For people that currently use keyupdates or who are planning to use key updates, which layer are you planning to trigger a key update? Would the TLS implementation itself trigger the update or would the application trigger it? For renegotation, I believe it was mostly triggered by the application.
For the use cases you mentioned Keith, they seem to be specific to application triggered key updates, i.e. key updates do not mean anything to the TLS layer apart from I got a key update and I must change keys. The fact that other side has thrown away it's key is only meaningful to the higher layer protocol. I imagine protocols like HTTP would not add these semantics, and these semantics would be added to very specific IoT protocols? Would the scope of the auditor be defined as a part of that protocol, or does it need to be defined as a part of TLS? If key update is an application triggered mechanism, does the generation identifier need to be an integer to be understood by the TLS layer or could it also be an opaque identifier sent by the application. It would be much simpler not to have to deal with the requirements of consistency at the TLS layer and would make the API simpler. Subodh ________________________________________ From: TLS [tls-boun...@ietf.org] on behalf of Keith Winstein [kei...@cs.stanford.edu] Sent: Friday, August 19, 2016 8:40 PM To: Stephen Farrell Cc: Adam Langley; tls@ietf.org Subject: Re: [TLS] KeyUpdate and unbounded write obligations On Fri, Aug 19, 2016 at 2:29 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: > > And for me, the dodgiest, by far. The scope for an "auditor" > (what is that?) actually being an attacker is IMO way too > high to consider standardising that kind of feature and any > idea that it'd involve informed consent of someone seems to > me fictional. I appreciate the sensitivity of this issue to the WG. My read of your email is that there's a concern that by standardizing a protocol mechanism that allows a node to learn when its own KeyUpdate has happened, the WG would imply approval of features that permit the bad kind of eavesdropping. Here's why I don't think that's the case: Our PR is for a piggyback integer field to provide security property P3: "An implementation can learn that its request to rekey its outgoing traffic has been read by the other side." KeyUpdate is an *instruction* to the other side: "please update my key in a forward-secure manner." We think some implementations will want to know that the instruction has been carried out. And there's an easy opportunity to do that here as a piggyback, without any extra protocol messages. A node will naturally care more about forward secrecy, and confirmation of a forward-secure ratcheting event, the more it has reason to suspect the keys might later be exposed to a third party. In Berlin, I described three escalating cases: the (1) node going to sleep, (2) node closing a connection without a mechanism for secure bidi close, and (3) node that itself intends to release keys to a read-only auditor after a ratchet is complete. By "read-only auditor," we mean a curious person or security researcher who owns an IoT device and wants to know what the heck it is sending out of their house, where the device doesn't want to allow its owner to add trusted certificates for an MITM. (This describes most such devices today.) Obviously I think it's valuable to make this mechanism available for IoT device manufacturers. Having talked to several manufacturers, I'm cautiously optimistic that some would use this. But the WG doesn't have to take a position on this. These use cases are up to implementers. There's nothing stopping an implementer today from releasing session keys, or allowing complete MITM, as is the case in the browser context with user- or admin-installed root CA certificates. The TLS WG hasn't opined on these either. To restate: Property P3 allows a node to learn that its KeyUpdate instruction has actually happened, which in our view is useful and a strict benefit over the status quo. It's also orthogonal to the issue of unbounded write obligations raised in this thread. -Keith _______________________________________________ TLS mailing list TLS@ietf.org https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DQICAg&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=dPWRCHpTfdtxfXYBMZF__UyOa7wszKFnA6criwmMDHI&s=E7sRstn6vNQHPiX3CXAa6BbWSWtMW7VKtN4f3yblZ5U&e= _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
