draft-ietf-tls-8773bis has been in the “Held By WG” state since the Update to Standards Track / Working Group Last Call ended on 01 January 2024, see [0]. On 23 August 2024, we issued a consensus call to determine whether to require formal analysis in the symbolic model; see [1]. Between then and now, we tweaked the process somewhat to introduce a FATT point person and better described the process; see [2]. As a result, we:
1) Identified a FATT point person; Britta Hale generously offered to act as the point person for this draft - many thanks.
2) Received a FATT review report for draft-ietf-tls-8773bis; see [3] and please note the usage restrictions - many thanks again to the FATT members who participated in the review and to Britta for pulling it together.

From that report, we would like to note the following:

Reviewer comments highlighted that the [-8773bis] technical changes to TLS through use of PSK are unlikely to introduce vulnerabilities to TLS in its current form, which should allay concerns from developers who rely on TLS security as-is and may have reservations about issues introduced by [-8773bis]. However, there were concerns about the claims of security offered under a quantum attacker and the [-8773bis] technical changes not aligning.

To resolve the FATT comments, two courses of action were presented, namely reducing/revising security claims or seeking an analysis. Russ, the author, made adjustments to some of the security claims in the draft (see [4]) specially addressing some reviewer concerns about authenticity claims from the PSK.

Some FATT open notes still remain, specifically that the draft claims continued TLS security against HNDL attacks. However, since the draft allows PSK reuse as well as group use, under a quantum attacker the draft does not provide “TLS security” but some form of group-like static key protection without the FS guarantees TLS now provides nor uniqueness of session keys. While this is not an issue with group PSKs under traditional attackers for the reason that the rest of the TLS handshake ensures unique client-server channel keys, it is an issue under a quantum attacker, which is the scenario that this draft claims TLS security against.

The FATT recommendation was to select one of the following courses of action:
a) restrict such PSK from reuse and group use to better match the intended TLS security,
b) reduce or remove security claims on the TLS security provided under a quantum attacker, or
c) seek analysis that will break down the exact security model that the draft provides and ensure the security considerations section matches that model.

We will have time to discuss this at the IETF 122 meeting in Bangkok and will run a consensus call on the way forward soon after.

Cheers,
Sean, Deirdre, and Joe

[0] Link to Update to Standards Track/Working Group Last Call completion message: https://mailarchive.ietf.org/arch/msg/tls/YLDjIzpwNB17dYlxmCPv-G3IdSk/
[1] Link to Consensus Call for Formal Analysis Requirement message: https://mailarchive.ietf.org/arch/msg/tls/M-ZBViaDQ0adftLrjZfZ-l7BMfI/
[2] Link to FATT process: https://github.com/tlswg/tls-fatt
[3] Link to FATT report: https://github.com/tlswg/rfc8773bis/blob/main/fatt-review/IETF%20FATT%20Report%20-%208773bis.pdf
[4] Link to diffs: https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-8773bis-04&url2=draft-ietf-tls-8773bis-05&difftype=--hwdiff