Session Date/Time: 26 Jul 2023 20:00

TLS Meeting - IETF 117

Summary

The TLS working group meeting at IETF 117 covered several topics, including updates on Encrypted Client Hello (ECH), certificate compression, and the status of TLS 1.2. There were discussions regarding experimentation with ECH, a new proposed certificate compression scheme leveraging the Common CA Database (CCADB), and whether TLS 1.2 should be considered "frozen" regarding new features. There was also a brief discussion about using exported authenticators in HTTP.

Key Discussion Points

ECH Experimentation: Mozilla and Chrome provided updates on their ECH experimentation in Firefox Nightly and Chrome Canary, respectively. Connection success rates were comparable to baselines, but latency showed some discrepancies. A retry issue in Firefox was identified where servers were providing fresher ECH configs, leading to an extra round trip. Some older TLS 1.2 implementations were found to break when encountering unrecognized TLS extensions.
ECH Draft Progress: The draft is nearing completion, with efforts focused on resolving open issues before a working group last call around IETF 118. Key issues include specifying the inner ALPN when using ECH and verifying ECH configs before publishing DNS resource records.
Certificate Compression: A new certificate compression scheme was presented that aims to reduce certificate chain sizes, particularly for post-quantum certificates, by leveraging the CCADB to compress known intermediate and root certificates. The scheme uses a shared dictionary for compressing common extensions. There was discussion about the equity of the scheme for different CAs and the versioning strategy for dictionaries.
TLS 1.2 "Frozen": A draft proposing that TLS 1.2 be considered "frozen," meaning no new features would be added, was discussed. The intent is to signal to the outside world that the working group is focusing on TLS 1.3 and later. There were concerns about this potentially hindering necessary security fixes and the impact on enterprises still relying on TLS 1.2 features.
Post-Quantum Signature Schemes: An update was provided on candidate post-quantum signature schemes and their suitability for TLS, including analysis of key sizes, signature sizes, and performance.
Exported Authenticators: There was discussion on allowing clients to send certificates unprompted using exported authenticators, a feature requested for use in HTTP. There were concerns about security implications and whether this could be done safely without breaking existing properties.

Decisions and Action Items

ECH Draft: Editors will focus on closing open issues and preparing the draft for working group last call, aiming for IETF 118. Major top-level issues will be brought to the mailing list for discussion and resolution.
Certificate Compression: The working group expressed support for adopting the certificate compression draft. The ADs will consult with the ISG on concerns around standardizing a database construction procedure, but the current approach of a fixed dictionary in the RFC will be kept for now. The author will add some text to the security considerations around potential fingerprinting.
TLS 1.2 "Frozen": The working group voted against adopting the TLS 1.2 "frozen" component of the existing draft. The draft author will split the draft into a recommendation to use TLS 1.3 going forward and resubmit to the mailing list.
Consensus calls for obsolete tech stress and return route ability check WG last call to be completed by chairs.

Next Steps

ECH Draft: Continue implementation work, resolve open issues, and prepare for working group last call.
Certificate Compression: Address feedback from the mailing list, benchmark different dictionary formats, and evaluate latency improvements.
TLS 1.2 "Frozen": Split the draft into two separate documents: one advocating for TLS 1.3 adoption and the other focused on "freezing" TLS 1.2.
Exported Authenticators: Jonathan Hoylens to write an RFC on using the exported authenticators and address concerns related to unprompted transmission, including the context value and security implications raised.