Re: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 18 March 2024 19:50 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64FA3C1D5C5B for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 12:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NVZG5qSS3_ti for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 12:50:18 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF945C180B56 for <tls@ietf.org>; Mon, 18 Mar 2024 12:50:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id D5B1820D3F for <tls@ietf.org>; Mon, 18 Mar 2024 21:50:14 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id lr_mM8DHlT16 for <tls@ietf.org>; Mon, 18 Mar 2024 21:50:14 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 974F42316 for <tls@ietf.org>; Mon, 18 Mar 2024 21:50:13 +0200 (EET)
Date: Mon, 18 Mar 2024 21:50:13 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: TLS List <tls@ietf.org>
Message-ID: <Zfia9e2dp9Ve5IKo@LK-Perkele-VII2.locald>
References: <309fed03-fd3b-4ebc-ac92-054c2d195aff@dennis-jackson.uk> <GVXPR07MB9678312222CA59A62DE1BBE5892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <GVXPR07MB9678312222CA59A62DE1BBE5892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oZ1-FEy_TDuTDyKYZI87LMJVDX0>
Subject: Re: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 19:50:20 -0000
On Mon, Mar 18, 2024 at 06:46:51PM +0000, John Mattsson wrote: > Hi, > > I thought the old version was a quite good starting point. This new > version seems significantly worse. I think it has three major > problems: > > 1. It uses the application layer and therefore requires changes in the > application layer. For many uses of TLS, it is not acceptable to > change the application layer. I expect that in many applications, it is not even possible to change the application layer. > 3. I don't see the need for HPKE. All discussions, specifications, > and deployments of PQC KEMs in TLS 1.3 and DTLS 1.3 uses the ordinary > "KeyShareEntry". Replacing the existing key exchange mechanism in TLS > with the public key encryption mechanism HPKE. This seems to add a > lot of code to an TLS implementation already doing quantum-resistant > key exchange in the initial handshake. Yes, using existing TLS mechanisms is much easier for implementations. > I think a solution to do post-handshake ephemeral-ephemeral key > exchange as well as mutual post-handshake authentication on the > TLS/DTLS/QUIC layer would be very welcome. I think ephemeral- > ephemeral key exchange as well as not using the application layer > should be requirements. Note that TLS-level post-handshake authentication has very nontrivial implications on application protocols. E.g., HTTP/2 explicitly bans TLS post-handshake authentication for very good reasons. For supporting application-layer authentication, there already are TLS exporter and exported authenticators. For EE key exchange, TLS is the relatively easy case. Everything in TLS is in-order and lossless. The only possible race condition is the crossed update, and it is easy to make both sides agree that happened. DTLS is much more difficult due to all the race conditions caused by reordering and packet loss. Which is something TLS does not have to deal with, and is especially problematic with the crossed update case. And while QUIC is based on TLS, it replaces some of the key parts this mechanism touches. Which means it has to have its own version. And looks like it has to deal with similar problems (reordering and packet loss) as DTLS does. > I think frequent rekeying with ephemeral-ephemeral key exchange is a > must for long-lived interfaces. This has for a long time been an > established requirement. Typical requirements are 1 hour of 100 GB in > IPsec and 1 hour or 1 GB in SSH. Note that there is no problem with > TLS 1.3 when you can frequently setup new connection with psk_dhe_ke. > Discussing with Eric Rescorla and Martin Thomson in the past, they > suggested that this was the way forward. It would be interesting to > hear if there are more use cases than RFC 6083 where frequently > setting up a new connection with psk_dhe_ke is problematic. I expect > there is. Any application that associates resources with connection poses major problems with setting up new connections. While I don't think anybody uses it with TLS, up until recently BGP (extremely important, to put it mildly) was infamous of recting very badly to connection loss. -Ilari
- [TLS] Feedback on draft-tschofenig-tls-extended-k… Dennis Jackson
- Re: [TLS] Feedback on draft-tschofenig-tls-extend… John Mattsson
- Re: [TLS] Feedback on draft-tschofenig-tls-extend… Ilari Liusvaara