Hi Tony,

Remarks below.

-----Original Message-----
From: Tony Putman [mailto:[email protected]]
Sent: 06 December 2017 15:33
To: Ludwig Seitz; Hannes Tschofenig
Cc: [email protected]
Subject: RE: [Ace] Independent I-D for new TLS authentication (triple-ECDH)

Ludwig, Hannes,

The differences with RFC7250 are twofold:

1. The raw public keys are not exchanged in the handshake sequence. Even with cached info (RFC7924), a fingerprint of the certificate (or raw public key) is exchanged. Also, a ClientVerify message is needed if mutual authentication is required (which is automatic with 3ECDH). These extra elements add to the size of the handshake exchange. They also identify the sender (whereas my draft encrypts the client identity), which can be an issue if privacy of the session endpoints is important.

[Hannes] It is true that the raw public keys are exchanged unless you use cached info where only the fingerprint of the client side raw public key is provided. For the privacy aspect you are also correct for TLS / DTLS 1.2 but 1.3 changes this procedure.

2. ECDH cannot be used as a raw public key; instead ECDSA or EdDSA is needed. But ECDH is also needed if the handshake includes perfect forward secrecy (highly recommended/mandatory, depending on usage). Therefore the client has to implement two algorithms and may need to implement fast versions of both of them to reduce latency in session establishment. Using 3ECDH, the client only needs a single algorithm; if EdDSA is needed anyway (e.g. for code signing), then a slow version may be used which saves code-space and data-space.

[Hannes] It is true that the raw public key RFC does not use long-term ECDH keys but instead uses those only in an ephemeral way. I would consider it a design feature rather than a bug.

[Hannes] Thanks for clarifying your design.
What I am wondering is, however, whether the issues you raised are a concern in deployments (I haven't heard them) and whether it makes sense to continue working on TLS / DTLS 1.2 when 1.3 is already looming on the horizon where the raw public key mode is nicely integrated as well.

Ciao
Hannes

--
Tony

> -----Original Message-----
> From: Ace [mailto:[email protected]] On Behalf Of Ludwig Seitz
>
> Hi Tony,
>
> could you explain the differences between your draft and the (D)TLS
> handshake with raw public keys (https://tools.ietf.org/html/rfc7250)?
>
> /Ludwig
