+1

Reading RFC 8773, I feel at least a tension and maybe a contradiction between the stated motivation, resisting quantum analysis by combining an [EC]DH derived secret and a PSK, and the use of the PSK alone to derive the early secret. If the early secret is used for 0-RTT, then the adversary has some information that only depends on the PSK. That information might be used to facilitate the attack on [EC]DH+PSK, especially if the PSK is not strong enough to resist quantum analysis.

At this point, this consideration is only a gut feeling. A formal analysis would either dispel my weak guess, or confirm it and result in specific recommendations such as not using the early secret. Plus, the formal analysis might also find other issues, behind this one.

-- Christian Huitema

On 12/3/2023 2:00 PM, Eric Rescorla wrote:
To respond directly to the call: I think we should require some level of
formal analysis for this kind of extension.

If there is some, I think the WG should look at it to determine whether
it's sufficient. If there isn't I think this should remain at experimental.
Not having a normative downref is not a good reason; those are trivial to
manage.

-Ekr


On Sun, Dec 3, 2023 at 12:28 PM Deirdre Connolly <durumcrustu...@gmail.com>
wrote:

Whoops wrong one, strike that

On Sun, Dec 3, 2023, 3:28 PM Deirdre Connolly <durumcrustu...@gmail.com>
wrote:

At least one bit of work:
https://dl.acm.org/doi/abs/10.1145/3548606.3559360

On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla <e...@rtfm.com> wrote:

What do we have in terms of formal analysis for this extension?

-Ekr


On Fri, Dec 1, 2023 at 11:40 AM Russ Housley <hous...@vigilsec.com>
wrote:

I think this should move forward.  I am encouraged that at least two
people have spoken to me about their implementations.

Russ

On Nov 29, 2023, at 10:51 AM, Joseph Salowey <j...@salowey.net> wrote:

RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with
an External Pre-Shared Key) was originally published as experimental due to
lack of implementations. As part of implementation work for the EMU
workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is
ongoing implementation work. Since the implementation status of RFC 8773 is
changing, this is a consensus call to move RFC 8773 to standards track as
reflected in [RFC8773bis](
https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis). This will
also help avoid downref for the EMU draft.  Please indicate if you approve
of or object to this transition to standards track status by December 15,
2023.

Thanks,

Joe, Sean, and Deirdre
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
