Re: [TLS] Minutes for TLS IETF 102 uploaded

Russ Housley <housley@vigilsec.com> Fri, 10 August 2018 21:42 UTC

From: Russ Housley <housley@vigilsec.com>
Message-Id: <502D8CE4-B955-4DE6-B908-B80D499B611F@vigilsec.com>
Date: Fri, 10 Aug 2018 17:42:01 -0400
In-Reply-To: <B5768C2D-5C9D-4347-A32E-F66A69713868@gmail.com>
Cc: IETF TLS <tls@ietf.org>
To: Christopher Wood <christopherwood07@gmail.com>
References: <CAO8oSXnTn0DjBiz6opbavDetJfSa1wDbaSDd3LsZkP36iZi7Zw@mail.gmail.com> <B5C02445-C74B-49EE-961B-40FAC1938DB0@vigilsec.com> <358d7f50-2055-b903-36f9-7518e957b791@gmail.com> <B5768C2D-5C9D-4347-A32E-F66A69713868@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tIrox3AoQyXPAcnqyzdH5dxyvdg>
Subject: Re: [TLS] Minutes for TLS IETF 102 uploaded

I suggest this change to the minutes:

OLD:

Russ: Current 1.3 key schedule uses a sig across (?). DH is the thing that
drives the key schedule. Subsequent handshake based on resumption PSK or that
and an additional DH result. Proposal: add an additional option to the initial
hs to include an external PSK and combine with the DH. Want to do this for
quantum protection, you've mixed in this external OOB-distro'd PSK so that any
attacker has to get the PSK too. (See ladder diagram of where this would fit.)
Syntax: boolean, present or not. If you negotiate, you'll agree to do that.
Presently language in the spec that precludes PSK when certs are used. wouldn't
be used with a resumption, just external. Group of TLS peers would need to get
the PSKs. If the quantum computer comes, have to compromise one of the numbers
of the group to compromise the PSK. Ask: WG adopt as a work item, then review
and comment.

NEW:

Russ: In TLS 1.3, initial handshake authentication is based on certificate and
signature, and DH shared secret drives the key schedule. In a subsequent
handshake, authentication is based on resumption PSK, and the key schedule is
driven by the resumption PSK or the resumption PSK plus an additional DH
shared secret. Proposal: add an additional option to the initial handshake to
include an external PSK that is combined with the DH shared secret. Want to do
this for quantum protection; the external PSK must be distributed out of band.
An attacker with a quantum computer needs to learn the external PSK to crack
the key schedule. (See ladder diagram of where this would fit.) Syntax: a
boolean; the TLS extension is present or not. If the extension is negotiated,
the client and server agree to include the external PSK in the key schedule.
Presently language in TLS 1.3 precludes PSK when certs are used. The external
PSK wouldn't be used for resumption, just initial handshake. Group of TLS
peers would need the same PSK and identifier. If the quantum computer comes
along, the attacker would have to compromise one of the members of the group
to obtain the PSK. Ask: WG adopt as a work item, then review and comment.

Russ


> On Aug 10, 2018, at 11:40 AM, Christopher Wood <christopherwood07@gmail.com> wrote:
> 
> Thanks for pointing out this formatting issue, Russ. I updated the notes in an attempt to improve readability. Please have a look and let me know if you see other (or new) issues.
> 
> Best,
> Chris
> 
> On 9 Aug 2018, at 21:53, Kaarthik Sivakumar wrote:
> 
> Could be line ending issues - I see something like these when switching between different OSes.
> 
> -kaarthik-
> 
> On 10/08/18 03:37, Russ Housley wrote:
>> I do not understand the formatting.  Are the '*' characters supposed to be bullets?  If so, them appearing in the middle of paragraphs is confusing.
>> 
>> Russ
>> 
>> 
>>> On Jul 28, 2018, at 1:32 PM, Christopher Wood <christopherwood07@gmail.com> wrote:
>>> 
>>> Minutes for both TLS sessions at IETF 102 have been uploaded:
>>> https://datatracker.ietf.org/doc/minutes-102-tls/
>>> 
>>> Many thanks to Joe Hall and Gurshabad Grover for taking detailed notes.
>>> 
>>> Please review the minutes and check for inaccuracies. If anything is
>>> incorrect, please let the chairs know ASAP.
>>> 
>>> Thanks,
>>> Chris, Joe, and Sean
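The key-schedule mechanics behind the proposed minutes text, as an added example that is not part of this thread or of any IETF draft: a minimal TLS 1.3 key schedule (RFC 8446 section 7.1, SHA-256, standard library only) that computes the Handshake Secret with and without an external PSK mixed into the Early Secret. The DH shared secret and PSK byte strings are constructed for illustration, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract; an empty salt means HASH_LEN zero bytes (RFC 8446 7.1)
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel encoding from RFC 8446 section 7.1: length, "tls13 " + label, context
    full_label = b"tls13 " + label.encode("ascii")
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    # Derive-Secret(Secret, Label, Messages) uses Transcript-Hash(Messages) as context
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def early_secret(psk: bytes) -> bytes:
    # Early Secret = HKDF-Extract(salt=0, IKM=PSK); with no PSK the IKM is all zeros
    return hkdf_extract(b"", psk or b"\x00" * HASH_LEN)

def handshake_secret(dh_shared: bytes, psk: bytes = b"") -> bytes:
    # Handshake Secret = HKDF-Extract(Derive-Secret(Early Secret, "derived", ""), (EC)DHE)
    return hkdf_extract(derive_secret(early_secret(psk), "derived", b""), dh_shared)

def compare_handshakes() -> dict:
    # Constructed inputs for illustration, not values captured from a real handshake
    dh = hashlib.sha256(b"constructed (EC)DHE shared secret").digest()
    ext_psk = hashlib.sha256(b"constructed out-of-band external PSK").digest()
    return {
        "cert_only": handshake_secret(dh),              # today's initial handshake
        "with_ext_psk": handshake_secret(dh, ext_psk),  # proposal: external PSK mixed in
        # knowing only the DH secret rebuilds the certificate-only schedule, not the PSK one
        "from_dh_only": handshake_secret(dh),
    }
```

With no PSK, the Handshake Secret is a function of the DH shared secret alone, which is exactly what a quantum attack on the DH exchange would recover; with the external PSK mixed in, the same DH secret yields a different schedule unless the attacker also holds the PSK.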