Christian: > On 5/15/2019 6:20 AM, Joseph Salowey wrote: >> The last call has come and gone without any comment. Please indicate if you >> have reviewed the draft even if you do not have issues to raise so the >> chairs can see who has reviewed it. Also indicate if you have any plans to >> implement the draft. >> >> On Tue, Apr 9, 2019 at 8:51 PM Joseph Salowey <j...@salowey.net >> <mailto:j...@salowey.net>> wrote: >> This is the working group last call for the "TLS 1.3 Extension for >> Certificate-based Authentication with an External Pre-Shared Key” draft >> available at >> https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-cert-with-extern-psk/ >> <https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-cert-with-extern-psk/>. >> Please review the document and send your comments to the list by 2359 UTC >> on 23 April 2019. > My only comment regards the trade-off in this draft between privacy and > resilience. The proposed method uses PSK to provide greater resilience > against quantum-capable attackers, and as Russ says this is something that > the US government cares about. But at the same time, the use of PSK requires > inserting a PSK-ID in the client hello, which is sent in clear text. So we > have a trade-off: government communications are less likely to be decrypted, > but the PSK-ID will help track government employees. It might make sense to > describe the trade-off explicitly in the draft, maybe in the security section. >
I suggest the following additional section for this document: Privacy Considerations Appendix E.6 of [RFC8446] discusses identity exposure attacks on PSKs. The guidance in this section remains relevant. This extension makes use of external PSKs to improve resilience against attackers that gain access to a large-scale quantum computer in the future. This extension is always accompanied by the "pre_shared_key" extension to provide the PSK identities in plaintext in the ClientHello message. Passive observation of the these PSK identities will aid an attacker to track users of this extension. Does that address your comment? Russ
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
