Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-03-10 Thread Russ Housley
Thanks. I agree. I think that the existing text is more helpful to the implementer. If the details of the analysis go in the document, it should be in the security considerations. Russ > On Mar 9, 2017, at 9:18 PM, Sean Turner wrote: > > After many emails about the

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-03 Thread Yoav Nir
Hi As an implementer I have no problem counting records, bytes or blocks (OK, the last you usually don’t count directly but (n+15)/16 is not beyond the capabilities of any implementer) So IMO whichever gives the tightest bound should be selected, and that means blocks. Exercising the rekey

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-02 Thread Andrey Jivsov
On 03/02/2017 05:54 PM, Hal Murray wrote: > > cry...@brainhub.org said: >> I also think that counting in blocks is cleaner. Counting in bytes is a >> close alternative. > > Does counting bytes work? If the real limit is blocks, I think you will have > to round up the byte count when you

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-02 Thread Hal Murray
cry...@brainhub.org said: > I also think that counting in blocks is cleaner. Counting in bytes is a > close alternative. Does counting bytes work? If the real limit is blocks, I think you will have to round up the byte count when you send a partial block. If re-keying too often isn't too

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-02 Thread Brian Smith
Aaron Zauner wrote: > I'm not sure that text on key-usage limits in blocks in a spec > that fundamentally deals in records is less confusing, quite > the opposite (at least to me). 1. Consider an implementation that negotiates with another implementation to use a very large record

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-02 Thread Dang, Quynh (Fed)
"c...@irtf.org" <c...@irtf.org>, "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Martin Thomson
On 2 March 2017 at 05:44, Dang, Quynh (Fed) wrote: > OK. What is the percentage ? Even all records were small, providing a > correct number would be a good thing. If someone wants to rekey a lot often, > I am not suggesting against that. It will vary greatly depending on

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Dang, Quynh (Fed)
g>>, "c...@irtf.org" <c...@irtf.org>, Aaron Zauner <a...@azet.org>, "Paterson, Kenny" <kenny.pater...@rhul.ac.uk> Subject: Re: [T

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Watson Ladd
ch 1, 2017 at 9:38 AM > To: 'Quynh' <quynh.d...@nist.gov>, Aaron Zauner <a...@azet.org> > Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> > Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs > (#765/#769

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Dang, Quynh (Fed)
From: Aaron Zauner > Date: Wednesday, March 1, 2017 at 9:24 AM To: 'Quynh' > Cc: Sean Turner >, ">" >,

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Dang, Quynh (Fed)
IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769). Hi, On 01/03/2017 14:31, "T

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Paterson, Kenny
Hi, On 01/03/2017 14:31, "TLS on behalf of Dang, Quynh (Fed)" wrote: >From: Aaron Zauner >Date: Wednesday, March 1, 2017 at 9:24 AM >To: 'Quynh' >Cc: Sean Turner , ""

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Aaron Zauner
> On 01 Mar 2017, at 13:18, Dang, Quynh (Fed) wrote: > > > > From: Aaron Zauner > Date: Wednesday, March 1, 2017 at 8:11 AM > To: 'Quynh' > Cc: Sean Turner , "" , IRTF CFRG >

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Dang, Quynh (Fed)
From: Aaron Zauner > Date: Wednesday, March 1, 2017 at 8:11 AM To: 'Quynh' > Cc: Sean Turner >, ">" >,

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-03-01 Thread Aaron Zauner
> On 25 Feb 2017, at 14:28, Dang, Quynh (Fed) wrote: > > Hi Sean, Joe, Eric and all, > > I would like to address my thoughts/suggestions on 2 issues in option a. > > 1) The data limit should be addressed in terms of blocks, not records. When > the record size is not the

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

2017-02-25 Thread Dang, Quynh (Fed)
Hi Sean, Joe, Eric and all, I would like to address my thoughts/suggestions on 2 issues in option a. 1) The data limit should be addressed in terms of blocks, not records. When the record size is not the full size, some user might not know what to do. When the record size is 1 block, the

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-16 Thread Aaron Zauner
" <kenny.pater...@rhul.ac.uk> > Date: Wednesday, February 15, 2017 at 8:46 AM > To: 'Quynh' <quynh.d...@nist.gov> > Cc: Atul Luykx <atul.lu...@esat.kuleuven.be>, Yoav Nir <ynir.i...@gmail.com>, > IRTF CFRG <c...@irtf.org>, "tls@ietf.org" <

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-16 Thread Aaron Zauner
> On 15 Feb 2017, at 19:25, Martin Thomson wrote: > > On 16 February 2017 at 04:20, Yoav Nir wrote: >> No, not really, but TLS is not just the web, and there are connections that >> last for a long time and transfer large amounts of data. Think

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-16 Thread Dang, Quynh (Fed)
.@irtf.org>>, "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Hi Quynh, I'm meant to be on vacation, but I'm finding this on-going discussion fascinating,

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Martin Thomson
On 16 February 2017 at 04:30, Yoav Nir wrote: > And now I’ve lost you. A moment ago I thought you were concerned that people > would fail to implement KeyUpdate. Are you now suggesting that it be removed > entirely from TLS 1.3? No. My point was that if GCM requires more

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Yoav Nir
> On 15 Feb 2017, at 19:25, Martin Thomson wrote: > > On 16 February 2017 at 04:20, Yoav Nir wrote: >> No, not really, but TLS is not just the web, and there are connections that >> last for a long time and transfer large amounts of data. Think

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Yoav Nir
On 15 Feb 2017, at 19:05, Martin Thomson wrote: > > Frankly, I'm more concerned that this isn't small enough and that it > could it be practical to deploy an implementation that don't support > KeyUpdate. That would cause a real interop problem. Maybe we should

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Martin Thomson
On 16 February 2017 at 04:20, Yoav Nir wrote: > No, not really, but TLS is not just the web, and there are connections that > last for a long time and transfer large amounts of data. Think datacenter > synchronization. At packet-sized records 24 million records amounts to 36

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Martin Thomson
Hi Atul, > > I hope you had a happy Valentine! > > From: Atul Luykx <atul.lu...@esat.kuleuven.be> > Date: Tuesday, February 14, 2017 at 4:52 PM > To: Yoav Nir <ynir.i...@gmail.com> > Cc: 'Quynh' <quynh.d...@nist.gov>, IRTF CFRG <c...@irtf.org>, "

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Paterson, Kenny
rg<mailto:c...@irtf.org>>, "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Why is that 2^48 input blocks rather than 2^34.5 input blocks? Bec

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-15 Thread Dang, Quynh (Fed)
<mailto:quynh.d...@nist.gov>>, IRTF CFRG <c...@irtf.org>, "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Wh

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-14 Thread Yoav Nir
> On 14 Feb 2017, at 23:52, Atul Luykx wrote: > >> Why is that 2^48 input blocks rather than 2^34.5 input blocks? > Because he wants to lower the security level. The original text recommends > switching at 2^{34.5} input blocks, corresponding to a success

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-14 Thread Atul Luykx
Why is that 2^48 input blocks rather than 2^34.5 input blocks? Because he wants to lower the security level. The original text recommends switching at 2^{34.5} input blocks, corresponding to a success probability of 2^{-60}, whereas his text recommends switching at 2^{48} blocks, corresponding

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-14 Thread Yoav Nir
Hi, Quynh > On 14 Feb 2017, at 20:45, Dang, Quynh (Fed) wrote: > > Hi Sean and all, > > Beside my suggestion at > https://www.ietf.org/mail-archive/web/tls/current/msg22381.html > , I have a > second

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-14 Thread Dang, Quynh (Fed)
> Regards, Quynh. From: Dang, Quynh (Fed) Sent: Tuesday, February 14, 2017 1:20:12 PM To: Atul Luykx; Dang, Quynh (Fed) Cc: Markulf Kohlweiss; Antoine Delignat-Lavaud; IRTF CFRG; tls@ietf.org Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage"

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-14 Thread Dang, Quynh (Fed)
osoft.com>>, Antoine Delignat-Lavaud <an...@microsoft.com>, IRTF CFRG <c...@irtf.org>, "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Clos

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-14 Thread Atul Luykx
:45 AM To: Markulf Kohlweiss <mark...@microsoft.com>, "Paterson, Kenny" <kenny.pater...@rhul.ac.uk>, Sean Turner <s...@sn3rd.com> Cc: Antoine Delignat-Lavaud <an...@microsoft.com>, IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-13 Thread Tony Arcieri
On Mon, Feb 13, 2017 at 3:21 PM, Aaron Zauner wrote: > I thought the cited paper sorted this out like a year ago. > > In favor of option a I am also in favor of option A. The wording in option B is simultaneously much more unclear and much more verbose. I consider it a

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-13 Thread Aaron Zauner
> On 10 Feb 2017, at 07:07, Sean Turner wrote: > > All, > > We’ve got two outstanding PRs that propose changes to draft-ietf-tls-tls13 > Section 5.5 “Limits on Key Usage”. As it relates to rekeying, these limits > have been discussed a couple of times and we need to resolve

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-13 Thread Dang, Quynh (Fed)
;mailto:s...@sn3rd.com>> Cc: Antoine Delignat-Lavaud <an...@microsoft.com>, IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> Sub

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-13 Thread Markulf Kohlweiss
Hello, Our analysis of miTLS also supports option a) A security level of 2^-32 seems too low from a provable security point of view, especially for a confidentiality bound. We verified an implementation of the TLS 1.3 record (https://eprint.iacr.org/2016/1178, to appear at Security & Privacy

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-11 Thread Dang, Quynh (Fed)
M >To: 'Quynh' <quynh.d...@nist.gov>, Sean Turner <s...@sn3rd.com> >Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> >Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs >(#765/#769) > > > >>

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Dang, Quynh (Fed)
<rstruik@gmail.com> Sent: Friday, February 10, 2017 2:02:14 PM To: Dang, Quynh (Fed); Sean Turner; <tls@ietf.org> Cc: IRTF CFRG Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Hi Quynh: Not sure where to start (there is vast lite

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Paterson, Kenny
<s...@sn3rd.com> >Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> >Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs >(#765/#769) > > > >>Dear Quynh, >> >> >>On 10/02/2017

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Rene Struik
y 10, 2017 at 10:51 AM To: Sean Turner <s...@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org> Cc: IRTF CFRG <c...@irtf.org> Subject: Re: [TLS] [Cf

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Dang, Quynh (Fed)
>> Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Dear Quynh, On 10/

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Dang, Quynh (Fed)
<tls@ietf.org>" <tls@ietf.org> Cc: IRTF CFRG <c...@irtf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Dear colleagues: I would sug

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Paterson, Kenny
Dear Quynh, On 10/02/2017 12:48, "Dang, Quynh (Fed)" wrote: >Hi Kenny, > >>Hi, >> >> >>My preference is to go with the existing text, option a). >> >> >>From the github discussion, I think option c) involves a less >>conservative >>security bound (success probability for

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Dang, Quynh (Fed)
sn3rd.com>> Cc: IRTF CFRG <c...@irtf.org>, "<tls@ietf.org>" <tls@ietf.org> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769) Hi, My preferenc

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Dang, Quynh (Fed)
Hi Sean and all, I agree with everyone that the text in (b) was not very good text. The problem with (c) is that it is not precise at places and it leaves out a lot of informative discussions which users should know. The sentence "The maximum amount of plaintext data that can be safely

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Ilari Liusvaara
On Fri, Feb 10, 2017 at 04:44:58PM +1100, Martin Thomson wrote: > On 10 February 2017 at 16:07, Sean Turner wrote: > > a) Close these two PRs and go with the existing text [0] > > b) Adopt PR#765 [1] > > c) Adopt PR#769 [2] > > > a) I'm happy enough with the current text (I've implemented that and it's

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Paterson, Kenny
Hi, My preference is to go with the existing text, option a). From the github discussion, I think option c) involves a less conservative security bound (success probability for IND-CPA attacker bounded by 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be aware of the

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-09 Thread Martin Thomson
On 10 February 2017 at 16:07, Sean Turner wrote: > a) Close these two PRs and go with the existing text [0] > b) Adopt PR#765 [1] > c) Adopt PR#769 [2] a) I'm happy enough with the current text (I've implemented that and it's relatively easy). I could live with c, but I'm

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-09 Thread Stanislav V. Smyshlyaev
Dear Sean, dear all, I find the existing limits quite reasonable and would prefer that we'll stay conservative here, so I'd prefer option a) go with the existing text. Best regards, Stanislav Smyshlyaev 2017-02-10 8:07 GMT+03:00 Sean Turner : > All, > > We’ve got two