Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Hubert Kario <> Fri, 13 October 2017 11:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 57E0313239C for <>; Fri, 13 Oct 2017 04:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XZYDrj9x8CY1 for <>; Fri, 13 Oct 2017 04:05:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 291D3132026 for <>; Fri, 13 Oct 2017 04:05:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 527BD80468; Fri, 13 Oct 2017 11:05:36 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 527BD80468
Authentication-Results:; dmarc=none (p=none dis=none)
Authentication-Results:; spf=fail
Received: from (unknown []) by (Postfix) with ESMTPS id 1AC2360A99; Fri, 13 Oct 2017 11:05:35 +0000 (UTC)
From: Hubert Kario <>
To: Stephen Farrell <>
Date: Fri, 13 Oct 2017 13:05:34 +0200
Message-ID: <>
In-Reply-To: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2761183.O94gRuIYnI"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 ( []); Fri, 13 Oct 2017 11:05:36 +0000 (UTC)
Archived-At: <>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Oct 2017 11:05:38 -0000

On Thursday, 12 October 2017 15:16:08 CEST Stephen Farrell wrote:
> (With the obvious caveat that I hate the whole
> idea... :-)

to be clear: me too
> On 12/10/17 13:57, Hubert Kario wrote:
> >> Anyway, I think key life length could be addressed in later drafts, but
> >> the
> >> inability of the client to identify (and possibly reject) the tapping
> >> third
> >> party is a "no go" for me...
> > 
> > yes, a three-way DH with two certificates (one IPS one EE server) does
> > seem
> > like a much better approach, especially if IPS certs need to have special
> > flags that make them useless for anything else and cannot be set by CAs in
> > public CA programs.
> But... even if one did add names/certs for the wiretapper
> or IPS or whatever then there could be more than one of
> those who'd like to be able to interfere with the TLS
> session, and there's no way I can see that makes sense for
> the client and server to negotiate which wiretappers they
> allow/like.

my point is, that I may be forced to disclose contents of all my 
communications to a specific entity, so I effectively have to trust it 
(willingly or not), but that doesn't mean that I have to allow for wiretapping 
for arbitrary parties

> This is all just squaring-the-circle, TLS is meant to be
> a 2-party protocol (ignoring CAs) and I don't see any way
> to make TLS a multi-party protocol that works.

1. Alice sends a share to Bob: g^a
2. Bob sends Alice's and his share to Carol: g^a, g^b, g^ab
3. Carol replies to Bob with her share added to Alice's and his: g^ac, g^bc
4. Bob sends the Carol's reply to Alice as a Server Key Share: g^bc
5. Alice calculates the shared secret g^bca
6. Bob calculates the shared secret: g^acb
7. Carol calculates the shared secret: g^abc

so it doesn't look to me like it requires a lot of chamfer to fit that square 
peg in the round hole, only the 2 and 3 need to happen out-of band.

of course, I haven't analysed how Carol would be authenticated in that 
communication (if signing just the SKS by Carol is enough, transferred in the 
encrypted extensions, with server signature of the handshake in certificate 
verify being sufficient for integrity)
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic