[Last-Call] Re: [Emu] Re: draft-ietf-emu-bootstrapped-tls-08 ietf last call Artart review

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


-----Original Message-----
From: Michael Richardson <mcr+ietf@xxxxxxxxxxxx> 
Sent: Thursday 28 August 2025 22:00
To: Owen Friel (ofriel) <ofriel@xxxxxxxxx>; emu@xxxxxxxx; last-call@xxxxxxxx
Subject: Re: [Emu] Re: draft-ietf-emu-bootstrapped-tls-08 ietf last call Artart review


Owen Friel \(ofriel\) <ofriel=40cisco.com@xxxxxxxxxxxxxx> wrote:
    ofriel> Dan and I went back and forth on this one. We came up with 3
    ofriel> different options here:

    > 1. Always use SHA256
    > 2. Use a SHA length that depends on the BSK prime key length
    > 3. Use a SHA length that matches the target_kdf"

Seems to always be SHA2, right?
I know I read this document a few years ago, but many details are now vague, despite re-reading section 3.  can the choice be deferred until TLS has chosen a KDF?  No, because the ID has to go into the ClientHello, right?

[ofriel] It could match the target_kdf. We use RFC9258 which allows for multiple importedIdentity values, and each value specifies the target_kdf, so we *could* pick a hash that aligns with the target_kdf.

Our draft states: https://datatracker.ietf.org/doc/html/draft-ietf-emu-bootstrapped-tls-08#section-3.1

"The EPSK and ImportedIdentity are used in the TLS handshake as specified in [RFC9258]. Multiple ImportedIdentity values may be imported as per [RFC9258] section 5.1. The target_kdf follows [RFC9258] and aligns with the cipher suite hash algorithms advertised in the TLS 1.3 handshake between the device and the server."

And https://datatracker.ietf.org/doc/html/rfc9258#name-iana-considerations defines the mappings. So, we could include multiple different BSK-derived external_identity values, one for each kdf/hash.

We did get some other feedback at the time when we were debating this (back in January) pointing us to: https://www.imperialviolet.org/2016/05/16/agility.html and recommending sticking with SHA256 and avoiding adding extra options. 

Hence, we are good with sticking to SHA256 unless anyone strongly feels otherwise.

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux