>While renegotiation will never be re-added, there is post-handshake >authentication (RFC 8446, section 4.6.2), and while that is currently >about authenticating the _client_ to the server, it should be trivial to >extend the protocol to support re-authenticating the server to the >client as well.
I think the current Post-Handshake authentication is not really suitable for long-term connections. It assures that the other party is still alive but it does not shut out any other third parties with access to application_traffic_secret_N. Such parties may have gotten the key with or without collaboration with one of the nodes. Agree that the negotiation part of renegotiation should not come back. Below is a sketch of what I think would be needed Post-Handshake for DTLS/SCTP with DTLS 1.3: {KeyShareEntry} --------> {KeyShareEntry} {CertificateVerify} <-------- {Finished} {CertificateVerify} {Finished} --------> Derive-Secret( ... ) = exporter_secret_N Cheers, John -----Original Message----- From: Nico Williams <n...@cryptonector.com> Date: Friday, 5 March 2021 at 18:35 To: John Mattsson <john.matts...@ericsson.com> Cc: "Fries, Steffen" <steffen.fr...@siemens.com>, "TLS@ietf.org" <tls@ietf.org> Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections On Fri, Mar 05, 2021 at 05:01:04PM +0000, John Mattsson wrote: > On Friday, 5 March 2021 at 15:02, Fries, Steffen wrote: > > I've got a question regarding application of TLS 1.3 to protect long > > lasting connections. Specifically on the trigger to perform a > > revocation check for the utilized certificates in the handshake. You can perform OCSP or CRL checks on the RPs at any time. You don't need a protocol trigger for it. You can use a timer. The issue is that the EE certificate (or intermediates in the chain perhaps) could expire or be replaced before the connection ends, and then you might want the EE to present a new certificate and, if for a new key, then also a proof of possession. One could use session renegotiation back when it existed, but it does not now. > > Hence the question if there is a feature in TLS 1.3, which would > > provide the functionality to invoke a mutual certificate based > > authentication. While renegotiation will never be re-added, there is post-handshake authentication (RFC 8446, section 4.6.2), and while that is currently about authenticating the _client_ to the server, it should be trivial to extend the protocol to support re-authenticating the server to the client as well. Authenticating the client to the server and vice-versa would be independent, at least when using certificates, though not so much when using PSK. Each relying party would send a CertificateRequest message on a timer based on local configuration of certificate freshness policy and/or the peer's certificate's expiration time, or whatever you like. Nico -- _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls