Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

On Thu, Jul 26, 2018 at 10:58:05AM -0700, Eric Rescorla wrote: > Here’s a specific construction, but we’re flexible about the details: > >struct { >opaque base_identity<1...2^16-1>; >HashAlgorithm hash; >} imported_psk_identity; > >UPSKx = HKDF-Extract(0, UPSK) // UP

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

On Thu, 2018-07-26 at 10:58 -0700, Eric Rescorla wrote: > Ben, > > Thanks for focusing on this issue. > > Chris and I have been discussing an alternative design which we think > is more consistent with the existing structure, which we call PSK > Importers. As with your design, we have an input u

Re: [TLS] WG adoption call: draft-housley-tls-tls13-cert-with-extern-psk

On Thu, 2018-07-26 at 15:05 -0700, Christopher Wood wrote: > The sense of the TLS@IETF102 room was that the WG should adopt > draft-housley-tls-tls13-cert-with-extern-psk as a WG item. This email > is to confirm this sense on list. If you would like for this draft to > become a WG document and you

Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk

On Mon, 2018-04-23 at 15:30 -0400, Russ Housley wrote: > > > > In the presentation the main driver for it seems to be quantum > > computer > > resistance as temporary measure. If that's the main argument I > > don't > > think it is really significant. PSK can hardly be used with PKI, > > and as >

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

On Fri, Jul 27, 2018 at 12:18 AM, Ilari Liusvaara wrote: > On Thu, Jul 26, 2018 at 10:58:05AM -0700, Eric Rescorla wrote: > > > Here’s a specific construction, but we’re flexible about the details: > > > >struct { > >opaque base_identity<1...2^16-1>; > >HashAlgorithm hash; > >

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

On Fri, Jul 27, 2018 at 05:00:52AM -0700, Eric Rescorla wrote: > On Fri, Jul 27, 2018 at 12:18 AM, Ilari Liusvaara > wrote: > > > On Thu, Jul 26, 2018 at 10:58:05AM -0700, Eric Rescorla wrote: > > > > > Here’s a specific construction, but we’re flexible about the details: > > > > > >struct {

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

> As with Universal PSKs (UPSKs), each input key is a triplet of > (BaseIdentity, BaseKey, KDF), where a BaseIdentity is a PSK identity > as used today. To use a UPSK, an implementation takes the set of KDF > hashes it knows about H_i and derives a set of PSKs To be clear, you’re suggesting that

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

On Fri, Jul 27, 2018 at 6:43 AM, Karthikeyan Bhargavan < karthik.bharga...@gmail.com> wrote: > > As with Universal PSKs (UPSKs), each input key is a triplet of > (BaseIdentity, BaseKey, KDF), where a BaseIdentity is a PSK identity > as used today. To use a UPSK, an implementation takes the set of

Re: [TLS] Last Call: (Example Handshake Traces for TLS 1.3) to Informational RFC

A couple of comments on draft-ietf-tls-tls13-vectors-06: Ordering of messages: * Whenever the steps '{server} derive secret "tls13 c hs traffic":' and '{server} derive secret "tls13 s hs traffic":' appear, this is corresponding to the steps in the second phase of the key schedule (section

Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk

> On Jul 27, 2018, at 5:23 AM, Nikos Mavrogiannopoulos wrote: > > On Mon, 2018-04-23 at 15:30 -0400, Russ Housley wrote: >>> >>> In the presentation the main driver for it seems to be quantum >>> computer >>> resistance as temporary measure. If that's the main argument I >>> don't >>> think i

[TLS] Double-Checking after TLS 1.3 pre-RFC copy edits

Dear TLS WG members. I am doing my final copy-edits for the TLS 1.3 RFC and I noted one technical point and two points I would like to edit for clarity but I wanted more eyes on. 1. https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.2 If the client is attempting a PSK key