Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-11-06 Thread David Benjamin
Yup, that's right! (Ah yeah, it was confusing to talk about key shares reflecting preferences because we might be talking about the relative order or which were included or omitted. I was thinking the latter since the relative order already comes from supported_groups. I.e. I was thinking of the

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-11-05 Thread Eric Rescorla
Hi David, Thanks for posting this and for the discussion on the list. Before commenting on this proposal, I'd like to make sure we're all on the same page about the situation. # Background 1. RFC 8446 states that both supported_groups and key_shares are in client's preference order but

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-25 Thread Loganaden Velvindron
I support adoption of this document. On Tue, 26 Sept 2023 at 20:46, David Benjamin wrote: > > Hi all, > > A while back, we discussed using a DNS hint to predict key shares and reduce > HelloRetryRequest, but this was dropped due to downgrade issues. In thinking > through post-quantum KEMs and

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-16 Thread Rob Sayre
On Mon, Oct 16, 2023 at 9:18 AM David Benjamin wrote: > I've thus rephrased it in terms of just one group, which I think is much > tidier. How does this look to you? > > https://github.com/davidben/tls-key-share-prediction/commit/310fa7bbddd1fe0c81e3a6865a59880efc901b33 > I agree with the

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-16 Thread David Benjamin
On Fri, Oct 13, 2023 at 1:29 AM Rob Sayre wrote: > On Wed, Oct 11, 2023 at 8:43 AM David Benjamin > wrote: > >> Tossed onto GitHub and removed the discussion of authenticated records >> in >> https://github.com/davidben/tls-key-share-prediction/commit/cabd76f7b320ab4f970f396db3d962ca9f510875

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-12 Thread Rob Sayre
On Wed, Oct 11, 2023 at 8:43 AM David Benjamin wrote: > Tossed onto GitHub and removed the discussion of authenticated records in > https://github.com/davidben/tls-key-share-prediction/commit/cabd76f7b320ab4f970f396db3d962ca9f510875 > Apologies in advance for this one, but what is the document

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-10 Thread Bas Westerbaan
> But if we can at least make it secure, that gives us a bit more breathing > room in case anyone needs it. > For those who missed it: we need it for Edge -> Origin connections, as some origins do break on split ClientHello. (See e-mail Sept 29th.)

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-10 Thread David Benjamin
On Tue, Oct 10, 2023 at 1:24 PM Bas Westerbaan wrote: > OK, I see. It's worse than a compatibility risk, though, isn't it? If you >> just let them break in case (a), and then maybe try again with (b), that >> opens up a downgrade attack. Intermediaries can observe the size of the >> Client Hello

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-10 Thread Bas Westerbaan
> > OK, I see. It's worse than a compatibility risk, though, isn't it? If you > just let them break in case (a), and then maybe try again with (b), that > opens up a downgrade attack. Intermediaries can observe the size of the > Client Hello and make it break > Exactly.

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-10 Thread Rob Sayre
On Tue, Oct 10, 2023 at 10:01 AM David Benjamin wrote: > On Tue, Oct 10, 2023 at 12:42 PM Rob Sayre wrote: > >> On Tue, Oct 10, 2023 at 8:28 AM David Benjamin >> wrote: >> >>> On Tue, Oct 10, 2023 at 6:06 AM Dennis Jackson >> wrote: >>> To make sure

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-10 Thread David Benjamin
On Tue, Oct 10, 2023 at 12:42 PM Rob Sayre wrote: > On Tue, Oct 10, 2023 at 8:28 AM David Benjamin > wrote: > >> On Tue, Oct 10, 2023 at 6:06 AM Dennis Jackson > wrote: >> >>> To make sure I've understood correctly, we're trying to solve three >>> problems:

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-10 Thread Rob Sayre
On Tue, Oct 10, 2023 at 8:28 AM David Benjamin wrote: > On Tue, Oct 10, 2023 at 6:06 AM Dennis Jackson wrote: > >> To make sure I've understood correctly, we're trying to solve three >> problems: >> >>- Some servers don't tolerate large Client Hellos >>

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-02 Thread Bas Westerbaan
> If the client is happy with either X25519 alone or X25519Kyber768, why not > send shares for both in the first ClientHello? > This is what Chrome does, and what we do if the user opts for "preferred" mode. [1] Would be good if draft-tls-westerbaan-xyber768d00 either mentions this as a >

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-10-02 Thread Joseph Birr-Pixton
On Fri, 29 Sept 2023 at 15:45, Bas Westerbaan wrote: > We have been investigating turning on post-quantum key agreement for > connections from Cloudflare to origin servers. In testing, we found that > 0.34% of origins will fail to establish a connection if we send > X25519Kyber768Draft00

Re: [TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-09-29 Thread Bas Westerbaan
This is a useful and very timely draft — I would like to see it adopted. I'll argue it's more urgent than sketched by David. We have been investigating turning on post-quantum key agreement for connections from Cloudflare to origin servers. In testing, we found that 0.34% of origins will fail to

[TLS] Fwd: New Version Notification for draft-davidben-tls-key-share-prediction-00.txt

2023-09-26 Thread David Benjamin
Hi all, A while back, we discussed using a DNS hint to predict key shares and reduce HelloRetryRequest, but this was dropped due to downgrade issues. In thinking through post-quantum KEMs and the various transitions we'll have in the future, I realized we actually need to address those downgrade