Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Subodh Iyengar
With option (2) would the keys end up being independent anyway? I think we might need to share the sequence number space between the handshake messages and the application data messages to avoid truncation attacks. I might have missed this, but was there a proposal to deal with sequence numbers

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Björn Tackmann
Just to be clear: the "+1" I sent earlier meant "I agree with Karthik" -- so it means solution (2). > On Jun 14, 2016, at 1:18 PM, Blumenthal, Uri - 0553 - MITLL > wrote: > > Key reuse often ends up causing problems. IMHO a more sound approach is (2). > IMHO it isn't

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Will Serumgard
+2 Will Serumgard > On Jun 14, 2016, at 4:22 AM, Watson Ladd wrote: > > > On Jun 13, 2016 10:08 PM, "Karthikeyan Bhargavan" > wrote: > > > > I prefer (2) > > Same. It's clear 1 makes proofs more complicated, making mistakes easier to >

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Benjamin Dowling
I am in favour of option (2). Cheers Ben. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Ilari Liusvaara
On Tue, Jun 14, 2016 at 11:33:11AM +0300, Yoav Nir wrote: > > > (1) +1 > One important (for me) use case for handshake messages after the > original handshake is client certificate authentication. Disclosing > that the user has just touched the magic resource that causes > certificate

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Felix Günther
I also prefer (2). Cheers, Felix On 14/06/2016 14:45 +0200, Cas Cremers wrote: > It is not quite as simple as saying "(1) makes proofs more complicated" > since it depends on what you are trying to prove. > > (1) makes some styles of standard AKE property proofs (key secrecy, > authentication)

Re: [TLS] Adoption of TLS-LTS

2016-06-14 Thread Geoffrey Keating
Peter Gutmann writes: > Hubert Kario writes: > > >to be pedantic, the RFC describes itself "a profile" while in reality it > >modifies the protocol in a way that will make it incompatible with "vanilla" > >TLS 1.2 implementations > > Oh, right.

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Cas Cremers
It is not quite as simple as saying "(1) makes proofs more complicated" since it depends on what you are trying to prove. (1) makes some styles of standard AKE property proofs (key secrecy, authentication) harder (2) might make some privacy proofs harder Given that the proof-effort has mostly

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Blumenthal, Uri - 0553 - MITLL
Key reuse often ends up causing problems. IMHO a more sound approach is (2). IMHO it isn't prohibitively expensive either. Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.   Original Message   From: Björn Tackmann Sent: Tuesday, June 14, 2016 05:23 To: tls@ietf.org

Re: [TLS] [Technical Errata Reported] RFC5288 (4694)

2016-06-14 Thread Joseph Lorenzo Hall
s/it's/its/ in one place in your errata text, Aaron. On Tue, Jun 14, 2016 at 5:04 AM, Aaron Zauner wrote: > Hi, > > It's been a few weeks. We by now know of at least one other affected vendor. > I think this errata is valid and should be accepted. I'll take any feedback > and

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Björn Tackmann
+1 > On Jun 14, 2016, at 7:08 AM, Karthikeyan Bhargavan > wrote: > > I prefer (2) > >> On 13 Jun 2016, at 22:27, Daniel Kahn Gillmor wrote: >> >> On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote: >>> 1. Use the same key for

Re: [TLS] Closing on keys used for handshake and data messages

2016-06-14 Thread Björn Tackmann
Hi dkg, sorry for my late response. Let me start by saying that I do not believe that this is really critical; after all, we can prove alternative (1) as well — it’s just less clean and makes the proofs harder to write, read, and verify, which is generally not a good thing for a cryptographic

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Martin Thomson
On 13 June 2016 at 21:27, Daniel Kahn Gillmor wrote: > On Mon 2016-06-13 15:00:03 -0400, Joseph Salowey wrote: >> 1. Use the same key for handshake and application traffic (as in the >> current draft-13) >> > > or >> >> 2. Restore a public content type and different keys

Re: [TLS] Consensus call for keys used in handshake and data messages

2016-06-14 Thread Yoav Nir
> On 13 Jun 2016, at 10:00 PM, Joseph Salowey wrote: > > For background please see [1]. > > Please respond to this message indicating which of the following options you > prefer by Monday June, 20, 2016 > > 1. Use the same key for handshake and application traffic (as in