I patched the minutes with your change.

Best,
Chris
On Fri, Aug 10, 2018 at 2:42 PM Russ Housley <hous...@vigilsec.com> wrote:
>
> I suggest this change to the minutes:
>
> OLD:
>
> Russ: Current 1.3 key schedule uses a sig across (?). DH is the thing that
> drives the key schedule. Subsequent handshake based on resumption PSK or that
> and an additional DH result. Proposal: add an additional option to the initial
> hs to include an external PSK and combine with the DH. Want to do this for
> quantum protection, you've mixed in this external OOB-distro'd PSK so that any
> attacker has to get the PSK too. (See ladder diagram of where this would fit.)
> Syntax: boolean, present or not. If you negotiate, you'll agree to do that.
> Presently language in the spec that precludes PSK when certs are used. Wouldn't
> be used with a resumption, just external. Group of TLS peers would need to get
> the PSKs. If the quantum computer comes, have to compromise one of the numbers
> of the group to compromise the PSK. Ask: WG adopt as a work item, then review
> and comment.
>
> NEW:
>
> Russ: In TLS 1.3, initial handshake authentication is based on certificate and
> signature, and DH shared secret drives the key schedule. In a subsequent
> handshake, authentication is based on resumption PSK, and the key schedule is
> driven by the resumption PSK or the resumption PSK plus an additional DH
> shared secret. Proposal: add an additional option to the initial handshake to
> include an external PSK that is combined with the DH shared secret. Want to do
> this for quantum protection; the external PSK must be distributed out of band.
> An attacker with a quantum computer needs to learn the external PSK to crack
> the key schedule. (See ladder diagram of where this would fit.) Syntax: a
> boolean; the TLS extension is present or not. If the extension is negotiated,
> the client and server agree to include the external PSK in the key schedule.
> Presently language in TLS 1.3 precludes PSK when certs are used. The external
> PSK wouldn't be used for resumption, just initial handshake. Group of TLS
> peers would need the same PSK and identifier. If the quantum computer comes
> along, the attacker would have to compromise one of the members of the group
> to obtain the PSK. Ask: WG adopt as a work item, then review and comment.
>
> Russ
>
> > On Aug 10, 2018, at 11:40 AM, Christopher Wood <christopherwoo...@gmail.com>
> > wrote:
> >
> > Thanks for pointing out this formatting issue, Russ. I updated the notes in
> > an attempt to improve readability. Please have a look and let me know if you
> > see other (or new) issues.
> >
> > Best,
> > Chris
> >
> > On 9 Aug 2018, at 21:53, Kaarthik Sivakumar wrote:
> > >
> > > Could be line ending issues - I see something like these when switching
> > > between different OSes.
> > >
> > > -kaarthik-
> > >
> > > On 10/08/18 03:37, Russ Housley wrote:
> > > >
> > > > I do not understand the formatting. Are the '*' characters supposed to be
> > > > bullets? If so, them appearing in the middle of paragraphs is confusing.
> > > >
> > > > Russ
> > > >
> > > > > On Jul 28, 2018, at 1:32 PM, Christopher Wood <christopherwoo...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > Minutes for both TLS sessions at IETF 102 have been uploaded:
> > > > > https://datatracker.ietf.org/doc/minutes-102-tls/
> > > > >
> > > > > Many thanks to Joe Hall and Gurshabad Grover for taking detailed notes.
> > > > >
> > > > > Please review the minutes and check for inaccuracies. If anything is
> > > > > incorrect, please let the chairs know ASAP.
> > > > >
> > > > > Thanks,
> > > > > Chris, Joe, and Sean
> > > > >
> > > > > _______________________________________________
> > > > > TLS mailing list
> > > > > TLS@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/tls