On Sat, Dec 7, 2024 at 12:14 AM John Mattsson <john.mattsson=
40ericsson....@dmarc.ietf.org> wrote:

> Muhammad Usama Sardar wrote:
>
> >Do we have an I-D which defines how long do we consider as long-term
> connections? or I-D which gives recommendations or best practices for how
> long do we consider TLS 1.3 to provide excellent security?
>
>
>
> - One clear timepoint is when the server certicate expires. TLS 1.3
> removed the ability to do server reauthentication.
>
- RFC 4253 recommends rekeying with PFS after each gigabyte of transmitted
> data or after each hour of connection time.
>
- French ANSSI recommends periodic rekeying with PFS, e.g. every hour and
> every 100 GB of data, in order to limit the impact of a key compromise.
>
> https://cyber.gouv.fr/sites/default/files/2015/09/NT_IPsec_EN.pdf
>

TLS 1.3 KeyUpdate provides forward security: if you recover key N+1, you do
not get key N. What it does not provides is post-compromise security,
namely, if you recover key N, then you also can recover key N+1, etc. PCS
requires a new asymmetric exchange.


-Ekr



>
>
> >If the intention of draft was #2 above, cross-reading with this sentence,
> are we implying that PQC is not an urgent security issue?
>
>
>
> That is a very good point. I suggest changing this to
>
> OLD: “This document specifies that outside of urgent security fixes, no
> new features will be approved for TLS 1.2”
>
> NEW: “This document specifies that, no new features will be approved for
> TLS 1.2”
>
> (TLS WG can always make a future RFC overriding this anyway…)
>
>
>
> >It looks like a more detailed version of tls12-frozen draft. Is there a
> good reason not to merge the two documents?
>
>
>
> I had the same thought. I think they would be better as a single document.
> But I don’t care very much.
>
>
>
> >What does the capitalization of WILL NOT mean?
>
>
>
> Yes, and it is not in RFC 6919 either… ;)
>
>
>
> Cheers,
> John
>
>
>
> *From: *Muhammad Usama Sardar <muhammad_usama.sar...@tu-dresden.de>
> *Date: *Friday, 6 December 2024 at 18:33
> *To: *Valery Smyslov <smyslov.i...@gmail.com>, 'Sean Turner' <
> s...@sn3rd.com>, 'TLS List' <tls@ietf.org>
> *Subject: *[TLS] Re: Working Group Last Call for TLS 1.2 is in Feature
> Freeze
>
> A few quick questions. Sorry if I am missing something obvious or some
> background.
>
> On 04.12.24 08:04, Valery Smyslov wrote:
>
> note, that UTA WG has issued a WGLC for draft-ietf-uta-require-tls13-02 (New 
> Protocols Must Require TLS 1.3) [1].
>
>
>
>  [1] https://datatracker.ietf.org/doc/draft-ietf-uta-require-tls13/
>
> Thanks for pointer to this. It looks like a more detailed version of
> tls12-frozen draft. Is there a good reason not to merge the two documents?
> Is it due to different WGs? or different intended status? or something
> else?
>
>
>
>
>
> On 04.12.24 10:36, John Mattsson wrote:
>
> as-is, TLS 1.3 does not provide excellent security for long-term
> connections.
>
> Do we have an I-D which defines *how long* do we consider as long-term
> connections? or I-D which gives recommendations or best practices for *how
> long *do we consider TLS 1.3 to provide excellent security?
>
> ---
>
> Considering the following two statements in I-D, I have two questions:
>
> >   For TLS it is important to note that the focus of these efforts is
>
> >   TLS 1.3 or later.  Put bluntly, post-quantum cryptography for TLS 1.2
>
> >   WILL NOT be supported.
>
> To me the two sentences are contradicting. Which one of the following is
> intended?
>
>    1. (My understanding from 1st sentence) Some PQC support for TLS 1.2
>    will still continue but it will not be the focus.
>    2. (My understanding from 2nd sentence) We will exclusively work on
>    PQC for TLS 1.3 or later.
>
> What does the capitalization of WILL NOT mean? I did not find any such
> capitalization in RFC 2119 and RFC 8174. Please add the relevant RFC in
> section 2 or define it.
>
> >   This
>
> >   document specifies that outside of urgent security fixes, no new
>
> >   features will be approved for TLS 1.2.
>
> If the intention of draft was #2 above, cross-reading with this sentence,
> are we implying that PQC is not an urgent security issue?
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to