Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
What do we have in terms of formal analysis for this extension? -Ekr On Fri, Dec 1, 2023 at 11:40 AM Russ Housley wrote: > I think this should move forward. I am encouraged that at least two > people have spoken to me about their implementations. > > Russ > > On Nov 29, 2023, at 10:51 AM, Joseph Salowey wrote: > > RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with an > External Pre-Shared Key) was originally published as experimental due to > lack of implementations. As part of implementation work for the EMU > workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is > ongoing implementation work. Since the implementation status of RFC 8773 is > changing, this is a consensus call to move RFC 8773 to standards track as > reflected in [RFC8773bis]( > https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). This will also > help avoid downref for the EMU draft. Please indicate if you approve of or > object to this transition to standards track status by December 15, 2023. > > Thanks, > > Joe, Sean, and Deirdre > ___ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > > ___ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
At least one bit of work: https://dl.acm.org/doi/abs/10.1145/3548606.3559360 On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla wrote: > What do we have in terms of formal analysis for this extension? > > -Ekr > > > On Fri, Dec 1, 2023 at 11:40 AM Russ Housley wrote: > >> I think this should move forward. I am encouraged that at least two >> people have spoken to me about their implementations. >> >> Russ >> >> On Nov 29, 2023, at 10:51 AM, Joseph Salowey wrote: >> >> RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with an >> External Pre-Shared Key) was originally published as experimental due to >> lack of implementations. As part of implementation work for the EMU >> workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is >> ongoing implementation work. Since the implementation status of RFC 8773 is >> changing, this is a consensus call to move RFC 8773 to standards track as >> reflected in [RFC8773bis]( >> https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). This will also >> help avoid downref for the EMU draft. Please indicate if you approve of or >> object to this transition to standards track status by December 15, 2023. >> >> Thanks, >> >> Joe, Sean, and Deirdre >> ___ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> >> ___ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > ___ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
Whoops wrong one, strike that On Sun, Dec 3, 2023, 3:28 PM Deirdre Connolly wrote: > At least one bit of work: > https://dl.acm.org/doi/abs/10.1145/3548606.3559360 > > On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla wrote: > >> What do we have in terms of formal analysis for this extension? >> >> -Ekr >> >> >> On Fri, Dec 1, 2023 at 11:40 AM Russ Housley >> wrote: >> >>> I think this should move forward. I am encouraged that at least two >>> people have spoken to me about their implementations. >>> >>> Russ >>> >>> On Nov 29, 2023, at 10:51 AM, Joseph Salowey wrote: >>> >>> RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with an >>> External Pre-Shared Key) was originally published as experimental due to >>> lack of implementations. As part of implementation work for the EMU >>> workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is >>> ongoing implementation work. Since the implementation status of RFC 8773 is >>> changing, this is a consensus call to move RFC 8773 to standards track as >>> reflected in [RFC8773bis]( >>> https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). This will >>> also help avoid downref for the EMU draft. Please indicate if you approve >>> of or object to this transition to standards track status by December 15, >>> 2023. >>> >>> Thanks, >>> >>> Joe, Sean, and Deirdre >>> ___ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>> >>> ___ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> ___ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
To respond directly to the call: I think we should require some level of formal analysis for this kind of extension. If there is some, I think the WG should look at it to determine whether it's sufficient. If there isn't I think this should remain at experimental. Not having a normative downref is not a good reason; those are trivial to manage. -Ekr On Sun, Dec 3, 2023 at 12:28 PM Deirdre Connolly wrote: > Whoops wrong one, strike that > > On Sun, Dec 3, 2023, 3:28 PM Deirdre Connolly > wrote: > >> At least one bit of work: >> https://dl.acm.org/doi/abs/10.1145/3548606.3559360 >> >> On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla wrote: >> >>> What do we have in terms of formal analysis for this extension? >>> >>> -Ekr >>> >>> >>> On Fri, Dec 1, 2023 at 11:40 AM Russ Housley >>> wrote: >>> I think this should move forward. I am encouraged that at least two people have spoken to me about their implementations. Russ On Nov 29, 2023, at 10:51 AM, Joseph Salowey wrote: RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key) was originally published as experimental due to lack of implementations. As part of implementation work for the EMU workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is ongoing implementation work. Since the implementation status of RFC 8773 is changing, this is a consensus call to move RFC 8773 to standards track as reflected in [RFC8773bis]( https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). This will also help avoid downref for the EMU draft. Please indicate if you approve of or object to this transition to standards track status by December 15, 2023. Thanks, Joe, Sean, and Deirdre ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls >>> ___ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Call to Move RFC 8773 from Experimental to Standards Track
+1 Reading RFC 8773, I feel at least a tension and maybe a contradiction between the stated motivation, resisting to quantum analysis by combining an [EC]DH derived secret and a PSK, and the use of the PSK alone to derive the early secret. If the early secret is used for 0-RTT, then the adversary have some information that only depend on the PSK. That information might be used to facilitate the attack on [EC]DH+PSK, especially if the PSK is not strong enough to resist quantum analysis. At this point, this consideration is only a gut feeling. A formal analysis would either dispel my weak guess, or confirm it and result in specific recommendations such as not using the early secret. Plus, the formal analysis might also find other issues, behind this one. -- Christian Huitema On 12/3/2023 2:00 PM, Eric Rescorla wrote: To respond directly to the call: I think we should require some level of formal analysis for this kind of extension. If there is some, I think the WG should look at it to determine whether it's sufficient. If there isn't I think this should remain at experimental. Not having a normative downref is not a good reason; those are trivial to manage. -Ekr On Sun, Dec 3, 2023 at 12:28 PM Deirdre Connolly wrote: Whoops wrong one, strike that On Sun, Dec 3, 2023, 3:28 PM Deirdre Connolly wrote: At least one bit of work: https://dl.acm.org/doi/abs/10.1145/3548606.3559360 On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla wrote: What do we have in terms of formal analysis for this extension? -Ekr On Fri, Dec 1, 2023 at 11:40 AM Russ Housley wrote: I think this should move forward. I am encouraged that at least two people have spoken to me about their implementations. Russ On Nov 29, 2023, at 10:51 AM, Joseph Salowey wrote: RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key) was originally published as experimental due to lack of implementations. As part of implementation work for the EMU workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is ongoing implementation work. Since the implementation status of RFC 8773 is changing, this is a consensus call to move RFC 8773 to standards track as reflected in [RFC8773bis]( https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). This will also help avoid downref for the EMU draft. Please indicate if you approve of or object to this transition to standards track status by December 15, 2023. Thanks, Joe, Sean, and Deirdre ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
