Re: [TLS] '15 TLS Fall Interim Minutes

Ilari Liusvaara <> Wed, 23 September 2015 10:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6EFA21ACE80 for <>; Wed, 23 Sep 2015 03:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YKlI0yphkl06 for <>; Wed, 23 Sep 2015 03:54:44 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B1C401ACE7F for <>; Wed, 23 Sep 2015 03:54:42 -0700 (PDT)
Received: from LK-Perkele-VII ( []) by (Postfix) with ESMTP id 5DB2F2340BF for <>; Wed, 23 Sep 2015 13:54:40 +0300 (EEST)
Date: Wed, 23 Sep 2015 13:54:40 +0300
From: Ilari Liusvaara <>
Message-ID: <20150923105439.GA24394@LK-Perkele-VII>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: Ilari Liusvaara <>
Archived-At: <>
Subject: Re: [TLS] '15 TLS Fall Interim Minutes
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Sep 2015 10:54:46 -0000

On Tue, Sep 22, 2015 at 04:27:35PM -0700, Sean Turner wrote:
> I’ve gone ahead and posted the minutes/list of decisions to:


> ## Issue 223 - absolute or relative time
> Leave as-is because a) switching to relative time is painful and it's
> not standalone, b) it's not entirely clear what > benefit we get from
> this, and c) we're already using absolute time for other things like
> certificates & OCSP.

One thing to note: The time is 4 octets, and 32 bit time since unix
epoch runs out a good bit faster than what I would like.

> ## Client Authentication
> We agreed that we need to support this in TLS 1.3.
> ### How
> 2. We will modify the data that's signed to conform with what Andrei
> is proposing provided we also terminate the transcript for key
> derivation before the CC/CCV.

Oh yay, Server 0-RTT?

> investigate: using the same construct for server/client sigs.

Huh? Don't both currently use the same construct, except for the
context string? Are you proposing to remove the context string or

> 4. We agreed to not allow unsolicited client auth.

What will browser using HTTP/2 do if it receives client reauth request
when it has stream blocking identity change open?

- Open new connection and ??? to elict certificate request.
- Reset all streams that block identity change and then change identity.
- Reset all streams, change identity and retry request.
- Kill connection (e.g. PROTOCOL_ERROR).

(Just changing the identity is known to be insecure.)
> 5. We agreed to take out the ClientCertificatType from CertificateRequest.

Yeah, that one is not needed for anything.

> 6. We want a consolidated certificate message and certificate verify.

Just be careful that certificate is still signed, as many signature
algorithms fail to even properly bind the key, and nothing binds the

And results of lack of binding for the certificate are not easy
for me to analyze.

> ## Data transfer limitation per connection (issue 125/4)
> After quibbling with the math a bit, we need to specify how good we
> think the current ciphers are numbers.

Parse error. Does this mean something like "how much data current
ciphers can safely encrypt"?

> ## Include randoms directly in digital signatures
> Issue 224
> Consensus at the interim was that this has straightforward to do by
> just having the authentication server supply the ServerRandom was
> enough since it can search through the handshake transcript.

This assumes that authentication server receives full handshake and
not just handshake To-Be-Signed.

> # PRF designation in server certificate verify
> Issue 227
> Consensus was to leave as-is. A hash identifier isn't the way to
> solve this.  What you really need is contributory behavior to solve
> this issue.

Huh? This is about collisions between different hash algorithms. I
don't see how contributory behavior would help there (which is severly
limited by 1RTT maximum there).

Now, the issue is probably entierely theoretical and thus would not
need solving.