On 5/22/2019 11:06 AM, Russ Housley wrote:
>
> Christian:
>
>> On 5/15/2019 6:20 AM, Joseph Salowey wrote:
>>> The last call has come and gone without any comment. Please
>>> indicate if you have reviewed the draft even if you do not have
>>> issues to raise so the chairs can see who has reviewed it. Also
>>> indicate if you have any plans to implement the draft.
>>>
>>> On Tue, Apr 9, 2019 at 8:51 PM Joseph Salowey <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>> This is the working group last call for the "TLS 1.3 Extension
>>> for Certificate-based Authentication with an External Pre-Shared
>>> Key" draft available
>>> at
>>> https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-cert-with-extern-psk/.
>>> Please review the document and send your comments to the list by
>>> 2359 UTC on 23 April 2019.
>>>
>> My only comment regards the trade-off in this draft between privacy
>> and resilience. The proposed method uses PSK to provide greater
>> resilience against quantum-capable attackers, and as Russ says this
>> is something that the US government cares about. But at the same
>> time, the use of PSK requires inserting a PSK-ID in the client hello,
>> which is sent in clear text. So we have a trade-off: government
>> communications are less likely to be decrypted, but the PSK-ID will
>> help track government employees. It might make sense to describe the
>> trade-off explicitly in the draft, maybe in the security section.
>>
>
> I suggest the following additional section for this document:
>
> Privacy Considerations
>
> Appendix E.6 of [RFC8446] discusses identity exposure attacks on
> PSKs. The guidance in this section remains relevant.
>
> This extension makes use of external PSKs to improve resilience
> against attackers that gain access to a large-scale quantum computer
> in the future. This extension is always accompanied by the
> "pre_shared_key" extension to provide the PSK identities in plaintext
> in the ClientHello message. Passive observation of these PSK
> identities will aid an attacker to track users of this extension.
>
> Does that address your comment?
Yes, although "passive observation will help" is somewhat more benign than what I would have written. If the "government employee" is some agent in a foreign country, they may want to think twice before using the proposed option. Or alternatively, you may want a solution in which the PSK-ID is randomized using some ESNI-like process.

-- 
Christian Huitema
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
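To make the privacy consideration in the proposed section concrete, here is an added example; it is not code from the draft, from RFC 8446, or from anyone on this thread. It builds a minimal TLS 1.3 ClientHello carrying a pre_shared_key extension (RFC 8446 section 4.2.11 wire layout), then parses it the way a passive observer on the path would, recovering each PSK identity from the plaintext. A second function flags identities that recur across a set of captured ClientHellos, which is exactly the cross-session linkability the thread is worried about for a stable external-PSK identity. The identity strings, cipher suite list, and zero-filled binders are constructed sample values, not real keys or a real client.

```python
"""Passive-observer view of PSK identities in a TLS 1.3 ClientHello.

Added illustration for the privacy consideration discussed above: the
pre_shared_key extension (RFC 8446, section 4.2.11) carries each identity
in plaintext, so a stable external-PSK identity can be linked across
sessions by anyone who can see the ClientHello. All values below are
constructed sample data.
"""
import os
import struct

PRE_SHARED_KEY = 41            # extension type, RFC 8446 section 4.2
SUPPORTED_VERSIONS = 43
PSK_KEY_EXCHANGE_MODES = 45
CLIENT_HELLO = 1               # HandshakeType client_hello


def build_client_hello(psk_identities):
    """Build a minimal ClientHello handshake message (constructed sample, not a real client).

    Binders are zero-filled placeholders: a real client computes HMAC binders
    over the transcript and a server would reject these. Only the wire layout
    matters here, because that is what a passive observer sees.
    """
    body = b"\x03\x03" + os.urandom(32)           # legacy_version + random
    body += b"\x00"                                # empty legacy_session_id
    suites = b"\x13\x01\x13\x02"                   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # legacy_compression_methods: null only

    exts = b""
    versions = b"\x02\x03\x04"                     # supported_versions: TLS 1.3 only
    exts += struct.pack("!HH", SUPPORTED_VERSIONS, len(versions)) + versions
    modes = b"\x01\x01"                            # psk_key_exchange_modes: psk_dhe_ke
    exts += struct.pack("!HH", PSK_KEY_EXCHANGE_MODES, len(modes)) + modes
    if psk_identities:
        # PskIdentity = identity<1..2^16-1> + obfuscated_ticket_age (0 for external PSKs)
        ids = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", 0)
                       for i in psk_identities)
        binders = b"".join(b"\x20" + b"\x00" * 32 for _ in psk_identities)
        offered = struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(binders)) + binders
        exts += struct.pack("!HH", PRE_SHARED_KEY, len(offered)) + offered   # must be last
    body += struct.pack("!H", len(exts)) + exts
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def extract_psk_identities(client_hello):
    """Return the PSK identities readable in plaintext from a ClientHello handshake message.

    Walks the fixed fields, then the extension list, and decodes only the
    identities vector of pre_shared_key (binders are skipped). A truncated
    message raises ValueError or struct.error rather than returning garbage.
    """
    if len(client_hello) < 4 or client_hello[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                           # legacy_compression_methods
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("bad extensions length")
    identities = []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != PRE_SHARED_KEY or len(data) < 2:
            continue
        ids_len = struct.unpack_from("!H", data, 0)[0]
        p, stop = 2, 2 + ids_len
        while p + 2 <= stop:
            id_len = struct.unpack_from("!H", data, p)[0]
            p += 2
            identities.append(bytes(data[p:p + id_len]))
            p += id_len + 4                        # skip obfuscated_ticket_age
    return identities


def linkable_identities(client_hellos):
    """Map each PSK identity seen in more than one ClientHello to its occurrence count.

    Every entry is a stable identifier an on-path observer could use to
    correlate one user's sessions, which is the tracking concern above.
    """
    counts = {}
    for ch in client_hellos:
        for ident in extract_psk_identities(ch):
            counts[ident] = counts.get(ident, 0) + 1
    return {ident: n for ident, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Constructed capture: one client connecting twice with the same external
    # PSK identity, plus an unrelated client with a different identity.
    capture = [build_client_hello([b"ext-psk-client-0042"]),
               build_client_hello([b"ext-psk-client-0042"]),
               build_client_hello([b"ext-psk-client-0777"])]
    for ch in capture:
        print("observed identities:", extract_psk_identities(ch))
    print("linkable across sessions:", linkable_identities(capture))
```

The same parser can be pointed at ClientHellos pulled from a packet capture of your own deployment to check whether the identities it sends are stable per user; if `linkable_identities` returns anything, the tracking risk described in the proposed Privacy Considerations section applies to that deployment, and the mitigation lies in the identity-management guidance of RFC 8446 Appendix E.6 rather than in this extension itself.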
