Re: [TLS] External PSK design team

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 03 February 2020 22:07 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
CC: Björn Haase <bjoern.haase@endress.com>, TLS List <tls@ietf.org>, Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hJEugSFUlEnshnS03wdP_EKWo1k>

I’m also interested in helping here for potential applicability for IoT device onboarding.

From: TLS <tls-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: 21 January 2020 14:52
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Björn Haase <bjoern.haase@endress.com>; TLS List <tls@ietf.org>; Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Subject: Re: [TLS] External PSK design team

I am willing to contribute.

-Ekr


On Tue, Jan 21, 2020 at 2:50 AM Jonathan Hoyland <jonathan.hoyland@gmail.com> wrote:
Hi All,

This is something I'm very interested in.

Definitely want to participate.

Regards,

Jonathan

On Tue, 21 Jan 2020 at 10:04, Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org> wrote:
I would let CFRG deal with the PAKE selection process:
https://mailarchive.ietf.org/arch/msg/cfrg/-a1sW3jK_5avmb98zmFbCNLmpAs
and not have this design team spend time and energy on designing PAKEs.

--Mohit

On 1/21/20 11:52 AM, Björn Haase wrote:
> Hello to all,
>
> I am also willing to contribute. My concern is that I observe that in some industrial control applications, PSK mechanisms (that actually require high-entropy keys) are (mis)-used in conjunction with TLS, where the PSK is actually of insufficient entropy (maybe derived only from a 4 digit PIN).
>
> In order to fix this issue, I'd really appreciate having a PSK-style TLS operation using a balanced PAKE (note that this could be implemented with virtually no computational overhead in comparison to conventional ECDH session key generation).
>
> Yours,
>
> Björn.
>
>
> Best Regards
>
> Dr. Björn Haase
>
> Senior Expert Electronics | TGREH Electronics Hardware
> Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany
> Phone: +49 7156 209 377 | Fax: +49 7156 209 221
> bjoern.haase@endress.com | www.conducta.endress.com
>
> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> On Behalf Of Mohit Sethi M
> Sent: Tuesday, 21 January 2020 10:45
> To: Colm MacCárthaigh <colm@allcosts.net>; Sean Turner <sean@sn3rd.com>
> Cc: TLS List <tls@ietf.org>
> Subject: Re: [TLS] External PSK design team
>
> I am certainly interested and willing to contribute. We need some
> consensus on whether PSKs can be shared with more than 2 parties,
> whether the parties can switch roles, etc.
>
> EMU is going to work on EAP-TLS-PSK and the question of
> privacy/identities will pop up there too.
>
> --Mohit
>
> On 1/21/20 7:33 AM, Colm MacCárthaigh wrote:
>> Interested, as it happens - this is something I've been working on at Amazon.
>>
>> On Mon, Jan 20, 2020 at 8:01 PM Sean Turner <sean@sn3rd.com> wrote:
>>> At IETF 106, we discussed forming a design team to focus on external PSK management and usage for TLS. The goal of this team would be to produce a document that discusses considerations for using external PSKs, privacy concerns (and possible mitigations) for stable identities, and more developed mitigations for deployment problems such as Selfie. If you have an interest in participating on this design team, please reply to this message and state so by 2359 UTC 31 January 2020.
>>>
>>> Cheers,
>>>
>>> Joe and Sean
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>