Re: [TLS] KeyUpdate and unbounded write obligations

2016-09-01 Thread Eric Rescorla
On Thu, Sep 1, 2016 at 2:29 PM, Ilari Liusvaara wrote: > On Thu, Sep 01, 2016 at 02:20:02PM -0700, Eric Rescorla wrote: > > On Thu, Sep 1, 2016 at 2:09 PM, Ilari Liusvaara < > ilariliusva...@welho.com> > > wrote: > > > > > I tried to implement this, and discovered an

[TLS] Finished stuffing

2016-09-01 Thread Eric Rescorla
Folks, I have just posted a WIP PR for what I'm calling "Finished Stuffing" https://github.com/tlswg/tls13-spec/pull/615 I would welcome comments on this direction and whether I am missing anything important. OVERVIEW This PR follows on a bunch of discussions we've had about the redundancy

Re: [TLS] Finished stuffing

2016-09-01 Thread Eric Rescorla
I should also mention that this makes the implementation a fair bit simpler because: 1. You can make all the decisions on the server side immediately upon receiving the ClientHello without waiting for Finished. 2. You don't need to derive early handshake traffic keys. >From an implementor's

Re: [TLS] KeyUpdate and unbounded write obligations

2016-09-01 Thread Eric Rescorla
I have created a PR for this at: https://github.com/tlswg/tls13-spec/pull/611 As it seems there was rough consensus for this change, I will merge this weekend absent some violent objections or direction to the contrary from the chairs. -Ekr On Mon, Aug 29, 2016 at 3:06 PM, Russ Housley

Re: [TLS] KeyUpdate and unbounded write obligations

2016-09-01 Thread Eric Rescorla
On Thu, Sep 1, 2016 at 2:09 PM, Ilari Liusvaara wrote: > On Thu, Sep 01, 2016 at 12:55:29PM -0700, Eric Rescorla wrote: > > I have created a PR for this at: > > https://github.com/tlswg/tls13-spec/pull/611 > > > > As it seems there was rough consensus for this change, I

Re: [TLS] KeyUpdate and unbounded write obligations

2016-09-01 Thread David Benjamin
On Thu, Sep 1, 2016 at 5:29 PM Ilari Liusvaara wrote: > On Thu, Sep 01, 2016 at 02:20:02PM -0700, Eric Rescorla wrote: > > On Thu, Sep 1, 2016 at 2:09 PM, Ilari Liusvaara < > ilariliusva...@welho.com> > > wrote: > > > > > I tried to implement this, and discovered an

Re: [TLS] TLS 1.3 -> TLS 2.0?

2016-09-01 Thread Judson Wilson
> > FWIW, I've definitely seen real-world confusion about SSLv3 being a more > recent protocol than TLS 1.X, by organizations that should know better. If > there's interest and consensus, this could be a good opportunity to reset > the situation with TLS/2 or TLS 4.0. > > I like TLS/2

Re: [TLS] [Cfrg] 3DES diediedie

2016-09-01 Thread Joachim Strömbergson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Aloha! Hilarie Orman wrote: > An ARM is far too much hardware to throw at "read sensor/munge > data/send data". No, they are not. The Cortex M0+ is aimed at these kinds of very simple systems that runs for many years on a single battery. Look at

Re: [TLS] TLS 1.3 -> TLS 2.0?

2016-09-01 Thread Joseph Lorenzo Hall
+1 On Wed, Aug 31, 2016 at 7:05 PM, Richard Barnes wrote: > I am in total agreement with Nick here. "TLS 1.3" accurately describes what > we're doing here, and it's consistent with our past naming scheme. > > There is no upside to changing away from 1.3, and as Nick notes, lots of

Re: [TLS] SHA-3 in SignatureScheme

2016-09-01 Thread Benjamin Kaduk
On 09/01/2016 12:38 PM, Hubert Kario wrote: > The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 > include signatures with those hashes then? Why does it need to be part of the core spec instead of a separate document? > 1 -

Re: [TLS] [Cfrg] 3DES diediedie

2016-09-01 Thread Kyle Rose
On Mon, Aug 29, 2016 at 5:00 AM, Hubert Kario wrote: > > we have enough problems weeding out implementation mistakes in TLS, we > don't > need yet another protocol and two dozen implementations that come with it > Strongly agreed. Focusing energy on getting "something"

Re: [TLS] SHA-3 in SignatureScheme

2016-09-01 Thread Hubert Kario
On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 > > include signatures with those hashes then? > > Why does it need to be part of the core spec instead of

Re: [TLS] Terminology clarification around SSL & TLS

2016-09-01 Thread Julien ÉLIE
Hi, The technology is SSL, and is sometimes also refered to as SSL/TLS. please no. the technology is TLS. + i would like to continue to be able to say unambiguously that all known versions of SSL are badly broken and should be avoided. Let's not muddy those waters further. + Let's not use

Re: [TLS] TLS 1.3 -> TLS 2.0?

2016-09-01 Thread Adam Caudill
> On Aug 31, 2016, at 10:01 PM, Eric Mill wrote: > > > FWIW, I've definitely seen real-world confusion about SSLv3 being a more > recent protocol than TLS 1.X, by organizations that should know better. If > there's interest and consensus, this could be a good opportunity to

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Hubert Kario
On Wednesday, 31 August 2016 11:23:11 CEST Eric Rescorla wrote: > On Wed, Aug 31, 2016 at 11:14 AM, Hubert Kario wrote: > > Current draft has the following text in it: > > If any of these checks fail, the server MUST NOT respond > > with the extension and must discard

Re: [TLS] Terminology clarification around SSL & TLS

2016-09-01 Thread Dave Garrett
On Thursday, September 01, 2016 03:17:50 pm Julien ÉLIE wrote: > There's still something I find confusing: on the one hand, SSL is badly > broken and "diediedied", it is a proprietary protocol name, and the > consensus in the TLS WG seems to be "long live TLS" but on the other > hand major

Re: [TLS] SHA-3 in SignatureScheme

2016-09-01 Thread Dave Garrett
On Thursday, September 01, 2016 02:30:54 pm Scott Fluhrer (sfluhrer) wrote: > > On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > > > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > > > The SHA-3 standard is already published and accepted[1], shouldn't > > > > TLSv1.3 include

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Hubert Kario
On Thursday, 1 September 2016 05:48:02 CEST Eric Rescorla wrote: > On Thu, Sep 1, 2016 at 3:31 AM, Hubert Kario wrote: > > On Wednesday, 31 August 2016 11:23:11 CEST Eric Rescorla wrote: > > > On Wed, Aug 31, 2016 at 11:14 AM, Hubert Kario > > > > wrote: >

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Eric Rescorla
On Thu, Sep 1, 2016 at 3:31 AM, Hubert Kario wrote: > On Wednesday, 31 August 2016 11:23:11 CEST Eric Rescorla wrote: > > On Wed, Aug 31, 2016 at 11:14 AM, Hubert Kario > wrote: > > > Current draft has the following text in it: > > > If any of these

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread David Benjamin
On Thu, Sep 1, 2016 at 10:01 AM Eric Rescorla wrote: > On Thu, Sep 1, 2016 at 6:15 AM, Ilari Liusvaara > wrote: > >> On Thu, Sep 01, 2016 at 05:48:02AM -0700, Eric Rescorla wrote: >> > On Thu, Sep 1, 2016 at 3:31 AM, Hubert Kario

Re: [TLS] TLS 1.3 -> TLS 2.0?

2016-09-01 Thread Yoav Nir
> On 1 Sep 2016, at 6:31 PM, Dave Garrett wrote: > > On Thursday, September 01, 2016 02:05:25 am Judson Wilson wrote: >>> I like TLS/2 aesthetically, and represents a similar level of >>> progress/reset that HTTP saw when it jumped from 1.1 to /2. >> >> What is the

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Eric Rescorla
On Thu, Sep 1, 2016 at 8:46 AM, David Benjamin wrote: > On Thu, Sep 1, 2016 at 11:25 AM Eric Rescorla wrote: > >> On Thu, Sep 1, 2016 at 8:22 AM, Ilari Liusvaara > > wrote: >> >>> On Thu, Sep 01, 2016 at 02:29:00PM +, David

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Eric Rescorla
On Thu, Sep 1, 2016 at 6:15 AM, Ilari Liusvaara wrote: > On Thu, Sep 01, 2016 at 05:48:02AM -0700, Eric Rescorla wrote: > > On Thu, Sep 1, 2016 at 3:31 AM, Hubert Kario wrote: > > > > > > I'm afraid that requiring the server to keep the connection

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Eric Rescorla
On Thu, Sep 1, 2016 at 8:22 AM, Ilari Liusvaara wrote: > On Thu, Sep 01, 2016 at 02:29:00PM +, David Benjamin wrote: > > On Thu, Sep 1, 2016 at 10:01 AM Eric Rescorla wrote: > > > > > On Thu, Sep 1, 2016 at 6:15 AM, Ilari Liusvaara < >

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread David Benjamin
On Thu, Sep 1, 2016 at 11:25 AM Eric Rescorla wrote: > On Thu, Sep 1, 2016 at 8:22 AM, Ilari Liusvaara > wrote: > >> On Thu, Sep 01, 2016 at 02:29:00PM +, David Benjamin wrote: >> > On Thu, Sep 1, 2016 at 10:01 AM Eric Rescorla wrote:

Re: [TLS] [Cfrg] 3DES diediedie

2016-09-01 Thread Hilarie Orman
joac...@secworks.se writes: > Aloha! Aloha auinala. > Hilarie Orman wrote: > > An ARM is far too much hardware to throw at "read sensor/munge > > data/send data". > No, they are not. The Cortex M0+ is aimed at these kinds of very simple > systems that runs for many years on a single

Re: [TLS] TLSv1.2 connection renegotiation to TLSv1.3

2016-09-01 Thread Hubert Kario
done: https://github.com/tlswg/tls13-spec/pull/614 On Thursday, 1 September 2016 09:19:46 CEST Eric Rescorla wrote: > This should be prohibited. A PR for this would be welcome. > > -Ekr > > On Thu, Sep 1, 2016 at 9:07 AM, Hubert Kario wrote: > > I didn't notice in the -15

Re: [TLS] TLS 1.3 -> TLS 2.0?

2016-09-01 Thread Dave Garrett
On Thursday, September 01, 2016 02:05:25 am Judson Wilson wrote: > > I like TLS/2 aesthetically, and represents a similar level of > > progress/reset that HTTP saw when it jumped from 1.1 to /2. > > What is the slash in the name all about? Is it simply playing off the HTTP > start line

Re: [TLS] 0-RTT encrypted data limits

2016-09-01 Thread Ilari Liusvaara
On Thu, Sep 01, 2016 at 02:29:00PM +, David Benjamin wrote: > On Thu, Sep 1, 2016 at 10:01 AM Eric Rescorla wrote: > > > On Thu, Sep 1, 2016 at 6:15 AM, Ilari Liusvaara > >> > >> Should there be recommendation for clients to cut transfer and send >