On Thu, Oct 8, 2015 at 12:16 PM, Simon Josefsson <si...@josefsson.org> wrote:
> Eric Rescorla <e...@rtfm.com> writes: > > > On Thu, Oct 8, 2015 at 11:29 AM, Simon Josefsson <si...@josefsson.org> > > wrote: > > > >> The notes from the interim meeting mentions 'tls-unique' and points to > >> issue #228 on github. I want to get your attention on the draft below. > >> Doesn't it do what you are looking for? There is a little in the way of > >> a problem statement in the TLS interim meeting notes, so it is hard to > >> tell what the perceived problem with 'tls-unique' is in this context. > >> Does my draft need to be updated for TLS 1.3 in any way? It might serve > >> as a starting point for future work. > >> > >> https://tools.ietf.org/html/draft-josefsson-sasl-tls-cb-03 > > > > > > Well, TLS 1.3 doesn't have a PRF, but instead explicitly uses HKDF. > > > > With that said, I don't really understand the structure of your draft: > > Instead of referencing the PRF and session_hash directly, why not instead > > use RFC 5705 exporters and require the use of the session_hash > > extension? > > The introduction says: > > There exists a TLS extension [I-D.ietf-tls-session-hash] that modify > TLS so that the definition of 'tls-unique' [RFC5929] has the intended > properties. If widely implemented and deployed, the channel binding > type in this document would not offer any additional protection. The > purpose of this document is to provide an alternative channel binding > that offers the intended properties without requiring TLS protocol > changes. However, keep in mind that TLS implementations needs to > offer the appropriate APIs necessary to be able to implement the > channel binding described in this document. > > I agree that one alternative is to require session_hash for all > connections. Given that you need to modify *some* software in any case, it seems like one ought to adopt session-hash. > But then what is the problem with use of 'tls-unique'? > The general consensus is that 96 bits is too short. -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
