Why did TLS 1.3 prohibit PGP authentication?











up vote
20
down vote

favorite
2












There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).



Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).



What’s the point of such strong language?










share|improve this question









New contributor




Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    20
    down vote

    favorite
    2












    There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).



    Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).



    What’s the point of such strong language?










    share|improve this question









    New contributor




    Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      20
      down vote

      favorite
      2









      up vote
      20
      down vote

      favorite
      2






      2





      There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).



      Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).



      What’s the point of such strong language?










      share|improve this question









      New contributor




      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      There is a specification, in Informational(!) RFC 6091, for using PGP keys in TLS authentication, although I don’t think it has ever been implemented outside of GnuTLS (it’s certainly not in OpenSSL).



      Yet the TLS 1.3 RFC 8446 §4.4.2 goes as far as to specifically prohibit this obscure extension with a must not. Normally an IETF document would use a should not to recommend against something that’s not fundamentally broken, but still a bad idea in most cases; and RFC 6091 doesn’t seem broken—it just provokes pointless bloat (given the current state of client support and PGP deployment).



      What’s the point of such strong language?







      tls pgp standards






      share|improve this question









      New contributor




      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 4 hours ago









      Makif

      515412




      515412






      New contributor




      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 17 hours ago









      Alex Shpilkin

      20116




      20116




      New contributor




      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Alex Shpilkin is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          18
          down vote













          It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):



          I found this on the TLS mailing list from Ilari Liusvaara:




          Ugh, the situation is way worse than what I thought.



          Basically, all three assume they have full control of certificate
          message, worst of all being OpenPGP, which modifies it in more complex
          ways (it isn't a pure element or list anymore).



          And even with RPK, which appiles least severe modifications, still
          modifies the structure in ways that are not obvious in implications
          w.r.t. TLS 1.3.



          Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
          that it doesn't actually modify the certificate message format. Which
          turned out to be wrong assumption (I fixed this after discovering the
          format changes).



          And then certificate types don't currently work sanely for client
          certs, even if you knew how those map to Certificate message.



          Client_certificate_type and server_certificate type aren't the only
          problematic extensions w.r.t. TLS 1.3. The table of extensions has the
          following too (all marked as allowed, I added short reason I think
          those are problematic):




          • client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).

          • user_mapping: Has extra handshake message.

          • cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.


          With user_mapping, applying similar trick as in status_request is not
          completely trivial because extensions that are answered in client
          Certificate are offered in CertificateRequest. Okay, except that
          extension is not an answer to ClientHello extensions, and the
          extension assumes offer-answer relationship between client and server
          extensions. Might need some special-casing.



          ...




          Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html



          In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.






          share|improve this answer



















          • 4




            Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
            – kiwidrew
            8 hours ago










          • @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
            – Alex Shpilkin
            3 hours ago






          • 1




            @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
            – Alex Shpilkin
            3 hours ago










          • Aha, got it now, thanks for that clarification!
            – kiwidrew
            3 hours ago










          • There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
            – Maarten Bodewes
            2 hours ago




















          up vote
          1
          down vote













          As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.



          In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.



          In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.



          So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.






          share|improve this answer

















          • 1




            True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
            – Maarten Bodewes
            1 hour ago











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "281"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Alex Shpilkin is a new contributor. Be nice, and check out our Code of Conduct.










           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63981%2fwhy-did-tls-1-3-prohibit-pgp-authentication%23new-answer', 'question_page');
          }
          );

          Post as a guest
































          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          18
          down vote













          It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):



          I found this on the TLS mailing list from Ilari Liusvaara:




          Ugh, the situation is way worse than what I thought.



          Basically, all three assume they have full control of certificate
          message, worst of all being OpenPGP, which modifies it in more complex
          ways (it isn't a pure element or list anymore).



          And even with RPK, which appiles least severe modifications, still
          modifies the structure in ways that are not obvious in implications
          w.r.t. TLS 1.3.



          Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
          that it doesn't actually modify the certificate message format. Which
          turned out to be wrong assumption (I fixed this after discovering the
          format changes).



          And then certificate types don't currently work sanely for client
          certs, even if you knew how those map to Certificate message.



          Client_certificate_type and server_certificate type aren't the only
          problematic extensions w.r.t. TLS 1.3. The table of extensions has the
          following too (all marked as allowed, I added short reason I think
          those are problematic):




          • client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).

          • user_mapping: Has extra handshake message.

          • cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.


          With user_mapping, applying similar trick as in status_request is not
          completely trivial because extensions that are answered in client
          Certificate are offered in CertificateRequest. Okay, except that
          extension is not an answer to ClientHello extensions, and the
          extension assumes offer-answer relationship between client and server
          extensions. Might need some special-casing.



          ...




          Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html



          In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.






          share|improve this answer



















          • 4




            Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
            – kiwidrew
            8 hours ago










          • @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
            – Alex Shpilkin
            3 hours ago






          • 1




            @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
            – Alex Shpilkin
            3 hours ago










          • Aha, got it now, thanks for that clarification!
            – kiwidrew
            3 hours ago










          • There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
            – Maarten Bodewes
            2 hours ago

















          up vote
          18
          down vote













          It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):



          I found this on the TLS mailing list from Ilari Liusvaara:




          Ugh, the situation is way worse than what I thought.



          Basically, all three assume they have full control of certificate
          message, worst of all being OpenPGP, which modifies it in more complex
          ways (it isn't a pure element or list anymore).



          And even with RPK, which appiles least severe modifications, still
          modifies the structure in ways that are not obvious in implications
          w.r.t. TLS 1.3.



          Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
          that it doesn't actually modify the certificate message format. Which
          turned out to be wrong assumption (I fixed this after discovering the
          format changes).



          And then certificate types don't currently work sanely for client
          certs, even if you knew how those map to Certificate message.



          Client_certificate_type and server_certificate type aren't the only
          problematic extensions w.r.t. TLS 1.3. The table of extensions has the
          following too (all marked as allowed, I added short reason I think
          those are problematic):




          • client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).

          • user_mapping: Has extra handshake message.

          • cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.


          With user_mapping, applying similar trick as in status_request is not
          completely trivial because extensions that are answered in client
          Certificate are offered in CertificateRequest. Okay, except that
          extension is not an answer to ClientHello extensions, and the
          extension assumes offer-answer relationship between client and server
          extensions. Might need some special-casing.



          ...




          Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html



          In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.






          share|improve this answer



















          • 4




            Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
            – kiwidrew
            8 hours ago










          • @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
            – Alex Shpilkin
            3 hours ago






          • 1




            @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
            – Alex Shpilkin
            3 hours ago










          • Aha, got it now, thanks for that clarification!
            – kiwidrew
            3 hours ago










          • There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
            – Maarten Bodewes
            2 hours ago















          up vote
          18
          down vote










          up vote
          18
          down vote









          It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):



          I found this on the TLS mailing list from Ilari Liusvaara:




          Ugh, the situation is way worse than what I thought.



          Basically, all three assume they have full control of certificate
          message, worst of all being OpenPGP, which modifies it in more complex
          ways (it isn't a pure element or list anymore).



          And even with RPK, which appiles least severe modifications, still
          modifies the structure in ways that are not obvious in implications
          w.r.t. TLS 1.3.



          Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
          that it doesn't actually modify the certificate message format. Which
          turned out to be wrong assumption (I fixed this after discovering the
          format changes).



          And then certificate types don't currently work sanely for client
          certs, even if you knew how those map to Certificate message.



          Client_certificate_type and server_certificate type aren't the only
          problematic extensions w.r.t. TLS 1.3. The table of extensions has the
          following too (all marked as allowed, I added short reason I think
          those are problematic):




          • client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).

          • user_mapping: Has extra handshake message.

          • cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.


          With user_mapping, applying similar trick as in status_request is not
          completely trivial because extensions that are answered in client
          Certificate are offered in CertificateRequest. Okay, except that
          extension is not an answer to ClientHello extensions, and the
          extension assumes offer-answer relationship between client and server
          extensions. Might need some special-casing.



          ...




          Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html



          In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.






          share|improve this answer














          It seems that PGP certificates have the problem that they can be changed by the user. Furthermore, there were extensions for 1.2 that are incompatible for 1.3 (if they were secure in the first place):



          I found this on the TLS mailing list from Ilari Liusvaara:




          Ugh, the situation is way worse than what I thought.



          Basically, all three assume they have full control of certificate
          message, worst of all being OpenPGP, which modifies it in more complex
          ways (it isn't a pure element or list anymore).



          And even with RPK, which appiles least severe modifications, still
          modifies the structure in ways that are not obvious in implications
          w.r.t. TLS 1.3.



          Oh, and turns out I had implemented RPK in TLS 1.2 wrong by assuming
          that it doesn't actually modify the certificate message format. Which
          turned out to be wrong assumption (I fixed this after discovering the
          format changes).



          And then certificate types don't currently work sanely for client
          certs, even if you knew how those map to Certificate message.



          Client_certificate_type and server_certificate type aren't the only
          problematic extensions w.r.t. TLS 1.3. The table of extensions has the
          following too (all marked as allowed, I added short reason I think
          those are problematic):




          • client_certificate_url: Replaces certificate message. Hardcodes SHA-1 (which is now provably broken).

          • user_mapping: Has extra handshake message.

          • cert_type: All the problems of CCertT and SCertT, combined with fixing both to be the same.


          With user_mapping, applying similar trick as in status_request is not
          completely trivial because extensions that are answered in client
          Certificate are offered in CertificateRequest. Okay, except that
          extension is not an answer to ClientHello extensions, and the
          extension assumes offer-answer relationship between client and server
          extensions. Might need some special-casing.



          ...




          Source: https://www.ietf.org/mail-archive/web/tls/current/msg22576.html



          In other messages in the thread they talk about disabling OpenPGP until somebody comes up with an extension in a separate RFC. So it doesn't seem to be malice, just a whole bunch of compatibility reasons. In other words: as it is now it looks very broken - until somebody manages to fix it.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 14 hours ago

























          answered 15 hours ago









          Maarten Bodewes

          51.3k670188




          51.3k670188








          • 4




            Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
            – kiwidrew
            8 hours ago










          • @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
            – Alex Shpilkin
            3 hours ago






          • 1




            @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
            – Alex Shpilkin
            3 hours ago










          • Aha, got it now, thanks for that clarification!
            – kiwidrew
            3 hours ago










          • There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
            – Maarten Bodewes
            2 hours ago
















          • 4




            Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
            – kiwidrew
            8 hours ago










          • @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
            – Alex Shpilkin
            3 hours ago






          • 1




            @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
            – Alex Shpilkin
            3 hours ago










          • Aha, got it now, thanks for that clarification!
            – kiwidrew
            3 hours ago










          • There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
            – Maarten Bodewes
            2 hours ago










          4




          4




          Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
          – kiwidrew
          8 hours ago




          Nice work on tracking down the original reason! TLS 1.3 really tried to clear out as much accumulated cruft in the protocol as possible (dark corners can hide nasty surprises), so I'm not surprised that they jettisoned the extensions for OpenPGP certs.
          – kiwidrew
          8 hours ago












          @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
          – Alex Shpilkin
          3 hours ago




          @Maarten I’m a bit lost in the terminology here—let’s see if understand this correctly: TLS 1.3 declared a common format for the authentication data (what they call Certificate but is actually a list of X.509 certificates), but RFC 6091 overrides Certificate wholesale, and so is broken in TLS 1.3 protocol-wise even if its security was solid.
          – Alex Shpilkin
          3 hours ago




          1




          1




          @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
          – Alex Shpilkin
          3 hours ago




          @kiwidrew That’s not the surprising part: an Informational RFC outside of the main spec is to begin with about as far as from an official IETF endorsement as it’s possible to get; the surprising part is the must not in the new main spec. But if it changed a part of the wire format the TLS 1.3 designers would like to see frozen, that would explain it.
          – Alex Shpilkin
          3 hours ago












          Aha, got it now, thanks for that clarification!
          – kiwidrew
          3 hours ago




          Aha, got it now, thanks for that clarification!
          – kiwidrew
          3 hours ago












          There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
          – Maarten Bodewes
          2 hours ago






          There seems to be a list of messages or records to be changed below the mail message (which is represented by the ...) in my answer. However, it is not completely clear to me if this is the case and how much change would be required; feel free to have a look though (and the message is part of a thread, but I think this message sums it up nicely).
          – Maarten Bodewes
          2 hours ago












          up vote
          1
          down vote













          As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.



          In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.



          In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.



          So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.






          share|improve this answer

















          • 1




            True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
            – Maarten Bodewes
            1 hour ago















          up vote
          1
          down vote













          As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.



          In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.



          In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.



          So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.






          share|improve this answer

















          • 1




            True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
            – Maarten Bodewes
            1 hour ago













          up vote
          1
          down vote










          up vote
          1
          down vote









          As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.



          In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.



          In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.



          So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.






          share|improve this answer












          As well as the purely mechanical elements Maarten's excellent answer talks about (how should we send these certificates in the new data structures) there's also a change in TLS 1.3 that is relevant to OpenPGP too.



          In prior TLS versions it was possible (and common) to negotiate a key exchange method in which the "master secret" used to create session keys is sent, encrypted, from client to server. This looks a lot like PGP's encrypted mail messages, a simple hybrid system in which bulk data is symmetrically encrypted and then only the symmetric key is encrypted using public key cryptography. This means that server authentication happens implicitly because only the authentic server could decrypt the message.



          In TLS 1.3 only DH key exchange is permitted. Ephemeral symmetric keys will be chosen by the participants at random and used to encrypt a connection immediately. Authentication always happens explicitly, over this encrypted channel. After showing a certificate (now over an encrypted channel unlike TLS 1.2 and earlier) the peer signs a transcript of the steps so far, thus proving that they have the private key corresponding to the certificate AND they witnessed the exact same setup as you.



          So this changes the key usage from encryption to signature which is pretty significant. Certainly worthy of completely fresh consideration from anyone who wants (for some reason) to do TLS with OpenPGP keys and certificates.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 1 hour ago









          tialaramex

          22113




          22113








          • 1




            True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
            – Maarten Bodewes
            1 hour ago














          • 1




            True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
            – Maarten Bodewes
            1 hour ago








          1




          1




          True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
          – Maarten Bodewes
          1 hour ago




          True of course, but it is certainly possible to sign data using PGP private keys. So although it would certainly be an additional hurdle, it should not block PGP from being used (but you could say that of all the other issues as well, I suppose).
          – Maarten Bodewes
          1 hour ago










          Alex Shpilkin is a new contributor. Be nice, and check out our Code of Conduct.










           

          draft saved


          draft discarded


















          Alex Shpilkin is a new contributor. Be nice, and check out our Code of Conduct.













          Alex Shpilkin is a new contributor. Be nice, and check out our Code of Conduct.












          Alex Shpilkin is a new contributor. Be nice, and check out our Code of Conduct.















           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63981%2fwhy-did-tls-1-3-prohibit-pgp-authentication%23new-answer', 'question_page');
          }
          );

          Post as a guest




















































































          Popular posts from this blog

          Morgemoulin

          Scott Moir

          Souastre