Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

On 05/10/17 09:54, Arnaud Taddei wrote:
> Being new to this community, can I actually ask for the analysis of
> the ‘hundred’s of applications’ which lead to the evolution of TLS
> 1.3 the way it is today? Was it captured somewhere or shall I
> reconstruct this history from all the discussions in the mailing
> lists?

It's more the latter. But, and it's a big but, tls1.3
is almost entirely (0rtt aside) aiming to provide the
same services as earlier versions, just to do it better,
so the need for that kind of broad survey of uses of
tls is far less. WRT 0rtt, people did, and are doing,
a bunch of work to figure out when it's (un)safe to
use that.

When it comes to breaking tls (as in this proposal),
since that'd change the security model (from an
essentially two party security protocol to an N-party
model), a lot more work would need to be done, and
has never been done, by any of the people proposing
to break tls, at least afaik.

S.


> 
> Thank you in advance
> 
>> Le 3 oct. 2017 à 00:48, Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> a écrit :
>> 
>> 
>> Russ,
>> 
>> On 02/10/17 22:43, Russ Housley wrote:
>>>> For starters, though, I'd be interested answers from the
>>>> authors to two quick questions, though I suspect I can guess
>>>> 'em:
>>>> 
>>>> 1. TLS1.3 has had significant formal analysis. Did the authors
>>>> or other proponents here do any such work and if so can you
>>>> send a pointer to your results? If not, then I believe the onus
>>>> is on the folks who want to break TLS to do that work
>>>> themselves if they want to make a serious proposal and it is
>>>> not ok IMO to try put that work onto the community who have
>>>> been working hard for years to make TLS stronger.
>>> 
>>> I would be willing to work with the people that did the formal 
>>> analysis to show the impact of including the extension, and
>>> making changes to the extension that are indicated by that
>>> analysis.
>>> 
>> 
>> IMO, that's not a good answer. When improving the security 
>> properties of the protocol it may suffice. When weakening the
>> protocol, I strongly believe the onus is on you to have done that
>> work ahead of time, so that the damage you are proposing the
>> Internet suffers is clear and known and not discovered years
>> later.
>> 
>>>> 2. Which of the hundreds of applications making use of TLS did
>>>> you analyse before proposing this? If only a handful, then same
>>>> comment wrt where the onus ought lie.
>>> 
>>> Just like TLS 1.3 has been implemented and tested with many 
>>> applications during its development, I would expect the same to 
>>> happen in those environments where there is interest in making
>>> use of this extension.
>> 
>> The TLS WG has spent an awful lot of effort on (I think) every
>> single semantic difference between TLS1.2 and TLS1.3. (Ortt for
>> example.) You are now asking that everyone else do work to figure
>> out how your proposal damages their uses of TLS so that this
>> supposed use case is dealt with. I think you and other proponents
>> of breaking TLS need to spend that effort yourselves. (This is
>> because as you know there is no way to limit the damage of your
>> proposal to only the use-cases that are the claimed targets for
>> this bad idea.)
>> 
>> So yes, those answers are as I expected and are just as 
>> unsurprisingly, utterly unsatisfactory.
>> 
>> S.
>> 
>>> 
>>> Russ
>>> 
>>> 
>> 
>> _______________________________________________ TLS mailing list 
>> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> 
>