Guidance for External Pre-Shared Key (PSK) Usage in TLS
draft-ietf-tls-external-psk-guidance-06

Document history

Date Rev. By Action
2022-07-19
06 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2022-07-01
06 (System) RFC Editor state changed to AUTH48
2022-06-16
06 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2022-05-05
06 (System) RFC Editor state changed to EDIT from MISSREF
2022-02-04
06 Christopher Wood New version available: draft-ietf-tls-external-psk-guidance-06.txt
2022-02-04
06 (System) New version accepted (logged-in submitter: Christopher Wood)
2022-02-04
06 Christopher Wood Uploaded new revision
2022-02-04
05 (System) IANA Action state changed to No IANA Actions from In Progress
2022-02-03
05 (System) RFC Editor state changed to MISSREF
2022-02-03
05 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2022-02-03
05 (System) Announcement was received by RFC Editor
2022-02-03
05 (System) IANA Action state changed to In Progress
2022-02-03
05 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2022-02-03
05 Cindy Morgan IESG has approved the document
2022-02-03
05 Cindy Morgan Closed "Approve" ballot
2022-02-03
05 Cindy Morgan Ballot approval text was generated
2022-02-03
05 Benjamin Kaduk IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup
2022-01-11
05 Christopher Wood New version available: draft-ietf-tls-external-psk-guidance-05.txt
2022-01-11
05 (System) New version accepted (logged-in submitter: Christopher Wood)
2022-01-11
05 Christopher Wood Uploaded new revision
2021-12-16
04 (System) Removed all action holders (IESG state changed)
2021-12-16
04 Cindy Morgan IESG state changed to Approved-announcement to be sent::AD Followup from IESG Evaluation
2021-12-16
04 Jean Mahoney Closed request for Last Call review by GENART with state 'Overtaken by Events'
2021-12-16
04 Jean Mahoney Assignment of request for Last Call review by GENART to Suhas Nandakumar was marked no-response
2021-12-16
04 Francesca Palombini
[Ballot comment]
Thank you for the work on this document.

Many thanks to Martin Thomson for his careful review: https://mailarchive.ietf.org/arch/msg/art/6b5V1TEJL_PB2dc3Xfm62KFGqW8/ , and thanks to the authors for addressing his comments.

I only had time to scan the document, but did not find any major ART issues.

Francesca
2021-12-16
04 Francesca Palombini [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini
2021-12-15
04 John Scudder [Ballot Position Update] New position, No Objection, has been recorded for John Scudder
2021-12-15
04 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2021-12-15
04 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2021-12-15
04 Roman Danyliw
[Ballot comment]
Thank you to Rich Salz for the SECDIR review.

** Section 6.1.  Consider providing information references for OpenSSL, BoringSSL, mbedTLS, gnuTLS and wolfSSL

** Section 6.1.  Should it be noted that some libraries (e.g., OpenSSL, BoringSSL, mbedTLS) support PSK lengths below the threshold recommended in this document (i.e., smaller than 128-bits per Section 6)?

** Editorial nits:

-- Section 4.1.  Typo. s/mitigiation/mitigation/
-- Section 6.  Duplicate word. s/exchange exchange/exchange/
-- Section 8. Typo. s/beynond/beyond/
2021-12-15
04 Roman Danyliw [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw
2021-12-15
04 Robert Wilton
[Ballot comment]
Thanks for this document.  I find it always useful, and enlightening, when this sort of guidance is published.

One minor nit/question on 7.  Privacy Considerations

  TLS does little to keep PSK identity
  information private.  For example, an adversary learns information
  about the external PSK or its identifier by virtue of it appearing in
  cleartext in a ClientHello.

I wasn't sure what "it" in the last sentence refers to.  I would potentially read that as being the external PSK, and hence the external PSK appears in cleartext in a ClientHello.  I don't know TLS, but this seemed surprising.  Hence you may want to consider whether this sentence should be tweaked to make it clearer.

Thanks,
Rob
2021-12-15
04 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2021-12-14
04 Murray Kucherawy
[Ballot comment]
Thanks to Martin Thomson for his ARTART review.

A stylistic point: The Abstract is made up of five sentences all of which start "This document".  It's a bit of a rigid read.  Maybe something like this?

  This document provides usage guidance for external Pre-Shared Keys
  (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446.
  It lists TLS security properties provided by PSKs under
  certain assumptions, and then demonstrates how violations of these
  assumptions lead to attacks.  It also discusses PSK use cases
  and provisioning processes.  Advice for
  applications to help meet these assumptions is provided.  Finally,
  it lists the privacy and security properties that are not provided by
  TLS 1.3 when external PSKs are used.

Section 4.1 contains this, which I can't quite parse:

  To illustrate the rerouting attack, consider the group of peers who
  know the PSK be A, B, and C.

Should there be a "to" after "PSK"?

In Section 8:

  Each endpoint SHOULD know the identifier of the other endpoint with
  which its wants to connect and SHOULD compare it with the other

s/its/it/
2021-12-14
04 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2021-12-14
04 Zaheduzzaman Sarker [Ballot comment]
Thanks for working on this document. I read this document and didn't notice any transport-related issues.
2021-12-14
04 Zaheduzzaman Sarker [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker
2021-12-11
04 Rich Salz Request for Telechat review by SECDIR Completed: Ready. Reviewer: Rich Salz. Sent review to list.
2021-12-11
04 Erik Kline
[Ballot comment]

[S4; nit]

* s/quantum computes/quantum computers/?

[S4.2; nit]

* "including, for example, including ..." -> "including, for example, ..."

[S5.2; nit]

* "or even less number of buttons" -> "or even fewer buttons", perhaps

* "baked into or hardware or software" -> "baked into hardware or software"

[S5.3; question]

* What does "routable" mean in an identities context?  Perhaps there is
  some simpler rewording that preserves the essential meaning (or maybe
  this is well-understood and I'm just not up to speed yet).

  I could not find "rout"-stemmed words in draft-mattsson-emu-eap-tls-psk.

[S8; nit]

* s/beynond/beyond/
2021-12-11
04 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2021-12-11
04 Tero Kivinen Request for Telechat review by SECDIR is assigned to Rich Salz
2021-12-11
04 Tero Kivinen Request for Telechat review by SECDIR is assigned to Rich Salz
2021-12-10
04 Éric Vyncke
[Ballot comment]
[Sorry for duplicate email, I pressed the wrong button...]

Thank you for the work put into this document. The document offers good guidance and is easy to read.

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits.

Special thanks to Sean Turner for the shepherd's write-up including the section about the WG consensus.

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 4.1 --
A wild guess (as I do not know the details of TLS 1.3), but if a group member is compromised and no ephemeral keys were used, then isn't the attacker able to read even the past/recorded traffic ?

-- Section 5.1 --
Suggest to expand "PoP".

Also wonder about the German eID use case... While the BSI specification allows for using PSK, it does not appear as the recommended mode by BSI. I.e., does this reference help the case for this I-D ? Suggest to remove it.

I also wonder why quantum resistance is not at the top ;-)

-- Section 5.2 --
About the IoT "UI", I would assume that some USB ports could also be used. Or are USB/bluetooth/... considered as UI ?

-- Section 5.3 --
"each pair of nodes has a unique key pair" is puzzling as PSK usually consists of a unique key and not a key pair. What am I missing ?


== NITS ==
Section 5.2 "among several node is" (plural ?)
Section 8 "extend beynond proper identification"
2021-12-10
04 Éric Vyncke [Ballot Position Update] Position for Éric Vyncke has been changed to No Objection from No Record
2021-12-10
04 Éric Vyncke
[Ballot comment]
Thank you for the work put into this document. The document offers good guidance and is easy to read.

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits.

Special thanks to Sean Turner for the shepherd's write-up including the section about the WG consensus.

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 4.1 --
A wild guess (as I do not know the details of TLS 1.3), but if a group member is compromised and no ephemeral keys were used, then isn't the attacker able to read even the past/recorded traffic ?

-- Section 5.1 --
Suggest to expand "PoP".

Also wonder about the German eID use case... While the BSI specification allows for using PSK, it does not appear as the recommended mode by BSI. I.e., does this reference help the case for this I-D ? Suggest to remove it.

I also wonder why quantum resistance is not at the top ;-)

-- Section 5.2 --
About the IoT "UI", I would assume that some USB ports could also be used. Or are USB/bluetooth/... considered as UI ?

-- Section 5.3 --
"each pair of nodes has a unique key pair" is puzzling as PSK usually consists of a unique key and not a key pair. What am I missing ?


== NITS ==
Section 5.2 "among several node is" (plural ?)
Section 8 "extend beynond proper identification"
2021-12-10
04 Éric Vyncke Ballot comment text updated for Éric Vyncke
2021-12-09
04 Amanda Baber IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2021-12-09
04 Cindy Morgan Placed on agenda for telechat - 2021-12-16
2021-12-09
04 Benjamin Kaduk Ballot has been issued
2021-12-09
04 Benjamin Kaduk [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk
2021-12-09
04 Benjamin Kaduk Created "Approve" ballot
2021-12-09
04 Benjamin Kaduk IESG state changed to IESG Evaluation from Waiting for Writeup::AD Followup
2021-12-09
04 Benjamin Kaduk Ballot writeup was changed
2021-12-09
04 (System) Changed action holders to Benjamin Kaduk (IESG state changed)
2021-12-09
04 (System) Sub state has been changed to AD Followup from Revised ID Needed
2021-12-09
04 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2021-12-09
04 Christopher Wood New version available: draft-ietf-tls-external-psk-guidance-04.txt
2021-12-09
04 (System) New version accepted (logged-in submitter: Christopher Wood)
2021-12-09
04 Christopher Wood Uploaded new revision
2021-12-07
03 (System) Changed action holders to Russ Housley, Mohit Sethi, Benjamin Kaduk, Christopher Wood, Jonathan Hoyland (IESG state changed)
2021-12-07
03 Benjamin Kaduk IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup
2021-11-19
03 (System) IESG state changed to Waiting for Writeup from In Last Call
2021-11-15
03 Scott Bradner Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Scott Bradner. Sent review to list.
2021-11-15
03 Rich Salz Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Rich Salz. Sent review to list.
2021-11-11
03 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2021-11-11
03 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has reviewed draft-ietf-tls-external-psk-guidance-03, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
Lead IANA Services Specialist
2021-11-05
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Rich Salz
2021-11-05
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Rich Salz
2021-11-03
03 Martin Thomson Request for Last Call review by ARTART Completed: Ready with Issues. Reviewer: Martin Thomson. Sent review to list.
2021-11-03
03 Barry Leiba Request for Last Call review by ARTART is assigned to Martin Thomson
2021-11-03
03 Barry Leiba Request for Last Call review by ARTART is assigned to Martin Thomson
2021-11-03
03 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Scott Bradner
2021-11-03
03 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Scott Bradner
2021-10-29
03 Jean Mahoney Request for Last Call review by GENART is assigned to Suhas Nandakumar
2021-10-29
03 Jean Mahoney Request for Last Call review by GENART is assigned to Suhas Nandakumar
2021-10-29
03 Cindy Morgan IANA Review state changed to IANA - Review Needed
2021-10-29
03 Cindy Morgan
The following Last Call announcement was sent out (ends 2021-11-19):

From: The IESG
To: IETF-Announce
CC: draft-ietf-tls-external-psk-guidance@ietf.org, kaduk@mit.edu, sean@sn3rd.com, tls-chairs@ietf.org, tls@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Guidance for External PSK Usage in TLS) to Informational RFC


The IESG has received a request from the Transport Layer Security WG (tls) to
consider the following document: - 'Guidance for External PSK Usage in TLS'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2021-11-19. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document provides usage guidance for external Pre-Shared Keys
  (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446.
  This document lists TLS security properties provided by PSKs under
  certain assumptions, and then demonstrates how violations of these
  assumptions lead to attacks.  This document discusses PSK use cases
  and provisioning processes.  This document provides advice for
  applications to help meet these assumptions.  This document also
  lists the privacy and security properties that are not provided by
  TLS 1.3 when external PSKs are used.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-tls-external-psk-guidance/



No IPR declarations have been submitted directly on this I-D.




2021-10-29
03 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2021-10-29
03 Cindy Morgan Last call announcement was changed
2021-10-28
03 Benjamin Kaduk Last call was requested
2021-10-28
03 Benjamin Kaduk Last call announcement was generated
2021-10-28
03 Benjamin Kaduk Ballot approval text was generated
2021-10-28
03 Benjamin Kaduk Ballot writeup was generated
2021-10-28
03 Benjamin Kaduk IESG state changed to Last Call Requested from AD Evaluation::AD Followup
2021-10-13
03 (System) Changed action holders to Benjamin Kaduk (IESG state changed)
2021-10-13
03 (System) Sub state has been changed to AD Followup from Revised ID Needed
2021-10-13
03 Christopher Wood New version available: draft-ietf-tls-external-psk-guidance-03.txt
2021-10-13
03 (System) New version accepted (logged-in submitter: Christopher Wood)
2021-10-13
03 Christopher Wood Uploaded new revision
2021-08-20
02 (System) Changed action holders to Russ Housley, Mohit Sethi, Benjamin Kaduk, Christopher Wood, Jonathan Hoyland (IESG state changed)
2021-08-20
02 Benjamin Kaduk IESG state changed to AD Evaluation::Revised I-D Needed from AD Evaluation
2021-08-05
02 (System) Changed action holders to Benjamin Kaduk (IESG state changed)
2021-08-05
02 Benjamin Kaduk IESG state changed to AD Evaluation from Publication Requested
2021-02-26
02 Sean Turner
Summary

Sean Turner is the document Shepherd.
Ben Kaduk is the responsible Area Director.

This document was born from a DT (Design Team) formed after discussions at IETF 106 about draft-ietf-tls-external-psk-importer made it clear that some guidance was needed with respect to PSKs (Pre-Shared Keys).

Including this to avoid a protracted Informational vs BCP discussion: The document is intended as Informational. The Shepherd did ask whether anyone remembered a "BCP discussion," but none did. Thoughts on Informational vs BCP ranged from “informational is fine” to “no strong opinion”. Since the WG has had over a year to request a change and it has not, it was decided to leave it as is.

Review and Consensus

The DT was comprised of the following participants: Benjamin Beurdouche, Bjoern Haase, Christopher Wood, Colm MacCarthaigh, Eric Rescorla, Jonathan Hoyland, Martin Thomson, Mohamad Badra, Mohit Sethi, Oleg Pekar, Owen Friel, and Russ Housley. In addition to this powerhouse DT providing input on the original version of the document, the document was also reviewed by the following people: Scott Hollenbeck, Jim Schaad, Carrick Bartle, Watson Ladd, John Mattsson, Ben Smyth, and Jonathan Hammell. The Shepherd has no concerns whatsoever about the breadth and depth of reviews.

The DT’s output was presented at a virtual interim meeting.  The remainder of the discussion occurred on the list.

Intellectual Property

The Shepherd has verified that all of the authors have already disclosed any IPR related to this document, as is required by BCPs 78 and 79.

Other Points

There are no DOWNREFs.

There are no IANA considerations.
2021-02-26
02 Sean Turner Responsible AD changed to Benjamin Kaduk
2021-02-26
02 Sean Turner IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2021-02-26
02 Sean Turner IESG state changed to Publication Requested from I-D Exists
2021-02-26
02 Sean Turner IESG process started in state Publication Requested
2021-02-26
02 Sean Turner Changed consensus to Yes from Unknown
2021-02-26
02 Sean Turner
Summary

Sean Turner is the document Shepherd.
Ben Kaduk is the responsible Area Director.

This document was born from a DT (Design Team) formed after discussions at IETF 106 about draft-ietf-tls-external-psk-importer made it clear that some guidance was needed with respect to PSKs (Pre-Shared Keys).

Including this to avoid a protracted Informational vs BCP discussion: The document is intended as Informational. The Shepherd did ask whether anyone remembered a "BCP discussion," but none did. Thoughts on Informational vs BCP ranged from “informational is fine” to “no strong opinion”. Since the WG has had over a year to request a change and it has not, it was decided to leave it as is.

Review and Consensus

The DT was comprised of the following participants: Benjamin Beurdouche, Bjoern Haase, Christopher Wood, Colm MacCarthaigh, Eric Rescorla, Jonathan Hoyland, Martin Thomson, Mohamad Badra, Mohit Sethi, Oleg Pekar, Owen Friel, and Russ Housley. In addition to this powerhouse DT providing input on the original version of the document, the document was also reviewed by the following people: Scott Hollenbeck, Jim Schaad, Carrick Bartle, Watson Ladd, John Mattsson, Ben Smyth, and Jonathan Hammell. The Shepherd has no concerns whatsoever about the breadth and depth of reviews.

The DT’s output was presented at a virtual interim meeting.  The remainder of the discussion occurred on the list.

Intellectual Property

The Shepherd has verified that all of the authors have already disclosed any IPR related to this document, as is required by BCPs 78 and 79.

Other Points

There are no DOWNREFs.

There are no IANA considerations.
2021-02-24
02 Sean Turner Tag Revised I-D Needed - Issue raised by WG cleared.
2021-02-24
02 Sean Turner IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead
2021-02-20
02 Russ Housley New version available: draft-ietf-tls-external-psk-guidance-02.txt
2021-02-20
02 (System) New version accepted (logged-in submitter: Russ Housley)
2021-02-20
02 Russ Housley Uploaded new revision
2021-01-21
01 Sean Turner Tag Revised I-D Needed - Issue raised by WG set.
2021-01-21
01 Sean Turner IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call
2021-01-21
01 Sean Turner Intended Status changed to Informational from None
2021-01-21
01 Sean Turner Notification list changed to sean@sn3rd.com because the document shepherd was set
2021-01-21
01 Sean Turner Document shepherd changed to Sean Turner
2020-12-09
01 Sean Turner IETF WG state changed to In WG Last Call from WG Document
2020-11-02
01 Christopher Wood New version available: draft-ietf-tls-external-psk-guidance-01.txt
2020-11-02
01 (System) New version accepted (logged-in submitter: Christopher Wood)
2020-11-02
01 Christopher Wood Uploaded new revision
2020-06-19
00 Sean Turner This document now replaces draft-dt-tls-external-psk-guidance instead of None
2020-06-17
00 Christopher Wood New version available: draft-ietf-tls-external-psk-guidance-00.txt
2020-06-17
00 (System) New version accepted (logged-in submitter: Christopher Wood)
2020-06-17
00 Christopher Wood Uploaded new revision