[TLS] AuthKEM: Splitting the draft and next steps
Thom Wiggers <thom@thomwiggers.nl> Tue, 04 July 2023 06:00 UTC
Return-Path: <thom@thomwiggers.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DAB8C14CE31 for <tls@ietfa.amsl.com>; Mon, 3 Jul 2023 23:00:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yX0g3dR_UB4k for <tls@ietfa.amsl.com>; Mon, 3 Jul 2023 23:00:03 -0700 (PDT)
Received: from mail-ot1-x336.google.com (mail-ot1-x336.google.com [IPv6:2607:f8b0:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AF51C14CE30 for <tls@ietf.org>; Mon, 3 Jul 2023 23:00:03 -0700 (PDT)
Received: by mail-ot1-x336.google.com with SMTP id 46e09a7af769-6b73c2b6dcfso3058738a34.2 for <tls@ietf.org>; Mon, 03 Jul 2023 23:00:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; t=1688450402; x=1691042402; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=V7BD/zdQvjDFQ62jIjqxYz1p4bytZKRZnEBfQBh4qE8=; b=ZuGp0PaVme6+nYpnkHWzm7HICbdw/RnC2KPjyL1bZUn2NT4Olwmf5LVtF6bn/OOpl2 XhfH3nDHkeUOiAHr4T5R9FMU6CYRs01uiOOJA0jIRyRCet3AokK2ALRW/3fjlKewlY/T jXKIHcKJrB4m5cIHSMCWRR04Hh4+7PRqSvPhI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688450402; x=1691042402; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=V7BD/zdQvjDFQ62jIjqxYz1p4bytZKRZnEBfQBh4qE8=; b=d1EnKUDxiiCGm6QQoJ6IRCAGGkQBdsuYhqOQCmY6BdFk1rW0RpKN0JgTo2Mf6mNjzb NMPMIOOiLJ//Eb7IYF5dcgpO6U216ypW0lAYZq8uMJ+Bt6eik2eAGP/Vc/ViGoSZaeO6 iryXodhFO7+uzsZD8YEvID7yW0VyjAu5s/7os8FvD8RAuNxUVZTUp4iiEOY55VbphOxj BnVKU2uwBHxPQSw8/HCs0DRwUOjQqIIt1V5gmeg1ooEWxk8NvyozdRmPVlg6Uc9yzGmO hQVI3nIClWhUfZfTKFn5FYyJyywFEPzHOO3xAiXuH9n6CE4OAcnGozlp1hOmQA/XzzDr kjTg==
X-Gm-Message-State: AC+VfDxQ/LL6QoymGTDNq0UTdedihaZATaUkkP0z7+FOqQi08U+K1/eF Xq9I5Racy3mW1jIzK3LhdOy3h1Jlf7/rBO7u0vbvn+m8fHZKQfv3sx7B8Q==
X-Google-Smtp-Source: ACHHUZ55Kik/OIZ+1RM+wZrlXTgCm35AfXItYZCzm3q7aoGAjIOKw/343FZ14tiwkHqeW5AeqM1e5fDZ/y4pPJmrzws=
X-Received: by 2002:a05:6808:f94:b0:3a1:ecb9:bb76 with SMTP id o20-20020a0568080f9400b003a1ecb9bb76mr10620970oiw.30.1688450402247; Mon, 03 Jul 2023 23:00:02 -0700 (PDT)
MIME-Version: 1.0
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Tue, 04 Jul 2023 08:00:00 +0200
Message-ID: <CABzBS7=5RV+5rnK=OR6m-Rsw6F5X6X-MwzvNK=qt1WAeMwpkNw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000727e2c05ffa2fea4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r3pQipthdQdmpceas1kyZSoqMJ0>
Subject: [TLS] AuthKEM: Splitting the draft and next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2023 06:00:08 -0000
Hi all,
It has been a while since I have had time to work on the IETF draft for
AuthKEM (``draft-celi-wiggers-tls-authkem``, aka "KEMTLS"), and some of you
have previously asked when the draft (which is currently expired) will be
updated. In this email, I want to pick up the work again.
Specifically, I want to do the following:
* Split the proposal in two parts for improved legibility and applicability
to use cases
* Once this is done and in a good shape, move forward towards consensus
with the aim of adoption
I will now describe the plan in more detail. I am welcoming further
suggestions, and would like to hear if these changes make sense and are
appreciated. If nothing else, you're welcome to help bikeshed draft names.
:-)
The draft currently describes TLS authentication via KEM ("KEMTLS
authentication") and TLS-PSK-style abbreviated handshakes via KEM
(KEMTLS-PDK). The TLS authentication and the abbreviated KEM-based
PSK-style handshake probably are independently interesting. The two
proposals can be split and this would hopefully make evaluating them
easier. AuthKEM and "pre-shared KEM" can be independently implemented.
"Plain AuthKEM" is useful for mitigating the cost of post-quantum signature
schemes in "regular" TLS handshakes. Use of plain AuthKEM can be especially
attractive to devices that want to use mutually authenticated TLS, but
would like to re-use the (e.g. protected) implementation of the KEM
algorithm for ephemeral key exchange. Compared to Dilithium2, use of Kyber
also offers significant space savings.
"KEM-PSK" is interesting for embedded or IoT applications that currently
are using symmetric-key PSK with ephemeral key exchange. Using KEM-PSK
avoids symmetric-key key management issues, such as protected storage and
key distribution, while allowing PSK-style abbreviated TLS handshakes.
Meanwhile, no additional code is needed over the ephemeral key exchange
algorithms. (In the future, we could even investigate additional mechanisms
to distribute the server’s public key, such as putting it in HTTPS records
alongside ECH, to allow more clients to use the abbreviated handshake.)
I hope to get these changes done over the coming weeks, but I doubt it'll
be ready for IETF 117. But, as stated above, I do not want to drag this
forward in the unadopted state forever—it's been long enough already. So
once refactoring has happened, discussion has settled and consensus has
been reached, I intend to ask the chairs for a call for adoption.
Cheers, and thanks for your comments,
Also on behalf of my co-authors,
Thom
PQShield
PS: we moved the Git repository to
https://github.com/kemtls/draft-celi-wiggers-tls-authkem
- [TLS] AuthKEM: Splitting the draft and next steps Thom Wiggers
- Re: [TLS] [EXT] AuthKEM: Splitting the draft and … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] AuthKEM: Splitting the draft and next s… Ilari Liusvaara
- Re: [TLS] AuthKEM: Splitting the draft and next s… Thom Wiggers
- Re: [TLS] AuthKEM: Splitting the draft and next s… Ilari Liusvaara
- Re: [TLS] AuthKEM: Splitting the draft and next s… Thom Wiggers
- Re: [TLS] AuthKEM: Splitting the draft and next s… Ilari Liusvaara