On Wed, Jul 05, 2023 at 09:26:57AM +0200, Thom Wiggers wrote:
> Hi Ilari,
>
> Thanks for pointing this out. I will admit I am pretty unaware of the
> additional constraints that DTLS has, but I will try to look at this issue
> in more detail. In the meantime, I would also appreciate it if people who
> are also concerned about AuthKEM+DTLS share their interest and concerns, as
> that will help with their visibility and maybe give me a list of people to
> ask questions to :)
Actually, the changes might not be quite so nasty:

- The DTLS epoch numbering needs to be changed: If AuthKEM is used, then epoch 3 needs to be the authenticated_handshake epoch instead of the application_0 epoch, which is pushed to epoch 4, and that then pushes the other application epochs one number forward.
- Fortunately, even if there are 5 active epochs during the handshake, the 2 bits in the DTLS header are still enough, because one of those is plaintext and can be recognized from the record types used.
- There actually might be a chance to make the early auth work. However, there are subtle details:
  * The certificate being a message, it is subject to acknowledgements. However, the server hello must be logically before it. This is required to meet the acknowledgment epoch rule.
  * The server flight needs to be broken into two just before the server Finished, the first part being unordered with the certificate, and the second being the next flight. This is required to have the certificate available for computing Finished, and to meet the implicit acknowledgment rule.

Of course, even if the theoretical changes are not so nasty, those can still play absolute hell with implementations. And there could be some other gotcha I have not considered.

And then it occurred to me earlier today that web browsers might not like the abbreviated AuthKEM very much: They really do not like to use DNS for server authentication, instead preferring to use certificates sent in-band. Of course, adding a certificate message would duplicate the key information, which is a footcannon.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls