Re: [TLS] Re-thinking OPTLS

Nico Williams <> Mon, 24 November 2014 06:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AC2D41A1BDD for <>; Sun, 23 Nov 2014 22:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.634
X-Spam-Level: *
X-Spam-Status: No, score=1.634 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_12=0.6, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SSlR48AtCT4x for <>; Sun, 23 Nov 2014 22:33:07 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id AA75E1A1BE5 for <>; Sun, 23 Nov 2014 22:33:07 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 3946E1DE060; Sun, 23 Nov 2014 22:33:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=0Ge6GUpn/osXem h+hxW1Xjk3NcY=; b=RnWTb6SVfP8UOGFoKWJgDWQ6Hdlk2XpfAxz40sRjo5kAYs 9GiQHPNQRESVILTmm6fKSknWaZtVbeevFnmoAKZZpfovL9CRlF7kxMzzox3DUp/k gYsUdiuZToljkDjx9o4Zeny+SLZSs0CGKKswrItvCKYLxctRsLGyplQD8eeRs=
Received: from localhost ( []) (Authenticated sender: by (Postfix) with ESMTPA id D9E741DE05D; Sun, 23 Nov 2014 22:33:06 -0800 (PST)
Date: Mon, 24 Nov 2014 00:33:06 -0600
From: Nico Williams <>
To: Hugo Krawczyk <>
Message-ID: <20141124063304.GA3200@localhost>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "" <>, Hoeteck Wee <>
Subject: Re: [TLS] Re-thinking OPTLS
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Nov 2014 06:33:08 -0000

I'm in favor of using static server (EC)DH keys for server
authentication and possible 0-RTT, particularly in connection
with DANE.

I *don't* think that OPTLS is worthwhile without connection to DANE, but
only because OPTLS is just an optimization with roughly the same
applicability as an existing optimization that is much faster: session
resumption [with encrypted session state tickets].

But since I think sprinkling DANE on is the obvious thing to do given
OPTLS as part of the protocol, I'm in favor.

Security-wise the use of static (EC)DH keys is well-understood (as well
understood as (EC)DH is in general).

The g^xs plus (not the arithmetic operator) g^xy method of obtaining PFS
is also OK, and heck, if need be the client could use two different x's,
and the protocol ought to allow it (not least because the client might
want to use different groups/ curves for PFS key agreement than for
authentication key agreement).