On Fri, Jul 20, 2018 at 4:39 AM, Nikos Mavrogiannopoulos <n...@redhat.com> wrote:
> On Fri, 2018-07-20 at 02:38 -0700, Eric Rescorla wrote:
> >
> > > > This is somewhat timely, as if we do want to introduce a
> > > > restriction, it would ideally be in the form of some text in the
> > > > TLS 1.3 specification, which is very nearly done.
> > > >
> > > > It would be good to hear more opinions on this question,
> > > > particularly from those who have worked on the formal
> > > > verification directly.
> > > >
> > > > If I can attempt to summarize some discussion that occurred in
> > > > the mic line today, Hannes was surprised that we would care,
> > > > likening this case to the regular version negotiation, where we
> > > > are happy to use the same certificate to sign messages for both
> > > > TLS 1.2 and 1.3. David Benjamin points out that we explicitly go
> > > > to the trouble of putting 64 bytes of 0x20 padding at the front
> > > > of the content that gets signed for CertificateVerify, to enforce
> > > > separation between the TLS versions.
> > > >
> > > > My own personal opinion is that we should enforce a domain
> > > > separation between TLS 1.2 PSKs and TLS 1.3 PSKs; David
> > > > Benjamin's "Universal PSKs" proposal seems like a potential
> > > > mechanism by which to do so without doubling the provisioning
> > > > needs.
> > >
> > > I think the same rules should apply for PSK and RSA/ECDSA/EdDSA
> > > keys. There is no inherent difference between the two key types. I
> > > could have deployed TLS with PKI or TLS with PSK. I should be able
> > > to upgrade protocols the same way.
> > >
> > > If RSA keys can be re-used between TLS1.2 and TLS1.3, then so
> > > should PSK keys. The current document specifically allows that
> > > re-use, and if you fear that the current document did not take
> > > cross-protocol attacks into account during design, then let's fix
> > > that instead.
> >
> > The issue is not cross-protocol attacks; it's the reuse of PSKs with
> > different KDFs, which we don't have any analysis for.
>
> I understand, but as I have already mentioned, that argument also
> applies to RSA keys, which can be used e.g. for RSA encryption under
> TLS1.2 and for RSA-PSS signatures under TLS1.3. ECDSA keys can be used
> with multiple hashes under TLS1.2 while only one under TLS1.3.
> TLS 1.3 did not enforce protocol separation for that ugly scenario, so
> I wouldn't expect PSKs to be treated differently.

I will let Karthik speak for himself, but I believe we do in fact have
analysis for these cases.

-Ekr

> That said, I want to clarify that I wouldn't necessarily object to an
> improvement of the situation for externally established PSKs. The
> issue I see is that TLS1.3 already gives a "good enough" solution with
> re-using the key, and I'm afraid we're going to have interoperation
> issues if some implementations move to universal PSKs and some do not,
> defeating the purpose of a standard.
>
> regards,
> Nikos
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
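The two mechanisms the thread leans on, written out as an added worked example (this is editor-supplied Python, not code from the thread, from the TLS working group, or from any TLS implementation): the TLS 1.3 CertificateVerify signature input from RFC 8446 §4.4.3, whose 64 leading bytes of 0x20 are what David Benjamin is referring to, beside the TLS 1.2 pure-PSK premaster construction from RFC 4279 §2, which consumes the raw PSK; and a label-based derivation that turns one provisioned key into a distinct PSK per TLS 1.3 hash via HKDF-Expand-Label (RFC 8446 §7.1), which is the shape of the domain separation Ben asks for. The "derived psk ..." labels in `derive_per_kdf_psk` are assumptions chosen for illustration, not the labels of the Universal PSK draft; the HKDF and HKDF-Expand-Label encodings are the RFC ones.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC-Hash(salt, IKM); empty salt = HashLen zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int, hash_name: str = "sha256") -> bytes:
    """RFC 8446 s7.1: info is HkdfLabel { uint16 length; opaque "tls13 "+label; opaque context }."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def tls13_certificate_verify_content(transcript_hash: bytes, server: bool = True) -> bytes:
    """Signed content of a TLS 1.3 CertificateVerify (RFC 8446 s4.4.3).

    64 bytes of 0x20, then the context string, a single 0x00, then the transcript hash.
    The padding is the version domain separator: a TLS 1.2 ServerKeyExchange signature
    input starts with client_random || server_random, which a peer cannot force to be
    64 spaces, so the same signing key cannot be tricked into authorising one
    version's data while the other is being negotiated.
    """
    role = b"server" if server else b"client"
    return b"\x20" * 64 + b"TLS 1.3, " + role + b" CertificateVerify" + b"\x00" + transcript_hash


def looks_like_tls13_signature_input(data: bytes) -> bool:
    """Cheap check a TLS 1.2 endpoint could apply: a TLS 1.3 CertificateVerify input is
    recognisable by its 64-byte 0x20 prefix, so it can never pass for TLS 1.2 signed data."""
    return len(data) >= 64 and data[:64] == b"\x20" * 64


def tls12_psk_premaster(psk: bytes) -> bytes:
    """TLS 1.2 pure-PSK premaster (RFC 4279 s2): uint16 N || N zero octets || uint16 N || PSK.

    The raw PSK feeds the TLS 1.2 PRF directly, which is why re-using it unchanged as a
    TLS 1.3 PSK means one key enters two unrelated KDFs.
    """
    n = len(psk).to_bytes(2, "big")
    return n + b"\x00" * len(psk) + n + psk


def derive_per_kdf_psk(universal_psk: bytes, hash_name: str) -> bytes:
    """Derive a separate TLS 1.3 PSK per cipher-suite hash from one provisioned key.

    Labels are ASSUMED for illustration (not the Universal PSK draft's). Because the
    label names the hash, a SHA-256 PSK and a SHA-384 PSK derived from the same input
    are independent, and neither equals the raw key that TLS 1.2 would consume.
    """
    hashlen = hashlib.new(hash_name).digest_size
    prk = hkdf_extract(b"", universal_psk, hash_name)
    label = b"derived psk " + hash_name.encode("ascii")   # assumed label
    return hkdf_expand_label(prk, label, b"", hashlen, hash_name)


if __name__ == "__main__":
    # Constructed sample key and empty-transcript hash, for a stand-alone run.
    psk = b"k" * 32
    cv = tls13_certificate_verify_content(hashlib.sha256(b"").digest())
    print("CertificateVerify input:", cv[:70].hex(), "...")
    print("TLS 1.2 premaster:      ", tls12_psk_premaster(psk).hex())
    print("TLS 1.3 PSK (sha256):   ", derive_per_kdf_psk(psk, "sha256").hex())
    print("TLS 1.3 PSK (sha384):   ", derive_per_kdf_psk(psk, "sha384").hex())
```

Run it and compare the three bottom lines: the TLS 1.2 premaster carries the key verbatim, while each TLS 1.3 derivation is an independent value, which is the property the "different KDFs" objection is about. The HKDF primitives can be checked against the RFC 5869 test vectors before trusting the derivation.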