Re: [TLS] Security review of TLS1.3 0-RTT

2017-05-05 Thread Ilari Liusvaara
On Thu, May 04, 2017 at 10:12:34PM -0700, Eric Rescorla wrote: > On Thu, May 4, 2017 at 10:07 PM, Benjamin Kaduk wrote: > > > > > That seems like an inconsistent position to take (don't do this, but if > > you ignore me, do this in this fashion). Advising application profiles to > > consider one

Re: [TLS] WG review of draft-ietf-tls-rfc4492bis

2017-05-05 Thread Hubert Kario
On Thursday, 4 May 2017 19:59:29 CEST Yoav Nir wrote: > > 2) In Section 6: > >Server implementations SHOULD support all of the following cipher > >suites, and client implementations SHOULD support at least one of > >them: > > > >o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > >o

Re: [TLS] Idempotency and the application developer

2017-05-05 Thread Bill Frantz
On 5/4/17 at 4:47 PM, c...@allcosts.net (Colm MacCárthaigh) wrote: I think you're right; and we could enforce in TLS by encrypting 0-RTT under a key that isn't transmitted until 1-RTT. This might be a generally useful pattern for 0-RTT use cases that are trying to get large quantities of data
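The pattern quoted above (bulk data encrypted in 0-RTT under a per-connection key that the client only reveals after the 1-RTT handshake), as an added illustration that is not code from the thread, from TLS, or from any TLS implementation. It is a stand-alone simulation: the `Client`/`Server` classes, the `seal`/`open_` helpers and the hashlib-based encrypt-then-MAC construction are all assumptions chosen for self-containment, not a real AEAD or a real record layer. The point it shows is that a replayed 0-RTT flight lands on a server that can only buffer it, because the key that makes it usable never arrives on the replayed connection.

```python
"""Toy model of "encrypt the 0-RTT payload under a key sent only in 1-RTT".

Constructed example, not TLS: the cipher is SHA-256 in counter mode plus an
HMAC-SHA256 tag (encrypt-then-MAC) so the file runs with the standard library.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a stand-in for a real stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a 32-byte key split into enc and mac halves."""
    enc_key, mac_key = key[:16], key[16:]
    nonce = os.urandom(12)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_(key: bytes, box: dict) -> bytes:
    """Verify the tag first; only then decrypt."""
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, box["nonce"], len(box["ct"]))
    return bytes(c ^ k for c, k in zip(box["ct"], ks))


class Client:
    def __init__(self, payload: bytes):
        self.payload_key = os.urandom(32)  # fresh per connection (assumption)
        self.payload = payload

    def early_data(self) -> dict:
        # Goes out in the 0-RTT flight: bulky, replayable, but opaque
        # to anyone who does not also receive payload_key.
        return seal(self.payload_key, self.payload)

    def one_rtt_data(self) -> bytes:
        # Goes out only after the full handshake, i.e. on the
        # replay-protected 1-RTT channel.
        return self.payload_key


class Server:
    def __init__(self):
        self.buffered = {}   # conn_id -> sealed early data awaiting its key
        self.processed = []  # payloads the application actually acted on

    def on_early_data(self, conn_id: str, box: dict) -> None:
        # At 0-RTT time the server can only buffer; nothing is decrypted
        # or acted upon, so a replayed flight has no application effect.
        self.buffered[conn_id] = box

    def on_one_rtt_data(self, conn_id: str, key: bytes) -> bytes:
        box = self.buffered.pop(conn_id)
        payload = open_(key, box)
        self.processed.append(payload)
        return payload


def run_exchange(payload: bytes):
    """Genuine connection plus one replay of its 0-RTT flight to another server."""
    client = Client(payload)
    honest = Server()
    replay_target = Server()
    box = client.early_data()
    honest.on_early_data("conn-1", box)
    # The attacker replays the captured 0-RTT flight elsewhere.
    replay_target.on_early_data("conn-replay", box)
    # Only the genuine connection finishes the handshake and delivers the key.
    result = honest.on_one_rtt_data("conn-1", client.one_rtt_data())
    return result, len(honest.processed), len(replay_target.processed)


if __name__ == "__main__":
    data = b"bulk upload chunk " * 200  # constructed sample payload
    got, honest_n, replay_n = run_exchange(data)
    print(got == data, honest_n, replay_n)
```

The server-side cost is the buffering: it holds ciphertext it cannot yet use, so a real deployment would bound the buffer per connection and drop it if the handshake does not complete.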

Re: [TLS] Idempotency and the application developer

2017-05-05 Thread Nico Williams
On Fri, May 05, 2017 at 12:04:14AM -0500, Benjamin Kaduk wrote: > >> I'm very skeptical that this position would survive into real-world > >> deployments. > > Which part? > > No matter what we way here, there will be reverse proxies deployed on > the internet in the next 5 years that blindly accep

[TLS] The case for a single stream of data

2017-05-05 Thread Colm MacCárthaigh
I wanted to start a separate thread on this, just to make some small aspects of replay mitigating clear, because I'd like to make a case for TLS providing a single-stream, which is what people seem to be doing anyway. Let's look at the DKG attack. There are two forms of the attack, one is as follo

Re: [TLS] Security review of TLS1.3 0-RTT

2017-05-05 Thread Nico Williams
On Fri, May 05, 2017 at 12:07:09AM -0500, Benjamin Kaduk wrote: > On 05/03/2017 09:33 PM, Blumenthal, Uri - 0553 - MITLL wrote: > > P.S. Care to name (another :) one security-related protocol that > > doesn't provide replay protection? > > Some of the earlier uses of Kerberos are subject to replay

Re: [TLS] WG review of draft-ietf-tls-rfc4492bis

2017-05-05 Thread Yoav Nir
Thanks! That would have been an embarrassing erratum. > On 5 May 2017, at 14:31, Hubert Kario wrote: > > On Thursday, 4 May 2017 19:59:29 CEST Yoav Nir wrote: >>> 2) In Section 6: >>> Server implementations SHOULD support all of the following cipher >>> suites, and client implementations S

[TLS] I-D Action: draft-ietf-tls-rfc4492bis-17.txt

2017-05-05 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security of the IETF. Title : Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier Aut

Re: [TLS] WG review of draft-ietf-tls-rfc4492bis

2017-05-05 Thread Yoav Nir
Hi. Draft-17 submitted. Yoav > On 4 May 2017, at 23:09, Kathleen Moriarty > wrote: > > Yoav, > > On Thu, May 4, 2017 at 1:59 PM, Yoav Nir > wrote: >> >> On 4 May 2017, at 16:09, Kathleen Moriarty >> wrote: >> >> I haven't approved it yet as I noticed there was