Muhammad Usama Sardar wrote:

>Do we have an I-D which defines how long do we consider as long-term
>connections? or I-D which gives recommendations or best practices for how long
>do we consider TLS 1.3 to provide excellent security?

- One clear timepoint is when the server certificate expires. TLS 1.3 removed the ability to do server reauthentication.

- RFC 4253 recommends rekeying with PFS after each gigabyte of transmitted data or after each hour of connection time.

- French ANSSI recommends periodic rekeying with PFS, e.g. every hour and every 100 GB of data, in order to limit the impact of a key compromise.
  https://cyber.gouv.fr/sites/default/files/2015/09/NT_IPsec_EN.pdf

- The chief cryptographer of the Swedish NCSA states that asymmetrically distributed keys can be refreshed at very frequent intervals and that options include continuously re-negotiating the encryption keys, and chaining the negotiations, so that the adversary has to record and store an uninterrupted sequence of negotiations, and then break them in sequence.
  http://kth.diva-portal.org/smash/get/diva2:1902626/FULLTEXT01.pdf

So 1 hour, 1-100 GB, or server cert expiry date, whichever comes sooner?

You could also argue that with blazingly fast algorithms like X25519 and ML-KEM and much faster hardware, best practices have changed since 2006 and excellent security is now asymmetric rekeying at very frequent intervals with chaining; this is, e.g., what Signal does.

>If the intention of draft was #2 above, cross-reading with this sentence, are
>we implying that PQC is not an urgent security issue?

That is a very good point. I suggest changing this to

OLD: “This document specifies that outside of urgent security fixes, no new features will be approved for TLS 1.2”

NEW: “This document specifies that, no new features will be approved for TLS 1.2”

(TLS WG can always make a future RFC overriding this anyway…)

>It looks like a more detailed version of tls12-frozen draft. Is there a good
>reason not to merge the two documents?

I had the same thought. I think they would be better as a single document. But I don’t care very much.

>What does the capitalization of WILL NOT mean?
Yes, and it is not in RFC 6919 either… ;)

Cheers,
John

From: Muhammad Usama Sardar <muhammad_usama.sar...@tu-dresden.de>
Date: Friday, 6 December 2024 at 18:33
To: Valery Smyslov <smyslov.i...@gmail.com>, 'Sean Turner' <s...@sn3rd.com>, 'TLS List' <tls@ietf.org>
Subject: [TLS] Re: Working Group Last Call for TLS 1.2 is in Feature Freeze

A few quick questions. Sorry if I am missing something obvious or some background.

On 04.12.24 08:04, Valery Smyslov wrote:

> note, that UTA WG has issued a WGLC for draft-ietf-uta-require-tls13-02 (New Protocols Must Require TLS 1.3) [1].
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-uta-require-tls13/

Thanks for pointer to this. It looks like a more detailed version of tls12-frozen draft. Is there a good reason not to merge the two documents? Is it due to different WGs? or different intended status? or something else?

On 04.12.24 10:36, John Mattsson wrote:

> as-is, TLS 1.3 does not provide excellent security for long-term connections.

Do we have an I-D which defines how long do we consider as long-term connections? or I-D which gives recommendations or best practices for how long do we consider TLS 1.3 to provide excellent security?

---

Considering the following two statements in I-D, I have two questions:

> For TLS it is important to note that the focus of these efforts is
> TLS 1.3 or later. Put bluntly, post-quantum cryptography for TLS 1.2
> WILL NOT be supported.

To me the two sentences are contradicting. Which one of the following is intended?

1. (My understanding from 1st sentence) Some PQC support for TLS 1.2 will still continue but it will not be the focus.
2. (My understanding from 2nd sentence) We will exclusively work on PQC for TLS 1.3 or later.

What does the capitalization of WILL NOT mean? I did not find any such capitalization in RFC 2119 and RFC 8174. Please add the relevant RFC in section 2 or define it.

> This document specifies that outside of urgent security fixes, no new
> features will be approved for TLS 1.2.

If the intention of draft was #2 above, cross-reading with this sentence, are we implying that PQC is not an urgent security issue?