needed, the
> server could also just refresh the session resumption state/ticket.
> 
> IMO the main value in static DH is in learning the server's static DH
> pubkey out of band, via DNSSEC (DANE).  That eliminates all these
> concerns while enabling 0rt connections _every_ time for servers that
> have such keys.

This assumes a deployed DNSSEC. That will happen some time after the secure time signal.

> Of course, 0rt connections can't provide proper PFS to data sent
> immediately after the client's first TLS handshake message.  That's a
> problem, no?

I guess you can’t have everything. 

Yoav

Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
[TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk