Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
David Benjamin <davidben@chromium.org> Mon, 24 February 2020 22:23 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 243953A147F for <tls@ietfa.amsl.com>; Mon, 24 Feb 2020 14:23:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UI-TC1u9hJrW for <tls@ietfa.amsl.com>; Mon, 24 Feb 2020 14:23:44 -0800 (PST)
Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AC5D3A147A for <tls@ietf.org>; Mon, 24 Feb 2020 14:23:44 -0800 (PST)
Received: by mail-pj1-x1030.google.com with SMTP id 12so365000pjb.5 for <tls@ietf.org>; Mon, 24 Feb 2020 14:23:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DGRUl0eZ65s3McJjl1jLJV0m7ODzFpqtg8Y9StjIBDM=; b=em5mvNTwc0o8iFL1TjU0lbEot+IeMzR6i74aTgjGb5Dc/al9N0MiGgViTG+7qCGcfc em4ZbnXfw5B9THgDKxysXNe6kQaGmfB4y+RvrJbErRcNRDFBUKgDUAg268UsvmiiScHy Wyd3J3t/JHsr3cqK9W57W+Vb+kbCFe+ciyOD4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DGRUl0eZ65s3McJjl1jLJV0m7ODzFpqtg8Y9StjIBDM=; b=S3RgFksH4BwlDs27UgPKsGblnPt5EKsrlE2yrktTaadDFr0Y1928mkeA9nyIlITTLQ p6RHAU8Ezns9EJD6ooBFFcVDnHYhmApmQq5Zn6/I28JuTN2ds+AIxJMNT/uw8ZhZkgWR M8rbYCQHl+izQOUZh1U5LuQUdTnsDap4aUSzqC8pgx0Kyxz16Iww/a74TyatUksKVziE i7SDOqszMYdw9FTa1l99kpzJdOeTKFjSOZIEmVt9qxfljhfk9McNIJ3duZgJvcAeavjO IzMMJzRMd97GercPBVA2VWP6qtXLcSZtVoJVC0VYHzY2R6xCCPx4xiqUMRWvaE8F+v/m VMkw==
X-Gm-Message-State: APjAAAVFSE5ySOExOdzdt2EwJyH0QnIbWrIxy2zDw20E7vdh9hPx8Sgg oAYfxEUqwCymoeb29APK1d3QV8Z2hqjwNbPYsn2y
X-Google-Smtp-Source: APXvYqzIFeiM1uQba5eVb2ZHGYYUAXSqsAyB5zBBLOW8GKnmWgoOh1IP/nra2HdIYR+P415mtAqthONKD+Hnn1Z/dJ8=
X-Received: by 2002:a17:90a:f013:: with SMTP id bt19mr1417448pjb.47.1582583022611; Mon, 24 Feb 2020 14:23:42 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoBnSsDDaWWRHjkdjVRWw_DtxFYSQS7G-NyeSUfTzmYbAw@mail.gmail.com> <CAChr6SyA05VTB1n5Dcc2WNP6rrpsvDGXuPQxDxM9-=3JiYYPLQ@mail.gmail.com> <CABcZeBOPaGZ1ZKWpXkhC05v3HcbSLNuXYD_Lzw0S6iaBQY0a9A@mail.gmail.com> <CAChr6Sz7EqMbHNzcvbwdXkWB1JbQQig3RXCrzG6zascJL__t2Q@mail.gmail.com> <8887946c-8509-483c-9c62-de5393fb9eaf@www.fastmail.com> <CACykbs3LjPXPyvXGthCxYPK_Kv_+3TCV8VmkYab6gkfOfNmYuA@mail.gmail.com>
In-Reply-To: <CACykbs3LjPXPyvXGthCxYPK_Kv_+3TCV8VmkYab6gkfOfNmYuA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 24 Feb 2020 17:23:26 -0500
Message-ID: <CAF8qwaCPbQfXWvTm7VgS7G6XAfzEY_=rTfD2CzRWsSod+MpC2Q@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e4557f059f59d25f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l_aM7g7cXi176XWV74s_rRX69ZA>
Subject: Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 22:23:46 -0000
On Mon, Feb 24, 2020 at 4:33 PM Jonathan Hoyland <jonathan.hoyland@gmail.com> wrote: > Just looking at this again, it might be better to make a slightly > different tweak to the key schedule. > Instead of: > > 0 > | > v > PSK -> HKDF-Extract = Early Secret > | > +-----> Derive-Secret(., "ext binder" > | | "res binder" > | | "imp binder", "") > | = binder_key > > v > > > > We should do: > > 0 > | > v > PSK -> HKDF-Extract = Early Secret > | > +-----> Derive-Secret(., "ext binder" > | | "res binder" > | | "imp e binder" > > | | "imp r binder", "") > | = binder_key > > v > > > or at least: > > 0 > | > v > PSK -> HKDF-Extract = Early Secret > | > +-----> Derive-Secret(., "ext binder" > | | "res binder" > | | "imp e binder", "") > | = binder_key > > v > > > > > Just so that we can distinguish between external imported binders and > resumed imported binders, should we at some point decide to do both. > I may just be confused, but what would a resumed imported binder mean? I see this mechanism as largely a bugfix for TLS 1.3 external PSKs, rather than a new kind of adjective describing PSKs. ("imp binder" also doesn't preclude "imp r binder" later if we later define something which needs it, but I'm confused what the concept even would be.) David > On Mon, 24 Feb 2020 at 20:50, Christopher Wood <caw@heapingbits.net> > wrote: > >> On Fri, Feb 21, 2020, at 1:15 PM, Rob Sayre wrote: >> > >> > >> > On Fri, Feb 21, 2020 at 8:35 AM Eric Rescorla <ekr@rtfm.com> wrote: >> > > >> > > >> > > On Thu, Feb 20, 2020 at 7:08 PM Rob Sayre <sayrer@gmail.com> wrote: >> > >> Hi, >> > >> >> > >> I'm not sure how violations of these requirements would result in >> poor interoperability: >> > >> >> > >> Clients which import external keys TLS MUST NOT use these keys for >> > >> any other purpose. Moreover, each external PSK MUST be associated >> > >> with at most one hash function. >> > >> >> > >> These seem like aspirational security goals. It would be better to >> describe the consequences of violating these conditions. >> > > >> > > I don't agree. They are requirements in order to be able to make the >> assertions we want to make about the security of the protocol. >> > > >> > > This is consistent with the following text of RFC 2119 S 6 >> > > ".. or to limit behavior which has potential for causing harm (e.g., >> limiting retransmisssions) " >> > > >> > > I don't think it would be unreasonable.to explain the reason for >> these, though this is already a requirement of 8446 S 4.2.11 (though >> without justification). >> > >> > I think that interpretation of 2119 is a stretch, but your idea to add >> > an explanation while keeping the 2119 terms addresses my concern. At >> > the very least, the draft should note this is already a requirement of >> > 8446. >> >> That seems perfectly reasonable! We can point to the security >> considerations to clarify the "single hash function" requirement, and we >> can note cross protocol attack deterrence for the other claim. Would that >> suffice? If not, can you please recommend text? >> >> Thanks, >> Chris >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] WGLC for draft-ietf-tls-external-psk-import… Joseph Salowey
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Joseph Salowey
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood