Why did TLS 1.3 prohibit PGP authentication?
$begingroup$
There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).
Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).
What’s the point of such strong language?
tls pgp standards
$endgroup$
add a comment |
$begingroup$
There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).
Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).
What’s the point of such strong language?
tls pgp standards
$endgroup$
add a comment |
$begingroup$
There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).
Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).
What’s the point of such strong language?
tls pgp standards
$endgroup$
There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).
Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).
What’s the point of such strong language?
tls pgp standards
tls pgp standards
edited Nov 14 '18 at 12:38
Makif
525514
525514
asked Nov 13 '18 at 23:31
Alex ShpilkinAlex Shpilkin
23129
23129
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):
I found this on the TLS mailing list from Ilari Liusvaara:
Ugh, the situation is way worse than what I thought.
Basically, all three assume they have full control of certificate
message, worst of all being OpenPGP, which modifies it in more complex
ways (it isn't a pure element or list anymore).
And even with RPK, which appiles least severe modifications, still
modifies the structure in ways that are not obvious in implications
w.r.t. TLS 1.3.
Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
that it doesn't actually modify the certificate message format. Which
turned out to be wrong assumption (I fixed this after discovering the
format changes).
And then certificate types don't currently work sanely for client
certs, even if you knew how those map to Certificate message.
Client_certificate_type and server_certificate type aren't the only
problematic extensions w.r.t. TLS 1.3. The table of extensions has the
following too (all marked as allowed, I added short reason I think
those are problematic):
- client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).
- user_mapping: Has extra handshake message.
- cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.
With user_mapping, applying similar trick as in status_request is not
completely trivial because extensions that are answered in client
Certificate are offered in CertificateRequest. Okay, except that
extension is not an answer to ClientHello extensions, and the
extension assumes offer-answer relationship between client and server
extensions. Might need some special-casing.
...
Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html
In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.
$endgroup$
4
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
1
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
1
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
1
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
|
show 1 more comment
$begingroup$
As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.
In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.
In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.
So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.
$endgroup$
2
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63981%2fwhy-did-tls-1-3-prohibit-pgp-authentication%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):
I found this on the TLS mailing list from Ilari Liusvaara:
Ugh, the situation is way worse than what I thought.
Basically, all three assume they have full control of certificate
message, worst of all being OpenPGP, which modifies it in more complex
ways (it isn't a pure element or list anymore).
And even with RPK, which appiles least severe modifications, still
modifies the structure in ways that are not obvious in implications
w.r.t. TLS 1.3.
Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
that it doesn't actually modify the certificate message format. Which
turned out to be wrong assumption (I fixed this after discovering the
format changes).
And then certificate types don't currently work sanely for client
certs, even if you knew how those map to Certificate message.
Client_certificate_type and server_certificate type aren't the only
problematic extensions w.r.t. TLS 1.3. The table of extensions has the
following too (all marked as allowed, I added short reason I think
those are problematic):
- client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).
- user_mapping: Has extra handshake message.
- cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.
With user_mapping, applying similar trick as in status_request is not
completely trivial because extensions that are answered in client
Certificate are offered in CertificateRequest. Okay, except that
extension is not an answer to ClientHello extensions, and the
extension assumes offer-answer relationship between client and server
extensions. Might need some special-casing.
...
Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html
In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.
$endgroup$
4
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
1
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
1
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
1
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
|
show 1 more comment
$begingroup$
It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):
I found this on the TLS mailing list from Ilari Liusvaara:
Ugh, the situation is way worse than what I thought.
Basically, all three assume they have full control of certificate
message, worst of all being OpenPGP, which modifies it in more complex
ways (it isn't a pure element or list anymore).
And even with RPK, which appiles least severe modifications, still
modifies the structure in ways that are not obvious in implications
w.r.t. TLS 1.3.
Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
that it doesn't actually modify the certificate message format. Which
turned out to be wrong assumption (I fixed this after discovering the
format changes).
And then certificate types don't currently work sanely for client
certs, even if you knew how those map to Certificate message.
Client_certificate_type and server_certificate type aren't the only
problematic extensions w.r.t. TLS 1.3. The table of extensions has the
following too (all marked as allowed, I added short reason I think
those are problematic):
- client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).
- user_mapping: Has extra handshake message.
- cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.
With user_mapping, applying similar trick as in status_request is not
completely trivial because extensions that are answered in client
Certificate are offered in CertificateRequest. Okay, except that
extension is not an answer to ClientHello extensions, and the
extension assumes offer-answer relationship between client and server
extensions. Might need some special-casing.
...
Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html
In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.
$endgroup$
4
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
1
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
1
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
1
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
|
show 1 more comment
$begingroup$
It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):
I found this on the TLS mailing list from Ilari Liusvaara:
Ugh, the situation is way worse than what I thought.
Basically, all three assume they have full control of certificate
message, worst of all being OpenPGP, which modifies it in more complex
ways (it isn't a pure element or list anymore).
And even with RPK, which appiles least severe modifications, still
modifies the structure in ways that are not obvious in implications
w.r.t. TLS 1.3.
Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
that it doesn't actually modify the certificate message format. Which
turned out to be wrong assumption (I fixed this after discovering the
format changes).
And then certificate types don't currently work sanely for client
certs, even if you knew how those map to Certificate message.
Client_certificate_type and server_certificate type aren't the only
problematic extensions w.r.t. TLS 1.3. The table of extensions has the
following too (all marked as allowed, I added short reason I think
those are problematic):
- client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).
- user_mapping: Has extra handshake message.
- cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.
With user_mapping, applying similar trick as in status_request is not
completely trivial because extensions that are answered in client
Certificate are offered in CertificateRequest. Okay, except that
extension is not an answer to ClientHello extensions, and the
extension assumes offer-answer relationship between client and server
extensions. Might need some special-casing.
...
Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html
In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.
$endgroup$
It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):
I found this on the TLS mailing list from Ilari Liusvaara:
Ugh, the situation is way worse than what I thought.
Basically, all three assume they have full control of certificate
message, worst of all being OpenPGP, which modifies it in more complex
ways (it isn't a pure element or list anymore).
And even with RPK, which appiles least severe modifications, still
modifies the structure in ways that are not obvious in implications
w.r.t. TLS 1.3.
Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
that it doesn't actually modify the certificate message format. Which
turned out to be wrong assumption (I fixed this after discovering the
format changes).
And then certificate types don't currently work sanely for client
certs, even if you knew how those map to Certificate message.
Client_certificate_type and server_certificate type aren't the only
problematic extensions w.r.t. TLS 1.3. The table of extensions has the
following too (all marked as allowed, I added short reason I think
those are problematic):
- client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).
- user_mapping: Has extra handshake message.
- cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.
With user_mapping, applying similar trick as in status_request is not
completely trivial because extensions that are answered in client
Certificate are offered in CertificateRequest. Okay, except that
extension is not an answer to ClientHello extensions, and the
extension assumes offer-answer relationship between client and server
extensions. Might need some special-casing.
...
Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html
In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.
edited Nov 14 '18 at 2:42
answered Nov 14 '18 at 1:34
Maarten Bodewes♦Maarten Bodewes
55.9k679196
55.9k679196
4
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
1
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
1
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
1
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
|
show 1 more comment
4
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
1
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
1
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
1
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
4
4
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
$endgroup$
– kiwidrew
Nov 14 '18 at 8:21
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
$begingroup$
@Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:45
1
1
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
$begingroup$
@kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
$endgroup$
– Alex Shpilkin
Nov 14 '18 at 12:48
1
1
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
$begingroup$
There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 14:36
1
1
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
$begingroup$
@Demi I suppose so yes. After all, the only thing required for client authentication is trust of the public key and a signature. I think client authentication is the most useful as PGP is primarily used for providing privacy for individuals. Therefore client authentication is more important than server authentication in my opinion. Server authentication may be trickier to add as you have the additional issue of validating the server name, revocation etc.
$endgroup$
– Maarten Bodewes♦
Nov 22 '18 at 14:59
|
show 1 more comment
$begingroup$
As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.
In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.
In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.
So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.
$endgroup$
2
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
add a comment |
$begingroup$
As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.
In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.
In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.
So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.
$endgroup$
2
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
add a comment |
$begingroup$
As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.
In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.
In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.
So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.
$endgroup$
As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.
In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.
In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.
So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.
answered Nov 14 '18 at 14:48
tialaramextialaramex
23113
23113
2
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
add a comment |
2
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
2
2
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
$begingroup$
True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
$endgroup$
– Maarten Bodewes♦
Nov 14 '18 at 15:08
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63981%2fwhy-did-tls-1-3-prohibit-pgp-authentication%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown