Re: [TLS] Deprecating tls-unique for TLS 1.3

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Wed, 04 November 2015 07:30 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/nxtqlG5eEQ8zNe4YUOdVFjpj6DU>
Cc: "tls@ietf.org" <tls@ietf.org>

Despite the proposed extended master secret fix in RFC7627, I now think that tls-unique needs
to be deprecated for all versions of TLS, and that we should design and recommend
a new channel binding that can be used uniformly by SASL/TokenBinding/FIDO etc.

I have read Simon’s draft and it is a plausible approach https://tools.ietf.org/html/draft-josefsson-sasl-tls-cb-03
The TokenBinding folks have gone with an exporters-based binding, which makes sense too.
Both of them rely on the session hash construction and should be compatible with TLS 1.3.
One question to ask is whether the binding should be per-session (i.e. per master secret) or per-connection.

Best,
Karthik

> 
> On Wed, Nov 4, 2015 at 7:00 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 4 November 2015 at 11:16, Yoav Nir <ynir.ietf@gmail.com> wrote:
> > Can’t we just say that all previous uses of tls-unique will instead get an exporter generated with the label “tls-unique”?
> 
> 
> That was my thought here: redefine what it means to generate tls-unique.
> 
> That's part of why I asked about the size.  We should ensure that
> clients are not made sad if they receive a tls-unique that is longer
> than 96 bits.
> 
> We could backport this to 1.2, but I'm not sure whether this is a new
> feature or whether it's a bug fix.  If it is the former, I'm not that
> enthusiastic about a backport.
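
Added example, not part of the original message or of any draft it cites: a sketch of the exporter-based binding discussed in this thread, computed with the RFC 5705 exporter over the TLS 1.2 SHA-256 PRF. The label "tls-unique" is the one proposed in the quoted text, not a registered exporter label; the secrets and randoms are constructed values, and the master secret is assumed to be an extended master secret (RFC 7627) supplied by the TLS stack.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def export_binding(master_secret: bytes, client_random: bytes,
                   server_random: bytes, label: bytes = b"tls-unique",
                   length: int = 32) -> bytes:
    """RFC 5705 exporter without context: PRF(ms, label, cr + sr)[:length]."""
    return p_sha256(master_secret, label + client_random + server_random, length)


def demo() -> dict:
    # Constructed values standing in for what a TLS stack would supply.
    ms = bytes(range(48))                  # 48-byte master secret
    c1, s1 = b"\x01" * 32, b"\x02" * 32    # randoms of the full handshake
    c2, s2 = b"\x03" * 32, b"\x04" * 32    # randoms of a resumed connection

    full = export_binding(ms, c1, s1)
    resumed = export_binding(ms, c2, s2)   # same session, new connection
    return {
        # 256 bits here, versus the 96-bit Finished value behind tls-unique.
        "length_bits": len(full) * 8,
        # The randoms enter the PRF seed, so the value is per-connection even
        # though resumption reuses the master secret.
        "differs_on_resumption": full != resumed,
        "deterministic": full == export_binding(ms, c1, s1),
        # A shorter request returns a prefix of the longer output.
        "short_is_prefix": export_binding(ms, c1, s1, length=12) == full[:12],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A per-session binding would have to leave the connection randoms out of the derivation, which the RFC 5705 exporter does not allow.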