IETF Logo Mail Archive

Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sun, 07 March 2021 08:08 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E60543A2270 for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 00:08:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.9
X-Spam-Level:
X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RAND_MKTG_HEADER=3, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=vQNXE6aj; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=vQNXE6aj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5eT0J59rhWCX for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 00:08:06 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70084.outbound.protection.outlook.com [40.107.7.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D85E93A226E for <tls@ietf.org>; Sun, 7 Mar 2021 00:08:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tcewpDyRee5dZMQ8UOq16mwbgrdf9Yh52SwD/97VGaY=; b=vQNXE6ajQCZ5wPr7Djsg+uFxJXKYOoMw8rGkdTg+Bz/Tev0gv3IW2zIOssgLOLSaf8adCtWRd3Lk/trwPsVy2K+7hHHhQtLQmQREKN1hjl6laFBlnRy7S0Uv+4Shv0kzhW9vYXs2BU82BXlugd2cCVe7V7SLXF/FqseBXKBWf7Y=
Received: from AS8PR04CA0082.eurprd04.prod.outlook.com (2603:10a6:20b:313::27) by AM0PR08MB3795.eurprd08.prod.outlook.com (2603:10a6:208:105::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.26; Sun, 7 Mar 2021 08:08:02 +0000
Received: from VE1EUR03FT060.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:313:cafe::a1) by AS8PR04CA0082.outlook.office365.com (2603:10a6:20b:313::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17 via Frontend Transport; Sun, 7 Mar 2021 08:08:02 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT060.mail.protection.outlook.com (10.152.19.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17 via Frontend Transport; Sun, 7 Mar 2021 08:08:02 +0000
Received: ("Tessian outbound 751bd80b3146:v71"); Sun, 07 Mar 2021 08:08:00 +0000
X-CR-MTA-TID: 64aa7808
Received: from a961c211af49.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id D2CF57FF-5EAB-4D78-870B-052BB9A21984.1; Sun, 07 Mar 2021 08:07:55 +0000
Received: from EUR02-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id a961c211af49.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sun, 07 Mar 2021 08:07:55 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=foaCgcWko5DlKWMgfrXSo/o05zYO9YOx/P8S7ujpQDPnnGL0aW09++NvJE9Fhw6vgCgl3xZKJDyJUeFM5IXfCgZXAJkwClco2JOOT5ass0jU9MxjEnGLhqCWtHjNxn7BdvAKmSw0B6qKwz8FfmxfajrFfgYXsglX2cBe/2V3AF+bPedoYoxTD4Bsy7+pPwPdZfuNAtmWOGuQPg+CCciQdAc7zPK6W5PBEeFdI/9TWJXjlBUKm4ZV8Iz2LNNWn7Po5ULSOdp0Olv8VfLYsKq2S886S+gy1+3AQom4owlK+hMCp6TpJJM55IETdX/Dc+5wViWn1Y1m/tcq0O4w0tB3sQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tcewpDyRee5dZMQ8UOq16mwbgrdf9Yh52SwD/97VGaY=; b=MmZVcZ4ZRRBa0ZyeaoceOA95K8XhJiGiJaBbNedtpLKZr8Rj5mkKAT/qENsXj8QGZpcznk078wDghy3OcOD4cw426frpUsZY4gxd8la728Wz3dkQ1GP8U7/FjCBBYZ6vnL3ekmTqZLLyFqThNAH8BgaLnYFyYkKs+x2nqXc6a3PtiDkAsWVc1jfYO7X/AgoEs6W3OkQmXid3QDY3EU0bwVtVSL2KgTXuW2EvhGTMUYYnLwD5e9z1r5teAvvpTtHhB858dp1gZqOEf+2BgKSrT6Ba/MyprMzMkx1EfCv4mcZbwuHTaHtWqVJj/YzU26YLX/bWlhqBHFvVvfgJPeKGVA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tcewpDyRee5dZMQ8UOq16mwbgrdf9Yh52SwD/97VGaY=; b=vQNXE6ajQCZ5wPr7Djsg+uFxJXKYOoMw8rGkdTg+Bz/Tev0gv3IW2zIOssgLOLSaf8adCtWRd3Lk/trwPsVy2K+7hHHhQtLQmQREKN1hjl6laFBlnRy7S0Uv+4Shv0kzhW9vYXs2BU82BXlugd2cCVe7V7SLXF/FqseBXKBWf7Y=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM8PR08MB5700.eurprd08.prod.outlook.com (2603:10a6:20b:1d5::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Sun, 7 Mar 2021 08:07:49 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::7484:8c2b:e664:648]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::7484:8c2b:e664:648%7]) with mapi id 15.20.3890.037; Sun, 7 Mar 2021 08:07:48 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Nico Williams <nico@cryptonector.com>, John Mattsson <john.mattsson@ericsson.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Thread-Index: AQHXEeEgKe23eiCLoE+KwrPix1Q1lap1qA2AgAAjloD///3gAIACXrFQ
Date: Sun, 07 Mar 2021 08:07:48 +0000
Message-ID: <AM0PR08MB3716A4C8D0F9BB007F9A0CBCFA949@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <20210305193502.GW30153@localhost>
In-Reply-To: <20210305193502.GW30153@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 6120C737734C2C418377CC38B1AE01D7.0
x-checkrecipientchecked: true
Authentication-Results-Original: cryptonector.com; dkim=none (message not signed) header.d=none;cryptonector.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.115.86]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: edc2467b-915d-4ade-9c09-08d8e140211e
x-ms-traffictypediagnostic: AM8PR08MB5700:|AM0PR08MB3795:
X-Microsoft-Antispam-PRVS: <AM0PR08MB3795DBE4067C09640964B3F9FA949@AM0PR08MB3795.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:4941;OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 0zTvFsT8KhZa2TWzfe1hYYSY9q2nn5K42s1jTiBvyVs1aAOtIGiQ6nB1yvh7KwGzoMOWNRD0Z7x24TrXTBUNcUFpmW0RtQNtUtxPv0RNUOtJpidzw8pyyyzHwMfNdGmK9fNDDYi/I16JohPNav4W6qDxUrUf9JZIq9UN//Iw7CtsX+g8vsZlXDK1mGMk3WNmIgUspVdLYKYwzvPZUPBznx92z6A4s5FiKlb/InfqkD0D1Un4EfXcpgrlkzdwPNGskLFSNT5gA6PrQjwBZyZZwwApzQLY1+GNo7G3/Xt6ULwmgeOPFfJkXzysQvhj0prwLVqWeaP9KrgFautM14jCe5TvM5CLNJzYeHxoKmXHuGeHDJgUNdmSmcrEH/Oo+qSv5boWJEP8beg6kcUHozbR+k1QFjkyWKu0xHI/H0lhXjA6PGC9DN8lHMX/mrEkluMsi/RNl+PN9c1RGDPA8xsIr3bn1blGj9xm+i0b/SLcZZlTXGAOMdw0R6jTFBUXLDEs85NVMilwpXhmbPwy8xHm5MN8poiMQC3WWD6msL11Q+/i7xuKpxhoKfvA7cv5lu/8mNgE9WaIeXuBfUpnse3cB4LcqcfsGtMRK7Mk8MAKCGVPyCvneu8ERuI9y88ALjKrYvtnCLZkqXvEeK9UFYQz1ugyrc/5DPeC8uOdDGlc2CY=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(376002)(366004)(136003)(39860400002)(396003)(66556008)(316002)(66446008)(478600001)(33656002)(186003)(83380400001)(8936002)(5660300002)(8676002)(7696005)(110136005)(26005)(2906002)(86362001)(76116006)(66946007)(9686003)(6506007)(966005)(4326008)(71200400001)(53546011)(64756008)(66476007)(52536014)(55016002)(219973002)(557034005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: +WMhcn3u80W5J7BYTDrvw0uvUQKsUobQ04g4rvj+wQtAH783ptB8z2IE6PvvzlZGAYq6GAfOyEKxyaKDxg3jE2uPBy3CcnBLrz0NbelY+yuq6ALSRyWYGtDj8JUJPgwwaH7FU31fUeSVBt8tdSowlJiDpYiXsB/FxsCWHHJsgLOKdjV1jXBiyFJhGpwkly8ADZ522ehNvjaYGa8c5aHRQ+O2+hR55uzbjOjKGtIKL1qR6pScgBlipgF40IhWjva9c8XJXISN17tFUTkXsXvALcm9XMDBt3pedMLJM6z5F4XFqTCYsgDS+hCZp2Z98mplnEzToeVRCf+QV4LeQS2QHUYriR95w5EkYjEtOS6UXQoNlfFK+IVssG/DrOBLMe9nO46FB9AMcNg0vo6RNg922QVGjGAu3tgEwhA4WRCnY6IK4kGPXex1zwttU+mdCrEkUoR86aXqp4It5a21wJCMJcWVnKPDVeIwrunOWv1Y2igTv00SwW5kYepv/YH78FNyLQu3rRAL38yoXs8kYa4Wc8WnK6DBt9QEQYG7Zw5T1xULDLw+NpwKkVXM19TB42kwG0FiEWzVf4j3OnhkpoODzQNY3coz0+MLQ3t8Ut2WWy54OPWdik92tDuDmiFbyM1setravJpc3xQ8Cwrbq/tZ1fE7nUyNNoAfdrhbvqG0mvy/ZiFlZhwsMAfO0x4LofwHyRAnD4F/slnJYorvWBtoJVp/VyiUaROrI+SJZeik+pf1kRDysDSYPwmtV+oBtEuW0UkeTqIeHNlFunqfKQnac01c4EySXTqNGkDbVWo+Ek+zsPMjmZJFUxU/gqJBBOUvVX+I12k4WqVyFnx+p+AC0CfRlBub2aTCZDuu1HQJAxxVVktc4fTv1PtVDZcnEC7jxvOxujYsVKI9qca2SWalqIcCE1HNfCXFPdxwr5fHn++UPhLXsunGD/U+avc9JcGV3JlOfRBeVEm57KmyAU75VMqz9wepkLNVRqzKZ256nNgVnqcyhBwIQH4BaReF6XQclVPkqDif2Uz/ammM5UBWgBCbR+0MD/u1bCQWG6DmZg37QVeeHTzVM/et0+K8zkh1pQsRZSLZpUDD/i1eaVq6NxesCOp3ZBd+XNUGccSWR6YwEauy/dSYHII64mmH0ZkncUFz8cMwEUIKFwa++rTxBS9vi2Tlvq/wUi7hcpDJi7GwJW8xPIJIQBvlLfHWgBQqQEs8btl94rFkeI9h+SSMvPXsZJBedDdO1CmefySfbJzcRRH7rTVN2D/ZDJxfzF80Hb6p04nztrxRpMhGbPGCe0/WUxp0+LC2pXTAt5e0Y2g=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8PR08MB5700
Original-Authentication-Results: cryptonector.com; dkim=none (message not signed) header.d=none;cryptonector.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT060.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 7a118ad7-2f72-4b79-8fb8-08d8e140191f
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: sSB9o12piB+HQQFD46pC9tC+QXWA60Vc8iBFtLR/hxmvydOeLmksUuBGh6Q7wgx23NxqnfJdOX6EecHNo8vslQ9expUGWeX+YbGJSlwm4ewiKth/yQrKvTrnJnOa/4vwLKZNn2YGOpE65ej0+6SdLM9Cxaz327p7ywm5ba3FeuBvXdd6S9xPZ9ubKsH8OQDk8ojLwcTqYZmTfMbmKejBgIj6WbtutnsK3EuuCDcUxony/YslUcPQGJOh/EtVmMAiNV1SkdUu7U3+Jh0/5gyGyunU8vSo2tCiRZme3e7alaETfQ65s9odqPfdTinhFq7xKIdDuxOYtLVPFuNKGljHz/lY8jtmHZHEl4yi38cObnwoOr9rcLuuiekFIkrJS2/GTW1RY2pLMXwFMKOZARPbD39LCp96vehWy6NqVbIATkuadElK9ZrBDiOkwFVbaleMZhuLYU7kYpnXvBmfl6rqDUXh7u9z1Y40HZVbafxaEBHq4eVa1e/kFq9XZRWwaXPOpw4DchXTQ1x878JGGiIElrzP+/WZ8HFx682hPwsWUrx2FDJ57DzTTjTPgPujIUcVpkQPiPelmlGX9j0GaCH9HFWzx6PB3KBZybXHTF3ug65Hc/3BYScqIa8my9Ua+0GQjHfFP2mX9Heb3hG8FlTg4gU3dCAx0l7uSE7RfGrXFt2nekmEafSzTqP9NkPuTgFVMh8zpeyqxbJMWwH4Xsyx3eM1KWm+h0LBhFc/+Gs4uTtQeoFLrwWU+2Gq3KTYu3IyCxByfLhu8N8caZ4GbIbmbs5ZwoWTyAEcbqfVIJr+2Qs=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(376002)(136003)(346002)(396003)(39860400002)(36840700001)(46966006)(86362001)(7696005)(6506007)(53546011)(966005)(36860700001)(52536014)(82740400003)(8676002)(316002)(5660300002)(110136005)(4326008)(9686003)(336012)(478600001)(55016002)(8936002)(70586007)(47076005)(2906002)(33656002)(356005)(26005)(186003)(81166007)(70206006)(82310400003)(83380400001)(219973002)(557034005); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Mar 2021 08:08:02.0444 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: edc2467b-915d-4ade-9c09-08d8e140211e
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT060.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3795
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zDWAv5vZtThvZWu4LZQUm2JmdMI>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2021 08:08:10 -0000

Nico raised some really good points here.

I think it is useful to start with the problem description.

It seems that you are concerned that there is a possibility for leakage or compromise of keying material during the lifetime of the session.
What could happen?

* Long-term keys*,
* Some keys used in the key hierarchy,
* keys used for protecting the application traffic

Additionally, you could also consider the case that the trust anchor store gets compromised.

In any case, you seem to be concerned about the leakage of long-term keys (at least that's what I get from the email thread).

If your long-term keys got compromised then you have a serious problem. Re-running even the full handshake will not indicate problem. It will just work fine.

You will somehow have to find out that these long-term keys have been leaked, which will not be easy. Then, you need to isolate the endpoints using those compromised keys and reprovision new keys to them. You might want to terminate ongoing connections as well. Since you will often not know what exactly has been compromised (at least not quickly enough), you might need to take a range of steps to re-set it to a known good state (such as doing a firmware update, in case of an IoT device).

Many of these aspects are, however, outside the scope of TLS itself.

Could you elaborate on the threats you are trying to address?

Ciao
Hannes

*: Often a device has more than one long-term key pair (used for different purposes). Without further complicating things, the impact depend a bit on which keys have been leaked.

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Nico Williams
Sent: Friday, March 5, 2021 8:35 PM
To: John Mattsson <john.mattsson@ericsson.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

On Fri, Mar 05, 2021 at 06:42:40PM +0000, John Mattsson wrote:
> >While renegotiation will never be re-added, there is post-handshake
> >authentication (RFC 8446, section 4.6.2), and while that is currently
> >about authenticating the _client_ to the server, it should be trivial
> >to extend the protocol to support re-authenticating the server to the
> >client as well.
>
> I think the current Post-Handshake authentication is not really
> suitable for long-term connections. It assures that the other party is
> still alive but it does not shut out any other third parties with
> access to application_traffic_secret_N. Such parties may have gotten
> the key with or without collaboration with one of the nodes.

We assume local security, so the only way the TLS keys could have leaked to third parties is if either a) the local security assumption fails, in which case you have bigger problems, or b) the cryptographic security of TLS itself failed, in which case you have bigger problems, or c) you're exceeding usage limits on a symmetric cipher.

Changing session keys wouldn't help you in cases (a) or (b).

I think the only interesting case is (c).  If you're using a 128-bit block cipher, you're not in case (c) as you'd have to transfer something like 2PB before you exceed AES key usage limits.

At some point you have to be prepared to reconnect.  Application protocols that work like BGP (destroy the world on RST) simply need to be fixed to not do that.

> Agree that the negotiation part of renegotiation should not come back.
> Below is a sketch of what I think would be needed Post-Handshake for

That's essentially renego-lite.  Note that there's protocol timing trickiness in getting this right.  SSHv2, which does have proper re-keying, has experience with that.

> DTLS/SCTP with DTLS 1.3:

What's special about DTLS vs. TLS?  Why should one get this but not the other?

Nico
--

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email