Hi Peter, Mike

Peter Gutmann wrote:

> Just because it's possible to rules-lawyer your way around something doesn't
> make it valid (I also see nothing in the spec saying a TLS 1.3 implementation
> can't reformat your hard drive, for example, so presumably that's OK too).
> The point is that P256 is a MTI algorithm and Chrome doesn't provide any MTI
> keyex in its client hello, making it a noncompliant TLS 1.3 implementation.

As Nick quoted from the spec:

> A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256)

Chrome advertises support for P-256 in the supported groups extension. As a factual matter, Chrome can successfully connect to a site that only implements support for P-256. I cannot find any basis for Peter's claims in the spec.

Ekr wrote:

> One more thing: we are finalizing RFC 8446-bis right now, so if there is
> WG consensus to require that clients offer all MTI curves in the key_shares
> of their initial CH, then that would be a straightforward text change.

I think we are closer to going in the other direction and allow TLS1.3 spec-compliant implementations aiming at post-quantum support to drop support for P-256 entirely.

Best,
Dennis

On 05/06/2024 14:34, Peter Gutmann wrote:
> Mike Shaver <mike.sha...@gmail.com> writes:
>
>> You mentioned in another message that some embedded TLS implementations also
>> omit MTI support for code size or attack surface reasons.
>
> They don't omit MTI support, they *only* support MTI (think Grigg's Law,
> "there is only one mode and that is secure").  So when faced with an
> implementation that doesn't, they can't talk to each other.
>
>> do you have any sense of why Chrome chose to omit this MTI support?
>
> I suspect it's just because Google does whatever Google wants to (see e.g.
> https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/,
> section "The Warnings").  This may not be politically expedient to say out
> loud :-).
>
> Peter.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
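
The distinction argued over in this thread, between listing a group in the supported groups extension and sending a key share for it in the initial ClientHello, is shown here as an added example that is not part of any message in the thread. The extension bodies are constructed sample bytes, the function names are hypothetical, and the layouts follow RFC 8446.

```python
import struct

SECP256R1 = 0x0017  # NamedGroup code points from RFC 8446, section 4.2.7
X25519 = 0x001D

def parse_supported_groups(data: bytes) -> list[int]:
    """supported_groups extension_data: uint16 byte length, then uint16 groups."""
    if len(data) < 2:
        raise ValueError("truncated supported_groups")
    (n,) = struct.unpack_from("!H", data, 0)
    if n != len(data) - 2 or n % 2:
        raise ValueError("bad supported_groups length")
    return [g for (g,) in struct.iter_unpack("!H", data[2:])]

def parse_key_share_groups(data: bytes) -> list[int]:
    """ClientHello key_share extension_data: return the group of each KeyShareEntry."""
    if len(data) < 2:
        raise ValueError("truncated key_share")
    (n,) = struct.unpack_from("!H", data, 0)
    if n != len(data) - 2:
        raise ValueError("bad key_share length")
    groups, off = [], 2
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", data, off)
        off += 4 + klen  # skip the opaque key_exchange bytes
        if off > len(data):
            raise ValueError("truncated key_exchange")
        groups.append(group)
    return groups

def offer_status(sg: bytes, ks: bytes, group: int = SECP256R1) -> str:
    """Say how a ClientHello offers `group` (hypothetical helper)."""
    if group in parse_key_share_groups(ks):
        return "key_share"              # no HelloRetryRequest needed for this group
    if group in parse_supported_groups(sg):
        return "supported_groups_only"  # selecting it requires a HelloRetryRequest
    return "not_offered"

# Constructed sample, not a capture: both groups advertised, one key share sent.
SAMPLE_SG = struct.pack("!HHH", 4, X25519, SECP256R1)
SAMPLE_KS = struct.pack("!HHH", 36, X25519, 32) + bytes(32)  # zeroed placeholder key

if __name__ == "__main__":
    for name, g in (("secp256r1", SECP256R1), ("x25519", X25519)):
        print(name, offer_status(SAMPLE_SG, SAMPLE_KS, g))
```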