Hi TLS working group,
Draft [draft-ietf-tls-extended-key-update] proposes to add a public-key
exchange-based method that can be used in place of the regular KeyUpdate
mechanism in TLS (which only hashes the application keys). In this manner,
Extended Key Update (EKU) aims to achieve post-compromise security.
The Formal Analysis Triage Team [FATT] was asked to form an opinion on
draft-ietf-tls-extended-key-update. This was briefly discussed between
ourselves and I was asked to be "point person" for this draft: i.e., I will be
presenting a summary of the discussion and its conclusion.
This report can be found at [slides] and I will present these slides in the
second meeting of the TLS wg next week (Friday). Our conclusion is that the
extension proposed changes the security properties of TLS 1.3 and does not fit
well in existing analyses of TLS 1.3 – the slides try to explain this gap. I
have also included an example of the subtleties that can have an effect on the
ability to (easily) prove things.
Note that this does not mean that the mechanism proposed is or was insecure. We
also thank the authors for their quick feedback when I had questions. It is
also important to note that the FATT is not a gatekeeper for any TLS working
group consensus call; it only intends to inform it.
Cheers,
Thom Wiggers
[draft-ietf-tls-extended-key-update]:
https://datatracker.ietf.org/doc/draft-ietf-tls-extended-key-update/
[FATT]: https://github.com/tlswg/tls-fatt
[report]:
https://datatracker.ietf.org/meeting/125/materials/slides-125-tls-sessa-fatt-report-on-eku-00