Re: [TLS] Security review of TLS1.3 0-RTT
Nico Williams <nico@cryptonector.com> Thu, 04 May 2017 21:58 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1812C128B37 for <tls@ietfa.amsl.com>; Thu, 4 May 2017 14:58:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level:
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CM1mIcQeIO8n for <tls@ietfa.amsl.com>; Thu, 4 May 2017 14:58:22 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E00EF127286 for <tls@ietf.org>; Thu, 4 May 2017 14:58:22 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTP id 7B854A00491D; Thu, 4 May 2017 14:58:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=yJnJ0M6uwVClEc V7TnTwiVwlub4=; b=bu6pEvmcum21SZAKiVUut+wA23tbD0Eh9INbUvP6kIQvxE 5bhLepZJlqxRuEVugH6XxoxMn3aFXd/3Xf77OFfOrkcwEFpHHlGsGRvayB3ld1i7 xCxyvh04UhgG4xT1hvYescZUuV2XTb3Mgb0XIiPTVKtclee3HdhT3NBufBTLA=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTPSA id 22FFCA00491B; Thu, 4 May 2017 14:58:22 -0700 (PDT)
Date: Thu, 04 May 2017 16:58:19 -0500
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Kyle Nekritz <knekritz@fb.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170504215818.GZ10188@localhost>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <MWHPR15MB11825419AF296AE7EC26F3BDAFEA0@MWHPR15MB1182.namprd15.prod.outlook.com> <CABcZeBNyQB3FOik3ZBZvgX7FnEjUydHdJwfa5OkACYDO_FQHaA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBNyQB3FOik3ZBZvgX7FnEjUydHdJwfa5OkACYDO_FQHaA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wVxLzSU3LtkdAmjFEpgd7Di6e7Q>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 21:58:24 -0000
On Thu, May 04, 2017 at 02:37:20PM -0700, Eric Rescorla wrote: > On Thu, May 4, 2017 at 2:27 PM, Kyle Nekritz <knekritz@fb.com> wrote: > > [...] > > I think this is basically right. In the PR I just posted, I spent most of > my time describing the > mechanisms and used a SHOULD-level requirement to do one of the mechanisms. > I think there's a bunch of room to wordsmith the requirement. Perhaps we > say: > > - You can't do 0-RTT without an application profile > - Absent the application profile saying otherwise you SHOULD/MUST do one of > these mitigations? There's a number of ways to handle this. One is to say that 0-rtt cannot be enabled by default, and that enabling it requires an API call or application profile that puts the onus of understanding the ramifications on the application developer. The thing to keep in mind is that this RFC can give guidance to TLS implementors, and to authors of Internet protocols using TLS. It can't really give guidance to authors of non-Internet protocols using TLS: they might never look at the RFC. So the guidance here has to be for the available audience. For TLS implementors the guidance should be to make the 0-rtt footgun clear to consuming applications. Nico --
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Daniel Kahn Gillmor
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Jeffrey Walton
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Hannes Tschofenig
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Timothy Jackson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Watson Ladd
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Derrell Piper
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT David Benjamin
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Dave Garrett
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Yoav Nir