Re: [TLS] tls-unique

Simon Josefsson <> Thu, 08 October 2015 10:16 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 916641ACE2D for <>; Thu, 8 Oct 2015 03:16:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nzq7IFeZY4pC for <>; Thu, 8 Oct 2015 03:16:45 -0700 (PDT)
Received: from ( [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D98CC1ACE96 for <>; Thu, 8 Oct 2015 03:16:40 -0700 (PDT)
Received: from ([]) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4) with ESMTP id t98AGOQ0031822 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 8 Oct 2015 12:16:25 +0200
From: Simon Josefsson <>
To: Eric Rescorla <>
References: <> <> <>
OpenPGP: id=54265E8C; url=
Date: Thu, 08 Oct 2015 12:16:23 +0200
In-Reply-To: <> (Eric Rescorla's message of "Thu, 8 Oct 2015 12:04:51 +0200")
Message-ID: <>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at
X-Virus-Status: Clean
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] tls-unique
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Oct 2015 10:16:46 -0000

Eric Rescorla <> writes:

> On Thu, Oct 8, 2015 at 11:29 AM, Simon Josefsson <>
> wrote:
>> The notes from the interim meeting mentions 'tls-unique' and points to
>> issue #228 on github.  I want to get your attention on the draft below.
>> Doesn't it do what you are looking for?  There is a little in the way of
>> a problem statement in the TLS interim meeting notes, so it is hard to
>> tell what the perceived problem with 'tls-unique' is in this context.
>> Does my draft need to be updated for TLS 1.3 in any way?  It might serve
>> as a starting point for future work.
> Well, TLS 1.3 doesn't have a PRF, but instead explicitly uses HKDF.
> With that said, I don't really understand the structure of your draft:
> Instead of referencing the PRF and session_hash directly, why not instead
> use RFC 5705 exporters and require the use of the session_hash
> extension?

The introduction says:

   There exists a TLS extension [I-D.ietf-tls-session-hash] that modify
   TLS so that the definition of 'tls-unique' [RFC5929] has the intended
   properties.  If widely implemented and deployed, the channel binding
   type in this document would not offer any additional protection.  The
   purpose of this document is to provide an alternative channel binding
   that offers the intended properties without requiring TLS protocol
   changes.  However, keep in mind that TLS implementations needs to
   offer the appropriate APIs necessary to be able to implement the
   channel binding described in this document.

I agree that one alternative is to require session_hash for all
connections.  But then what is the problem with use of 'tls-unique'?
The github issue and the interim notes aren't clear on that.

> Then TLS 1.3 can just define exporters for 1.3 and we'll be done.

Right.  My draft intends to use TLS exporters but I see that it isn't
aligned with RFC 5705.