At IETF 104, I presented a slide with informal reasoning about TLS 1.3 Security.
Authentication:
The certificate processing is exactly the same. It is not better or worse.
Key Schedule computation of Early Secret:
– Initial Handshake
Without extension: HKDF-Extract(0, 0)
With extension: HKDF-Extract(ExternalPSK, 0)
– Subsequent Handshake No changes.
Conclusion: Any entropy contributed by the External PSK can only make the Early
Secret better; the External PSK cannot make it worse.
I will be glad to work with someone that already has things set up for TLS 1.3
without this extension to do a more formal analysis.
Russ
> On Dec 3, 2023, at 5:00 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> To respond directly to the call: I think we should require some level of
> formal analysis for this kind of extension.
>
> If there is some, I think the WG should look at it to determine whether it's
> sufficient. If there isn't I think this should remain at experimental. Not
> having a normative downref is not a good reason; those are trivial to manage.
>
> -Ekr
>
>
> On Sun, Dec 3, 2023 at 12:28 PM Deirdre Connolly <durumcrustu...@gmail.com
> <mailto:durumcrustu...@gmail.com>> wrote:
>> Whoops wrong one, strike that
>>
>> On Sun, Dec 3, 2023, 3:28 PM Deirdre Connolly <durumcrustu...@gmail.com
>> <mailto:durumcrustu...@gmail.com>> wrote:
>>> At least one bit of work:
>>> https://dl.acm.org/doi/abs/10.1145/3548606.3559360
>>>
>>> On Sun, Dec 3, 2023, 3:23 PM Eric Rescorla <e...@rtfm.com
>>> <mailto:e...@rtfm.com>> wrote:
>>>> What do we have in terms of formal analysis for this extension?
>>>>
>>>> -Ekr
>>>>
>>>>
>>>> On Fri, Dec 1, 2023 at 11:40 AM Russ Housley <hous...@vigilsec.com
>>>> <mailto:hous...@vigilsec.com>> wrote:
>>>>> I think this should move forward. I am encouraged that at least two
>>>>> people have spoken to me about their implementations.
>>>>>
>>>>> Russ
>>>>>
>>>>>> On Nov 29, 2023, at 10:51 AM, Joseph Salowey <j...@salowey.net
>>>>>> <mailto:j...@salowey.net>> wrote:
>>>>>>
>>>>>> RFC 8773 (TLS 1.3 Extension for Certificate-Based Authentication with an
>>>>>> External Pre-Shared Key) was originally published as experimental due to
>>>>>> lack of implementations. As part of implementation work for the EMU
>>>>>> workitem draft-ietf-emu-bootstrapped-tls which uses RFC 8773 there is
>>>>>> ongoing implementation work. Since the implementation status of RFC 8773
>>>>>> is changing, this is a consensus call to move RFC 8773 to standards
>>>>>> track as reflected in
>>>>>> [RFC8773bis](https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis).
>>>>>> This will also help avoid downref for the EMU draft. Please indicate if
>>>>>> you approve of or object to this transition to standards track status by
>>>>>> December 15, 2023.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Joe, Sean, and Deirdre
>>>>>>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
