Re: [TLS] OPTLS: Signature-less TLS 1.3

Watson Ladd <> Tue, 11 November 2014 05:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9F6B01AD556 for <>; Mon, 10 Nov 2014 21:00:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3gSIYjJ8xiGH for <>; Mon, 10 Nov 2014 21:00:07 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6D5E91AD53D for <>; Mon, 10 Nov 2014 21:00:07 -0800 (PST)
Received: by with SMTP id 79so4311922ykr.23 for <>; Mon, 10 Nov 2014 21:00:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mvO2/nHlrSssu1kouz7OlSscnplD9MJ9gJgSW3BTUR4=; b=GKbn3m8TDL2ctT3yAyrNP6Xj8DzW8w/pL4NzzX/Y0OTBPcpFgL781p8hbu53Au0Aqu 7xGmwCv6LYat5uXVnLA6ctub7F9t/8GqbO6BuHqycMrpm2YhcGrWmxOMI/ysXBByCXwg M4e36h0fpcsi+HR8NDW6CN3u9iwnAc/t53hRpLeNsyLcYPYqvKUmgKxvQ1Gw5UBTxQrh ZVXRe5cHmY43XgmKeIXfVTqbWZO+Z/jJ/ecJnMAhn+BDrBRgp9nmV2euSuS7jLKnbT7b Pz+xkZp07TahpJen0zPWwWpr3xwJe9J8r9NquRltCOMRldVU3oRk1nDA+VIlh3L0TU9V c8Iw==
MIME-Version: 1.0
X-Received: by with SMTP id e124mr39269484ykf.24.1415682006753; Mon, 10 Nov 2014 21:00:06 -0800 (PST)
Received: by with HTTP; Mon, 10 Nov 2014 21:00:06 -0800 (PST)
In-Reply-To: <20141111005220.GG3412@localhost>
References: <> <> <> <> <> <> <> <> <> <> <20141111005220.GG3412@localhost>
Date: Mon, 10 Nov 2014 21:00:06 -0800
Message-ID: <>
From: Watson Ladd <>
To: Nico Williams <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Nov 2014 05:00:12 -0000

On Nov 10, 2014 4:52 PM, "Nico Williams" <> wrote:
> On Mon, Nov 10, 2014 at 02:15:34PM -1000, Daniel Kahn Gillmor wrote:
> > On 11/10/2014 01:45 PM, Watson Ladd wrote:
> > > Furthermore,  eliminating online certificates enables
> > > isolation of certs without a performance penalty.
> >
> > if we get people to move their secret keys offline by replacing certs
> > with something that is cert-equivalent for purposes of authentication,
> > then what have we gained?
> The ability to use cheaper, lower-performance HSMs, for one (maaaybe,
> and only where one was using an HSM to begin with).  Or, put another
> way, to handle more connections with a given HSM investment.  It's not
> nothing.  But see below!
> > The reason to move secret keys offline is to protect the identity
> > credentials of the TLS endpoint, not because those keys are valuable in
> > themselves.  If a delegation process creates a new object that is an
> > identity credential for the TLS endpoint, and the secret part of that
> > object remains online, we haven't actually gained anything.
> The delegation has to have a short lifetime because otherwise it
> might as well be a certificate issued by an intermediate CA...
> ...which the customer can't get because of the failure to widely
> implement and deploy PKIX name constraints.
> But also because of revocation: if you have to check the status of the
> key then you lose the 0rt.
> By putting a short lifetime on the delegation that problem goes away.
> But then there's no advantage over plain session resumption.

Can we make 0-RTT resumption? Snap start doesn't do this, and my
proposal from the summer to do this was thought to not be that great.
I'll look up exactly what was wrong and try to fix it. This may work
better than general 0-RTT exchanges, if delegation is considered to be
a problem.

I do see a benefit, which is that session resumption as currently
envisioned involves keeping keys around that can decrypt old data.
Changing this means that TLS 1.3 resumption works differently than TLS
1.2 resumption, which isn't a problem. We should at minimum fix this
PFS failure.

> Even if each 0rt connection can lengthen the delegatee key's life by
> having the server send a fresh signature of the key as needed, the
> server could also just refresh the session resumption state/ticket.
> IMO the main value in static DH is in learning the server's static DH
> pubkey out of band, via DNSSEC (DANE).  That eliminates all these
> concerns while enabling 0rt connections _every_ time for servers that
> have such keys.

So we have a root cert with RSA 1024 bit RSA, or the same delegation
point issue. It doesn't eliminate revocation concerns either: DNSSEC
doesn't guarantee liveness. (DNS can have dynamic data, but the size
is strictly limited, so stuffing a cert chain in is a bad idea).

> Of course, 0rt connections can't provide proper PFS to data sent
> immediately after the client's first TLS handshake message.  That's a
> problem, no?

They can limit the time the key is around, so an attacker has a narrow
window to steal the keys.

There is another set of advantages beyond those mentioned above: TLS
1.2 is annoying to think about for technical reasons, whereas OPTLS
had a good chance of avoiding those. We need to actually design a
secure protocol, not just spray and pray as we have in the past. There
was a 20 year gap between TLS 1.0, and the definitive security
analysis, which discovered new attacks, and is dependent on tool
support. A TLS 1.3 based on TLS 1.2 runs a risk of having significant
security holes in new features unless we take care to do the analysis
before deploying.

I feel the delegation problem was clearly spelled out in Hugo's
message describing the protocol. What I don't understand is why it is
a problem to have a duration-limited credential equivalent in power to
a certificate. Since there is no recording, I can't figure out what
was said and what convinced everyone this was a bad idea.

I've looked at the minutes but they are extremely sparse. What was the
worry associated with complicating the key schedule? Can someone
summarize the argument about delegation, so I can figure out if it
convinces me or not?

Watson Ladd

> Nico
> --