Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
Eric Rescorla <ekr@rtfm.com> Fri, 03 February 2017 14:46 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1F2B129DAB for <tls@ietfa.amsl.com>; Fri, 3 Feb 2017 06:46:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7uZlCpYUTMwW for <tls@ietfa.amsl.com>; Fri, 3 Feb 2017 06:46:31 -0800 (PST)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A42BC129DA0 for <tls@ietf.org>; Fri, 3 Feb 2017 06:46:30 -0800 (PST)
Received: by mail-yw0-x22d.google.com with SMTP id v200so13050726ywc.3 for <tls@ietf.org>; Fri, 03 Feb 2017 06:46:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2nJU3CA7XWh57cDQBDYQyUtfP3HV/QQZ0nLlnAz3Vy0=; b=tBacbG2OQGd5OvgjBALzqsRwwPb8QoWx7XshNORQdtRASPcb3J5+Z0riDdT/7u0ZBq i2IVlbaUUnC59qiowMvjo1IsfihshlVTyO4Uqye3LsMmrzBdmE5omi7Z1QgsXT0ZQzvt jHi+jKRyOH91AH0AGv74Kt7TuUfoOFRhzCeyBnd4rinaO+mXcPzYKNyv4krlMIyXVIi4 KPEm5kB6BI3tFk7NyhhkcHF8q+wnkwx57SHL1dcT/CYfcynVykGA28w+Z7Z4c9Xz5KbN xRskRqVw1s4VgC8CgN/jmNrxWYaMySCKyCxQFW6ZkG5r7B9oVC0hKw4YTWGzbzNo3Hdj jLaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2nJU3CA7XWh57cDQBDYQyUtfP3HV/QQZ0nLlnAz3Vy0=; b=SuV0DX1i5syyFGtOANwG4H9O2snPnXO1rkj8l9rzBEGEJ1oYkNECVVLlPMJDSSnhlk t2nMbUMcqbtxfyovxrZkixU5CDEQ4k7AoJfzKCfmb3UBtwLDbxylrJAZiMWZDX+tZdVk F7TQjfCvsSKf98iFrEwW/twBrsJ0rmLxHg00N3IeC6pS8D5VP5LLuw1d5L74SZmQazWL eMdGtlkx1JyltIM7tLuwPL46Gku1aMBEJ+fjWWCNCzSNVZJzSUObDEB+5hI0noksAAGl kNfMwi10hcQNt59pFM2cwcHLfvjo1F3CyGEhkHn1u/uuJRsuW1xRUK5cXuKvZH4icpxN 7ELg==
X-Gm-Message-State: AIkVDXJ4oxZGzu70w2NIBDXy8XooduQpL0fWNavIKOCOYYP95oHdKsj1B7gW1fQJpZSWQpIcmTWHQ1QXdGUQXA==
X-Received: by 10.129.162.130 with SMTP id z124mr11111909ywg.276.1486133189945; Fri, 03 Feb 2017 06:46:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.204.80 with HTTP; Fri, 3 Feb 2017 06:45:49 -0800 (PST)
In-Reply-To: <CAF8qwaA5ntF8iN99=tQyFt7dqucvcKNw9avgVRGJRmGu-3UswA@mail.gmail.com>
References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com> <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com> <9D8BEE12-49F9-4DE3-81C7-909CB114805F@vigilsec.com> <1b678d65-b146-b25f-c1ad-6dfc044f7ce0@akamai.com> <CABkgnnXfw45-R-Tvf2cZQGb4a5mas2yZRXT4q3ArRyTMSF9x2Q@mail.gmail.com> <733EE968-69EF-43A5-A39B-F016993A3CCD@vigilsec.com> <949EBD4E-613B-4B36-BD93-FDE3E4D4926F@vigilsec.com> <CAF8qwaA5ntF8iN99=tQyFt7dqucvcKNw9avgVRGJRmGu-3UswA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 03 Feb 2017 06:45:49 -0800
Message-ID: <CABcZeBNXu==kGd63OdF07WEqcFiD0qd0aL=KQqKY23Y75XfewA@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary="94eb2c129292e088550547a15893"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vEbb2mlq2oC2M5rPfoa1rnbiD60>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Feb 2017 14:46:33 -0000
I agree with David here. Specifically, I think. - The base specification should continue to forbid certificates in combination with PSK - We should at some point contemplate an extension that allows the use of certificates in combination with PSK - The base spec should be factored in such a way as to make that extension easy. -Ekr On Thu, Feb 2, 2017 at 8:24 AM, David Benjamin <davidben@chromium.org> wrote: > I think this is much clearer, except for one bullet point below: > > On Thu, Feb 2, 2017 at 10:22 AM Russ Housley <housley@vigilsec.com> wrote: > >> [...] >> - If PSK and (EC)DH are being used together, then the server will: >> >> -- sends a "pre_shared_key" extension to indicate the selected >> key; >> >> -- provide a "key_share" extension; and >> >> -- send the Certificate (Section 4.4.1) and CertificateVerify >> (Section 4.4.2) messages. > > > This last bullet here contradicts what specification says elsewhere. From > 4.4.1: > > """ > The server MUST send a Certificate message whenever the agreed-upon key > exchange method uses certificates for authentication (this includes all key > exchange methods defined in this document except PSK). This message conveys > the endpoint’s certificate chain to the peer. > """ > > (Otherwise we defeat the point of resumption and lose PSK-based > identities.) > > Like MT, I am interested in a mode with both (right now we have a ticket > renewal cliff because only the initial handshake does an online signature), > but we'll need to work out the exact semantics. Going from one identity to > two identities, especially when one is added partway through the stream > (consider 0-RTT) has a lot of sharp edges. > > Since this can easily be added as an extension (and would need one anyway > for negotiation), I think it's better to do it as a later document, so we > don't delay what we've done already or rush in a combined mode without > considering all the details. The document would just say "when PSK and > fancy_new_extension are both negotiated, then the server will [...]". > Plenty of extensions have modified the handshake message flow. > > David > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Using both External PSK and (EC)DH in TLS 1… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Joseph Salowey
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Martin Thomson
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Ilari Liusvaara