On Wed, Mar 16, 2016 at 11:22 AM, Paterson, Kenny
<kenny.pater...@rhul.ac.uk> wrote:
> Hi
>
> On 16/03/2016 15:02, "TLS on behalf of Watson Ladd" <tls-boun...@ietf.org
> on behalf of watsonbl...@gmail.com> wrote:
>
>>On Wed, Mar 16, 2016 at 5:36 AM, Peter Gutmann
>><pgut...@cs.auckland.ac.nz> wrote:
>>> After a number of, uh, gentle reminders from people who have been
>>>waiting for
>>> this, I've finally got around to posting the TLS-LTS draft I mentioned
>>>a while
>>> back.  It's now available as:
>>>
>>> http://www.ietf.org/id/draft-gutmann-tls-lts-00.txt
>>>
>>> Abstract:
>>>
>>>    This document specifies a profile of TLS 1.2 for long-term support,
>>>    one that represents what's already deployed for TLS 1.2 but with the
>>>    security holes and bugs fixed.  This represents a stable, known-good
>>>    profile that can be deployed now to systems that can't roll out
>>>    patches every month or two when the next attack on TLS is published.
>>>
>>> Several people have already commented on it off-list while it was being
>>> written, it's now open for general comments...
>>
>>Several comments:
>
> <snip>
>
>>The analysis of TLS 1.3 is just wrong. TLS 1.3 has been far more
>>extensively analyzed than TLS 1.2. It's almost like you don't believe
>>cryptography exists: that is a body of knowledge that can demonstrate
>>that protocols are secure, and which has been applied to the draft.
>
> This is patently untrue. There is a vast body of research analysing TLS
> 1.2 and earlier. A good survey article is here:
>
> https://eprint.iacr.org/2013/049

There's a vast literature, but much of it makes simplifying
assumptions or doesn't address the complete protocol. The first really
complete analysis was miTLS AFAIK. Furthermore, a lot of the barriers
to analysis in TLS 1.2 got removed in TLS 1.3. The question is not how
many papers are written, but how much the papers can say about the
protocol as implemented. And from that perspective TLS 1.3's Tamarin
model is a fairly important step, where the equivalent steps in TLS
1.2 got reached only much later.

It's true 0-RTT isn't included: so don't do it. But I think if we
subset (not add additional implementation requirements) TLS 1.3
appropriately we end up with a long-term profile that's more usable
than if we subset TLS 1.2, and definitely more than adding to the set
of mechanisms. I think claims that TLS 1.3 outside of 0-RTT is likely
to have crypto weaknesses due to newness are vastly overstated.

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
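Worked example, added here and not part of the thread or of the TLS-LTS draft: what a "subset TLS 1.3" profile of the kind argued for above looks like when pinned in a real stack, in this case Go's crypto/tls. The server accepts TLS 1.3 only, with X25519 as its sole key-exchange group; Go's crypto/tls offers no 0-RTT on ordinary TCP connections, so the "don't do 0-RTT" part of the profile needs no setting at all, and Go's TLS 1.3 cipher suites are fixed, so there is nothing to subset there either. The handshake is run twice over an in-memory pipe, once with a TLS 1.3-capable client and once with a client capped at TLS 1.2, to show that the profile refuses the older peer instead of negotiating down to it. The host name lts.example, the throwaway self-signed certificate and every function name below are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name used for the throwaway certificate and for SNI.
const profileHost = "lts.example"

// ltsServerConfig pins a server to a TLS 1.3 subset: TLS 1.3 only and X25519
// as the only key-exchange group. Go's crypto/tls has no 0-RTT on TCP
// connections and fixes the TLS 1.3 suite list, so neither needs a setting.
// Session tickets are disabled so the server's first flight ends with
// Finished, which keeps the synchronous in-memory pipe below from stalling.
func ltsServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		MaxVersion:             tls.VersionTLS13,
		CurvePreferences:       []tls.CurveID{tls.X25519},
		SessionTicketsDisabled: true,
	}
}

// ltsClientConfig is the matching client side; maxVersion lets the caller
// simulate an older peer that cannot speak TLS 1.3.
func ltsClientConfig(roots *x509.CertPool, maxVersion uint16) *tls.Config {
	return &tls.Config{
		ServerName:       profileHost,
		RootCAs:          roots,
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       maxVersion,
		CurvePreferences: []tls.CurveID{tls.X25519},
	}
}

// selfSignedCert builds a throwaway ECDSA P-256 certificate (constructed test
// material, not a deployment certificate) and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: profileHost},
		DNSNames:     []string{profileHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one client/server handshake over an in-memory pipe and
// returns the negotiated protocol version. Deadlines turn any stall into an
// error instead of a hang.
func handshake(server, client *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(10 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, server).Handshake() }()

	cli := tls.Client(cliConn, client)
	if err := cli.Handshake(); err != nil {
		cliConn.Close() // unblock the server side, then collect its result
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

// NegotiatedVersion runs the profile against a client capped at maxVersion and
// reports the version the two sides agreed on, or the refusal as an error.
func NegotiatedVersion(maxVersion uint16) (uint16, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	return handshake(ltsServerConfig(cert), ltsClientConfig(roots, maxVersion))
}

func main() {
	v, err := NegotiatedVersion(tls.VersionTLS13)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("TLS 1.3-capable client: negotiated 0x%04x\n", v)
	if _, err := NegotiatedVersion(tls.VersionTLS12); err != nil {
		fmt.Println("TLS 1.2-only client refused:", err)
	}
}
```

The client is pinned to X25519 as well so that its ClientHello already carries the key share the server will pick; otherwise the server would answer with a HelloRetryRequest, which is legal but is exactly the kind of extra round trip a fixed profile exists to avoid. SessionTicketsDisabled is there for the mechanics of the synchronous pipe in this example; a deployment keeps whatever ticket policy it already has, and a TLS 1.2-only peer gets a protocol_version alert from the server rather than a downgraded session.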