I suggest this change to the minutes:

OLD:

Russ: Current 1.3 key schedule uses a sig across (?). DH is the thing that drives the key schedule. Subsequent handshake based on resumption PSK or that and an additional DH result. Proposal: add an additional option to the initial hs to include an external PSK and combine with the DH. Want to do this for quantum protection, you've mixed in this external OOB-distro'd PSK so that any attacker has to get the PSK too. (See ladder diagram of where this would fit.) Syntax: boolean, present or not. If you negotiate, you'll agree to do that. Presently language in the spec that precludes PSK when certs are used. Wouldn't be used with a resumption, just external. Group of TLS peers would need to get the PSKs. If the quantum computer comes, have to compromise one of the numbers of the group to compromise the PSK. Ask: WG adopt as a work item, then review and comment.

NEW:

Russ: In TLS 1.3, initial handshake authentication is based on certificate and signature, and DH shared secret drives the key schedule. In a subsequent handshake, authentication is based on resumption PSK, and the key schedule is driven by the resumption PSK or the resumption PSK plus an additional DH shared secret. Proposal: add an additional option to the initial handshake to include an external PSK that is combined with the DH shared secret. Want to do this for quantum protection; the external PSK must be distributed out of band. An attacker with a quantum computer needs to learn the external PSK to crack the key schedule. (See ladder diagram of where this would fit.) Syntax: a boolean; the TLS extension is present or not. If the extension is negotiated, the client and server agree to include the external PSK in the key schedule. Presently language in TLS 1.3 precludes PSK when certs are used. The external PSK wouldn't be used for resumption, just initial handshake. Group of TLS peers would need the same PSK and identifier. If the quantum computer comes along, the attacker would have to compromise one of the members of the group to obtain the PSK. Ask: WG adopt as a work item, then review and comment.

Russ

> On Aug 10, 2018, at 11:40 AM, Christopher Wood <christopherwoo...@gmail.com> wrote:
>
> Thanks for pointing out this formatting issue, Russ. I updated the notes in an attempt to improve readability. Please have a look and let me know if you see other (or new) issues.
>
> Best,
> Chris
>
> On 9 Aug 2018, at 21:53, Kaarthik Sivakumar wrote:
>
> Could be line ending issues - I see something like these when switching between different OSes.
>
> -kaarthik-
>
> On 10/08/18 03:37, Russ Housley wrote:
>> I do not understand the formatting. Are the '*' characters supposed to be bullets? If so, them appearing in the middle of paragraphs is confusing.
>>
>> Russ
>>
>>> On Jul 28, 2018, at 1:32 PM, Christopher Wood <christopherwoo...@gmail.com> wrote:
>>>
>>> Minutes for both TLS sessions at IETF 102 have been uploaded:
>>> https://datatracker.ietf.org/doc/minutes-102-tls/
>>>
>>> Many thanks to Joe Hall and Gurshabad Grover for taking detailed notes.
>>>
>>> Please review the minutes and check for inaccuracies. If anything is incorrect, please let the chairs know ASAP.
>>>
>>> Thanks,
>>> Chris, Joe, and Sean
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
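As an added illustration (not part of this thread or of the draft under discussion), the following Python models the RFC 8446 key schedule steps the NEW text describes, using HKDF over SHA-256 from the standard library only; the DH shared secret and external PSK are constructed sample values, and `handshake_secret` is a name chosen here, not an API from any TLS library.

```python
# Added example: TLS 1.3 key schedule (RFC 8446, Section 7.1) with HKDF over
# SHA-256, showing that an external PSK fed into the Early Secret changes the
# Handshake Secret even when the (EC)DHE shared secret is known to an attacker.
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, 7.1): HKDF-Expand with the "tls13 " label prefix."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big")
            + len(full_label).to_bytes(1, "big") + full_label
            + len(context).to_bytes(1, "big") + context)
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(secret, prev + info + bytes([counter]), HASH).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) over Transcript-Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def handshake_secret(dh_shared: bytes, psk: bytes = b"") -> bytes:
    """Early Secret -> Handshake Secret. A certificate-only handshake uses a
    zero PSK (RFC 8446); the proposal in the thread feeds the out-of-band
    external PSK in at this step, so the result depends on PSK and (EC)DHE."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk or bytes(HASH_LEN))
    salt = derive_secret(early_secret, b"derived", b"")
    return hkdf_extract(salt, dh_shared)


# Constructed sample inputs (not real keys).
DH_SHARED = bytes.fromhex("11" * 32)
EXTERNAL_PSK = bytes.fromhex("a5" * 32)

if __name__ == "__main__":
    cert_only = handshake_secret(DH_SHARED)
    with_psk = handshake_secret(DH_SHARED, EXTERNAL_PSK)
    # Knowing DH_SHARED alone yields cert_only; with_psk also needs the PSK.
    print(cert_only.hex(), with_psk.hex(), cert_only != with_psk)
```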
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls