attachment
<div dir="ltr"><div>FYI - An important new development in TLS 1.3 extension specs security analysis.</div><div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <b class="gmail_sendername" dir="auto">Deirdre Connolly</b> <span dir="auto"><<a href="mailto:durumcrustulum@gmail.com">durumcrustulum@gmail.com</a>></span><br>Date: Thu, Apr 18, 2024 at 11:37 AM<br>Subject: [TLS] Kicking off the TLS 1.3 formal analysis triage panel<br>To: <a href="mailto:TLS@ietf.org">TLS@ietf.org</a> <<a href="mailto:tls@ietf.org">tls@ietf.org</a>><br></div><br><br><div dir="ltr">Hello everyone! We're kicking off our TLS 1.3 formal analysis triage panel. <br><br>We have these volunteers participating:<br><br>- Douglas Stebila<br>- Dennis Jackson<br>- Franziskus Kiefer<br>- Cas Cremers<br>- Karthikeyan Bhargavan<br>- Vincent Cheval<br><br>Some of them are on this list, some are not, major welcomes and thank yous all around!<br><br>I will <a href="https://mailarchive.ietf.org/arch/msg/tls/RupKEHeJdAzxpNEZnRgerk4en1c/" target="_blank">link to my write up to the working group </a>and the <a href="https://youtu.be/Oo1UzQtfRYw?feature=shared&t=1485" target="_blank">recording of the most recent meeting</a> for more context if you want it.<br><br>The goal of the triage panel is to maintain the high degree of cryptographic assurance in TLS 1.3 as it evolves as a living protocol. To paraphrase a recent analysis of Encrypted Client Hello, one can see three prongs motivating formal analysis of changes or extensions to TLS 1.3:<div><br></div><div>- Preservation of existing security properties: the authentication, integrity, and confidentiality properties that have already been proven are preserved<br>- New, stronger security properties: such as improved privacy demonstrated by ECH, prove that extensions satisfies new goals</div><div>- Downgrade resilience: prove that active attackers cannot downgrade the changed/updated/extended protocol to bypass/remove the new guarantees<br><br>These are especially salient for new features like Encrypted Client Hello, but I would say the top bullet is the front of mind for most proposed documents coming through TLSWG: people want to use TLS 1.3 in new settings, in updated contexts, and want to tweak it a bit for their use case, and we want to make sure these changes do not degrade the already proven security properties of TLS 1.3.<br><div><br></div><div>Here's how I envision this going: every few weeks or so, more likely than not spurred by a document introduced at a (March, July, November) IETF meeting, we chairs ping the triage panel directly with document drafts that we'd like a first pass sniff test on whether these proposals:</div><div><br></div><div>- imply a change to previous security analysis assumptions (via pen and paper, formal methods tools, computer-aided provers, any/all of the above)</div><div>- whether such a change behooves updated analysis</div><div>- if updated analysis is recommended, of what type, what scope, and estimated time to complete, given such and such a person or team <br><br>We (the chairs) will collect responses, collate them, and bring them to the working group as part of an adoption call or other working group discussions about a document. If this process did not occur (say something was adopted long ago and has been dormant but now is being revived etc) we may come back and run a similar procedure again. If the working group agrees on requiring formal analysis for a document before it goes through a last call, we will ask the triage panel for recommendations or advice on trying to match the project with a group or a researcher who can work with the document authors on delivering the analysis.<br><br>The first thing on deck is <a href="https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis/" target="_blank">8773bis</a>, with more to come. Hopefully this is useful. <br><br>Yay!<br><br>Deirdre, for the chairs<div></div><br></div></div></div>
_______________________________________________<br>
TLS mailing list<br>
<a href="mailto:TLS@ietf.org" target="_blank">TLS@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/tls" rel="noreferrer" target="_blank">https://www.ietf.org/mailman/listinfo/tls</a><br>
</div></div></div>