Re: [TLS] A la carte handshake negotiation

Dave Garrett <> Sun, 14 June 2015 15:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 58AE71B2F64 for <>; Sun, 14 Jun 2015 08:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qr4eaaipEkIc for <>; Sun, 14 Jun 2015 08:55:59 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c01::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 01FFB1A905B for <>; Sun, 14 Jun 2015 08:55:05 -0700 (PDT)
Received: by qcbfz6 with SMTP id fz6so325291qcb.0 for <>; Sun, 14 Jun 2015 08:55:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=7lRMNtqse3tWdrnqstHSLJcEU6xDKlVH7FmBEYWku2U=; b=ot9o1+vrQ8OkkXzQPV0Xz1vXup4AHs+HTwNWbiJQ1oF75vsv0Ntq9RstIdIinzIx2f 0cnim/ibfGDqSnF/gXCHrvaEGiaTP4ZHLGuDi/9udFWFGJwduGg+hDlMgTJp+HRiNx2E 4N9eM98xYEaZxtetEfRuHL3/xwYF9/YusMmg/YF52BdDPXCsC01expSt/9bf8BCc+NFZ ObHQB6BLwvznQ7UEzQA8vpHaIUrozan7k8Faj9JiZJa82fFvE3ulk/u2FjqqovYeC9yw tJ4zYTBM9r7jgCYbcQq7dCXsxgDHy6p6OMIsGDNYd2XOLtrqQd5I8T/XcifzMsvTgqLS 5fXA==
X-Received: by with SMTP id j69mr30155007qga.17.1434297304264; Sun, 14 Jun 2015 08:55:04 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id j62sm4856258qhc.33.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 14 Jun 2015 08:55:03 -0700 (PDT)
From: Dave Garrett <>
To: Ilari Liusvaara <>
Date: Sun, 14 Jun 2015 11:55:02 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <> <20150614063342.GA24954@LK-Perkele-VII>
In-Reply-To: <20150614063342.GA24954@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
Archived-At: <>
Cc: "<>" <>
Subject: Re: [TLS] A la carte handshake negotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 Jun 2015 15:56:01 -0000

On Sunday, June 14, 2015 02:33:42 am Ilari Liusvaara wrote:
> Trick of using empty cert and HMAC(PSK, ...) as authentication to unify
> GDHE_CERT and GDHE_PSK won't work if one is to remain compatible with
> TLS 1.2 DHE_PSK (or at least, requires further tricks).
> The problem is that in TLS 1.2, there is thing called PSK hint, which
> is optionally sent from server to client. Then client will chose its
> final PSK identity. In TLS 1.3, that sort of thing would need 1RTT
> miss, followed by extra message from the client to select the final
> PSK identity (and possibly also sending a missing group key if in

ekr is currently considering adding a PSK identity extension for the ClientHello. (it's in his current WIP branch, atm) It's just a simple extension to have the client send the id it wants. This is what I was saying would be all that was needed for PSK. The entire signatures extension wouldn't be needed; just send the PSK id (anon=null) and the supported groups extension. Selected NamedGroup selects FF/EC DHE; for plain PSK, don't send this extension either.

> And I think optional handshake messages are a bad idea, being souce
> of nasty bugs (situation-dependent is different thing).

Yes, that sort of thing is a risk. This has PSK & CERT largely separate, so within each use-case, not much is optional.

From an alternate perspective, this could be viewed as kicking PSK/anon out of TLS 1.3 proper and moving it entirely to a dedicated extension (though, defined in the same document).