[TLS] draft-ietf-tls-tls13-21 posted

Eric Rescorla <ekr@rtfm.com> Tue, 04 July 2017 00:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4146F1317EE for <tls@ietfa.amsl.com>; Mon, 3 Jul 2017 17:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZQ3iB2qftZFC for <tls@ietfa.amsl.com>; Mon, 3 Jul 2017 17:11:19 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 589691317EF for <tls@ietf.org>; Mon, 3 Jul 2017 17:02:37 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id a12so28205595ywh.3 for <tls@ietf.org>; Mon, 03 Jul 2017 17:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=yecH2VH1+4vjHkasTLU4cYhNDvp/V4nmH3mhFoMEDZo=; b=Jr0ePi3gwOxC+ipGNys3ySNSVD3dUQ5I2AdCUmvqAFgmp/tsVM5/d5qegzJgJR0F+l AkqIuyj9Mgp0dNmB87fb0N1Iw17mueidfi2wS8cQLdpRqX4/ApK+CXsGkvOXMjeDYuGO Qqj7s0CgJb/i01DbCO97Yb8DsuG6nENne/vm8w3yp3fARyryQjdqBG1f6RIWfryXt+JR sAOl0QER6SpnXTQMbuL1wE9M75br9uCH5XKCfEEHEzmjUngcOzpwExL4T/LO3j3F2zGS olSbeETfe6d2yxVb/xRgv5r7rLLE6eKFLD3o0vuXav0IlzK7btH+MgYTncKoWdb6gu2D OQ6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=yecH2VH1+4vjHkasTLU4cYhNDvp/V4nmH3mhFoMEDZo=; b=W23qVpjlvcDZw9ykmnNlVPw714R7Wi0SuyQ0FJqlpdcDW+XjTWMOz7FxOYsPpiVdxJ pi+RhQY4nuIyHOeeaSftg2+9YmqW3R+8F5+vqLTZMBWC5nvIpSlWU7spVNXSbHG4fi2s C9Yn3Uss8r7mwQyJhKBRIfnKCxiT1oen3uZYWDOa+hqAHknRbxUjQ068H4WjgEoWP/Sw L4qPy2vGdj5C6iWC1+XtNBdfW9V9SaR/dmZt9utG+urvhvAwZ9G0rj3eL7wsyImGjYk3 2kJEprV72zAqYewsbUwmS+iVNsZcSs4obGzKP4CuqsvLcZVpldBQWyESMxmJcpHcR9Lz w6Vw==
X-Gm-Message-State: AKS2vOzGsurrOPx/Xqs4t5Vbo/pzhO7G+WSxdOEFD3m6HDzXUttyD29D RKFleviPAfxOUvot0gpI5eAOhOG1M/3XE5yMQQ==
X-Received: by 10.129.50.140 with SMTP id y134mr28460448ywy.312.1499126556376; Mon, 03 Jul 2017 17:02:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Mon, 3 Jul 2017 17:01:55 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 03 Jul 2017 17:01:55 -0700
Message-ID: <CABcZeBN7vJXZJadNzPR5RbWwZpgM+NgjW7FvuJW+Q5cNUu6_FQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140932addda6e05537299bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tbSZ4arVpUpDm1eWV85V_-MauGw>
Subject: [TLS] draft-ietf-tls-tls13-21 posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2017 00:11:20 -0000

Hi folks,

I just published draft-21, which incorporates the discussions we've
been having about 0-RTT replay. This led to two changes:

- Modifying the key derivation for PSKs so that each session ticket
  is associated with a distinct PSK.

- Adding a very extensive description of 0-RTT anti-replay and
  a SHOULD-level recommendation that servers use some
  anti-replay mechanism that doesn't allow replay within a given
  zone.

In addition, I have followed Richard Barnes's lead and added
key transition events to the state machine. This also clarified
that clients should send in-handshake alerts encrypted if they
can.

I wanted to call the WG's attention to one issue:

Currently the extension table says that server_certificate_type goes
in the Certificate message, whereas client_certificate_type does
not. My reasoning for the latter is that the extensions are attached
to individual certificate elements, so it was non-sensical to have a
situation where you might have cert A be X.509 and cert B be PGP.  I
think we should just change server_certificate_type to go in EE, and
then maybe in future if people want something cleverer they can add it
then. I didn't want to do this without WG discussion, but I think we
should and if people don't object I'll do it in a -22.

This version also addresses Kathleen's AD Review.

Other comments welcome.
-Ekr


[0] Note that this is a bit tricky when you are also streaming
Early Data.
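The two draft-21 changes described in this message, as an added example that is not part of the original post, of the draft, or of any TLS implementation: the per-ticket PSK derivation (HKDF-Expand-Label over the resumption master secret with a per-ticket nonce, the construction draft-21 introduced and RFC 8446 kept) and a ClientHello-recording anti-replay store that refuses a replayed 0-RTT ClientHello within one zone for as long as the ticket-age freshness window lasts. The HKDF is plain RFC 5869 HMAC-SHA256 from the standard library; ServerTicketStore, the ticket ids, the binder values used to identify ClientHellos, the resumption_master_secret and the clock are constructed for illustration.

```python
"""Per-ticket PSK derivation and one-zone 0-RTT anti-replay (illustrative, not draft or library code)."""
import hashlib
import hmac
import os
import struct
import time

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length):
    """TLS 1.3 HKDF-Expand-Label: HkdfLabel = length(2) || len-prefixed "tls13 "+label || len-prefixed context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_ticket_psk(resumption_master_secret, ticket_nonce):
    """PSK = HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length).
    A distinct ticket_nonce per NewSessionTicket gives each ticket its own PSK."""
    return hkdf_expand_label(resumption_master_secret, b"resumption", ticket_nonce, HASH_LEN)


class ServerTicketStore:
    """One anti-replay zone (constructed for this example): the server remembers the
    tickets it issued and the ClientHellos already accepted for 0-RTT inside a
    freshness window, so a replayed ClientHello is refused early data."""

    def __init__(self, window_seconds, clock=time.time):
        self.window = window_seconds
        self.clock = clock
        self.issued = {}  # ticket_id -> (psk, ticket_age_add, issue_time)
        self.seen = {}    # binder (unique per ClientHello) -> time the record may be dropped

    def issue(self, resumption_master_secret, ticket_nonce):
        """NewSessionTicket: opaque ticket id, random ticket_age_add, per-nonce PSK."""
        psk = derive_ticket_psk(resumption_master_secret, ticket_nonce)
        ticket_id = os.urandom(16)
        ticket_age_add = int.from_bytes(os.urandom(4), "big")
        self.issued[ticket_id] = (psk, ticket_age_add, self.clock())
        return ticket_id, ticket_age_add

    def accept_early_data(self, ticket_id, obfuscated_ticket_age, binder):
        """True only if the ticket is known, the claimed ticket age lands inside the
        window, and this ClientHello (identified by its binder) was not seen before."""
        entry = self.issued.get(ticket_id)
        if entry is None:
            return False
        _psk, ticket_age_add, issue_time = entry
        now = self.clock()
        # Freshness: the client sends ticket_age_ms + ticket_age_add mod 2^32.
        claimed_age = ((obfuscated_ticket_age - ticket_age_add) % 2 ** 32) / 1000.0
        if abs(now - (issue_time + claimed_age)) > self.window:
            return False
        # Records older than the window can go: a replay that old fails freshness anyway.
        self.seen = {b: drop_at for b, drop_at in self.seen.items() if drop_at > now}
        if binder in self.seen:
            return False  # replay inside this zone
        self.seen[binder] = now + self.window
        return True


def demo():
    """Constructed walk-through: two tickets from one connection, then a replayed 0-RTT ClientHello."""
    rms = bytes(range(HASH_LEN))        # constructed resumption_master_secret
    clock = [1000.0]                    # fake clock, seconds
    store = ServerTicketStore(window_seconds=10.0, clock=lambda: clock[0])
    ticket_a, add_a = store.issue(rms, struct.pack("!H", 0))
    ticket_b, _ = store.issue(rms, struct.pack("!H", 1))
    distinct = store.issued[ticket_a][0] != store.issued[ticket_b][0]
    clock[0] += 2.0                     # client resumes 2 s later and reports age 2000 ms
    age = (2000 + add_a) % 2 ** 32
    first = store.accept_early_data(ticket_a, age, b"binder-of-clienthello-1")
    replay = store.accept_early_data(ticket_a, age, b"binder-of-clienthello-1")
    return {"distinct_psks": distinct, "first_accepted": first, "replay_accepted": replay}


if __name__ == "__main__":
    print(demo())
```

The recorder only has to remember ClientHellos for one window because a replay presented later than that fails the ticket-age check on its own; that is what keeps a single zone's state bounded, and it is also why the guarantee holds only within the zone that holds the record.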