Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
Benjamin Kaduk <kaduk@mit.edu> Mon, 19 February 2018 19:50 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3AB2126C19; Mon, 19 Feb 2018 11:50:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Os-k-6LHymyM; Mon, 19 Feb 2018 11:50:04 -0800 (PST)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E4CB1204DA; Mon, 19 Feb 2018 11:50:04 -0800 (PST)
X-AuditID: 1209190e-2bfff70000000dde-34-5a8b2a6a0e12
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id FF.3D.03550.A6A2B8A5; Mon, 19 Feb 2018 14:50:02 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w1JJo1Mg001874; Mon, 19 Feb 2018 14:50:02 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w1JJnvNI014196 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 19 Feb 2018 14:49:59 -0500
Date: Mon, 19 Feb 2018 13:49:57 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: "draft-ietf-tls-tls13@ietf.org" <draft-ietf-tls-tls13@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20180219194957.GL54688@kduck.kaduk.org>
References: <CAHbuEH45PYDuhwFPhv-ybDY6LyzsBhfdEwhJPFLQg9b+ndNK9w@mail.gmail.com> <CAAF6GDdsHW4ynWm15cMgL3BRkJw5xFshhQVO3S47MQD8fVMMag@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAAF6GDdsHW4ynWm15cMgL3BRkJw5xFshhQVO3S47MQD8fVMMag@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOKsWRmVeSWpSXmKPExsUixCmqrZul1R1lMPO4gcWXpt2MFju7L7Ja PNs4n8VizokbLBafzncxOrB6XF+0m9VjyZKfTAFMUVw2Kak5mWWpRfp2CVwZC1tfMhas0a3o WreBtYHxjnIXIyeHhICJxKbpRxi7GLk4hAQWM0ks/3oIytnIKHFs11dmCOcqk8SLm1/ZQVpY BFQlXm06xQxiswmoSDR0XwazRQRsJM51NjOBNDALnGaUOP/6ABuIIyzQwyjxqHUBWBUv0MJf HzZA7ZjOKHFg/VN2iISgxMmZT1hAbGYBHYmdW+8AdXMA2dISy/9xQITlJZq3zgabwykQKDFh 8z9WEFtUQFlib98h9gmMgrOQTJqFZNIshEmzkExawMiyilE2JbdKNzcxM6c4NVm3ODkxLy+1 SNdYLzezRC81pXQTIzj0Jfl2ME5q8D7EKMDBqMTDu+NWV5QQa2JZcWXuIUZJDiYlUd4Ule4o Ib6k/JTKjMTijPii0pzU4kOMEhzMSiK8OSJAOd6UxMqq1KJ8mJQ0B4uSOK+7iXaUkEB6Yklq dmpqQWoRTFaGg0NJgneNJlCjYFFqempFWmZOCUKaiYMTZDgP0HCwGt7igsTc4sx0iPwpRmOO Gy9etzFz/Nq0t5NZiCUvPy9VSpx3O0ipAEhpRmke3DRQ+pLI3l/zilEc6Dlh3osaQFU8wNQH N+8V0ComoFWrRTpBVpUkIqSkGhhPr5lucYQpIqlS4Rxv1MFjzbkiYQo8/DFWry1j2qSdT54J j/9RemVjFjOnxqNuo5Vsrd9v7BQqq3nadPRapUDvLN9D2cpxOazHDtUJzCnZ+2pR9Vy5qeW7 lzGamXqFm33P/88l+fpy/8a6pVGH/prckfRRP1vk9/xntfj+vrI+H20TiY3HViuxFGckGmox FxUnAgBwIIPrOgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ynwbtMP25TlvnPR_K2m9DEyNmX4>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2018 19:50:07 -0000
Hi Colm, On Mon, Feb 19, 2018 at 11:13:44AM -0800, Colm MacCárthaigh wrote: > Since this IETF-LC/IESG process is a good chance to get a sanity check, I'd > like to boil down what I think are the nits and risks with 0-RTT, and if > others want to weigh in they can. I'll state my own position at the bottom. Thanks for this summary and review; I think it's well-said. > Broadly, I think there are three issues with 0-RTT: > [...] > At the same time though, most vendors have stated that they don't plan to > do that and instead have designed around limited replay time windows, > non-transactional strike registers, and non-forward secure tickets. This is > what I expect to see deployed, and already see with some TLS1.3 deployment > experiments. TLS1.3 could be more restrictive here; limiting the size of I don't disagree. It might be helpful to have a conslidated list of references for the vendor statements, so we can get a more clear picture of where to set our expectations. Though of course I do not insist that you assemble one, and I do not want my comment to be seen as detracting from your review overall. > session tickets to smaller than the size of session state would effectively > forbid any kind of session encoding which would force the issue, but > several vendors are against it because it doesn't align with current > practices and it incurs the cost of server-size caching. For balance, in > the last year I have heard from most vendors that they do plan to implement > some anti-replay mitigation though, beyond the simple time-windowing, which > goes a way to protecting users from throttle limits. > [...] > > But my more important reason for supporting is that overall TLS1.3 is much > much better than TLS1.2, including in regards to forward-secrecy, which is > now guaranteed for all non-0RTT data. I still believe that it will > meaningfully increase the overall security posture for the internet, and > I'm super excited to get it out and for users to be getting the benefits. > TLS has always been a bit of a mess, it's not as clean as something > designed by a single voice focused on modern cryptographic best-practices, > but 1.3 does a lot of good cleaning up. Shipping 1.3 doesn't mean things > can't be improved further, and delay inflicts 1.2 and lower versions on > users for even longer. So let's go! Well said! -Benjamin > > On Mon, Feb 19, 2018 at 7:58 AM, Kathleen Moriarty < > kathleen.moriarty.ietf@gmail.com> wrote: > > > Dear Yuhong, > > > > As the sponsoring Area Director, my job is to take the draft forward > > as was determined by working group consensus. Like Stephen, I'm also > > not particularly happy about the choice to leave in 0-RTT, but I have > > to support it as a WG decision. Whatever the version number in the > > ServerHello decision is from the WG, I will support that decision. > > The ServerHello decision doesn't really fall into the, "arms race" as > > you put it. More on that in another thread. > > > > Best regards, > > Kathleen > > > > On Thu, Feb 15, 2018 at 9:04 PM, Yuhong Bao <yuhongbao_386@hotmail.com> > > wrote: > > > I wonder what is IESG's opinion on the TLS arms race with middleboxes. > > > Yes, I am talking about moving the version number in the ServerHello. > > > > > > ________________________________________ > > > From: TLS <tls-bounces@ietf.org> on behalf of The IESG < > > iesg-secretary@ietf.org> > > > Sent: Thursday, February 15, 2018 1:13:48 PM > > > To: IETF-Announce > > > Cc: draft-ietf-tls-tls13@ietf.org; tls-chairs@ietf.org; tls@ietf.org > > > Subject: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport > > Layer Security (TLS) Protocol Version 1.3) to Proposed Standard > > > > > > > > > The IESG has received a request from the Transport Layer Security WG > > (tls) to > > > consider the following document: - 'The Transport Layer Security (TLS) > > > Protocol Version 1.3' > > > <draft-ietf-tls-tls13-24.txt> as Proposed Standard > > > > > > The IESG plans to make a decision in the next few weeks, and solicits > > final > > > comments on this action. Please send substantive comments to the > > > ietf@ietf.org mailing lists by 2018-03-01. Exceptionally, comments may > > be > > > sent to iesg@ietf.org instead. In either case, please retain the > > beginning of > > > the Subject line to allow automated sorting. > > > > > > Abstract > > > > > > > > > This document specifies version 1.3 of the Transport Layer Security > > > (TLS) protocol. TLS allows client/server applications to communicate > > > over the Internet in a way that is designed to prevent eavesdropping, > > > tampering, and message forgery. > > > > > > > > > > > > > > > The file can be obtained via > > > https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/ > > > > > > IESG discussion can be tracked via > > > https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/ballot/ > > > > > > The following IPR Declarations may be related to this I-D: > > > > > > https://datatracker.ietf.org/ipr/2900/ > > > > > > > > > > > > The document contains these normative downward references. > > > See RFC 3967 for additional information: > > > rfc8017: PKCS #1: RSA Cryptography Specifications Version 2.2 > > (Informational - IETF stream) > > > > > > > > > > > > _______________________________________________ > > > TLS mailing list > > > TLS@ietf.org > > > https://www.ietf.org/mailman/listinfo/tls > > > > > > _______________________________________________ > > > TLS mailing list > > > TLS@ietf.org > > > https://www.ietf.org/mailman/listinfo/tls > > > > > > > > -- > > > > Best regards, > > Kathleen > > > > > > > -- > Colm
- [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (T… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Sean Turner
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Kathleen Moriarty
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Colm MacCárthaigh
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Benjamin Kaduk
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Kathleen Moriarty
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Kathleen Moriarty
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Benjamin Kaduk
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Sean Turner
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Sean Turner
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Benjamin Kaduk
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Martin Thomson
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Sean Turner
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Martin Thomson
- Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt… Sean Turner