tls

Summary

This TLS working group meeting covered several key topics, including status updates on working group documents, adoption calls for new drafts, and discussions around post-quantum cryptography (PQC). A significant portion of the meeting focused on the transition to PQC, including dual certificates, hybrid key exchange, and ML-KEM only key agreement. The meeting also addressed extended key update, jumbo records and a potential applicability statement.

Key Discussion Points

Working Group Document Status: Several documents are nearing completion, including 8447 BIS, ECH drafts, and TLS 1.3 updates. Concerns regarding expired drafts and the need for author availability were raised.
Adoption Calls: Discussion on adoption calls for SLHDSA, composite MLDSA, dual certs, and MTLS flags. The working group will proceed with adoption calls with an awareness of address harvesting and the need for a hybrid approach.
PQ Algorithm Considerations: The need to decide whether PQ algorithms will be informational or standards track documents was highlighted, as well as the development of applicability statements and security considerations.
Stephen's Catch Draft: A working group last call was considered, but delayed to incorporate community comments.
Extended Key Update: Discussion of forward secrecy vs post compromise security and simplification of conflict resolution and rejection of key updates.
Jumbo Records: Presentation on large record sizes for TLS and DTLS, including implementing variable length length field and new record type format.
ML-KEM Only Key Agreement: Updates on the draft, including removing unnecessary text and addressing concerns about failures.
PAKE Authentication: Presentation on TLS 1.3 PAKE authentication, with concerns on how to integrate with three-move PAKE integration.
Dual Certificates: Extensive discussion on the transition to PQC and the pros and cons of dual certificates versus composite certificates. The working group members have conflicting ideas and a consensus needs to be met.

Decisions and Action Items

Extended Key Update: Work with FAT on proper text and address DTLS section to retransmissions.
Jumbo Records: Review, and implement variable length length field in a PR, then discuss on the list.
PAKE Authentication: Schedule an adoption call with the understanding that the content will be open to change after adoption.
Dual Certificates: Revisit on the mailing list.

Next Steps

Authors to address action items, and implement suggested changes.
Continue discussions on PQC transition strategies on the mailing list.
Initiate adoption calls for drafts deemed ready.

Session Date/Time: 23 Jul 2025 14:00

TLS

Summary

The TLS working group met to discuss several individual drafts, including workload identifier scope hints, TLS 1.3 certificate updates, reliable transparency and revocation mechanisms, remote attestation, extensions to the FAT process, and ECH configuration updates. Discussions focused on the technical merits of each proposal, potential drawbacks, and areas for further consideration.

Key Discussion Points

Workload Identifier Scope Hint: A proposal to introduce a TLS extension to signal workload identity scopes in the Client Hello. Concerns were raised about application-specific behavior and the appropriateness of including strings that dictate user agent behavior. The applicability of ALPN as an alternative was also discussed.
TLS 1.3 Certificate Update: A proposal to implement certificate updates on the TLS layer to address scenarios with long-lived connections and shorter certificate lifetimes. Concerns were raised about the added complexity to the TLS protocol, the justification for the changes, and alternative application-layer solutions. There was also a question about the utility of the extension in revocation scenarios if the signing authority were compromised.
Reliable Transparency and Revocation Mechanisms: A draft based on Key Transparency (KT) to improve the security of the Certificate Transparency (CT) ecosystem. Concerns were raised about the complexity of the solution, the size of proofs, the operational overhead on servers, and privacy implications. Suggestions were made to focus the work in the appropriate working group.
Remote Attestation: Update after the BOF. Model and security goals for remote attestation within TLS. The main point was to bind remote attestation to the TLS protocol. Discussion revolved around assumptions, threat models, and time-of-check to time-of-use vulnerabilities.
Extensions to FAT process: A call for additions to the FAT process that would specify the inclusion of threat models, security goals, and protocol diagrams within the drafts. Points were raised against this, suggesting the approach was overly prescriptive, and that it could add unneeded burden to the draft adoption process.
ECH Configuration Updates: A proposal to sign ECH configurations to allow for easier updates. Discussions centered on potential trust mechanisms, the retry flow case, and the threat modeling driving the proposal. Questions were raised about key management and the integration with existing PKI.

Decisions and Action Items

Workload Identifier Scope Hint: Take the discussion to the mailing list.
TLS 1.3 Certificate Update: Take the discussion to the mailing list for further consideration.
Reliable Transparency and Revocation Mechanisms: Further discussion in the appropriate Key Transparency or privacy mailing list, the plant's mailing list and a BOF.
Remote Attestation: The work should continue and further be discussed, building upon the current model.
FAT Process Extensions: The process should not be prescriptive and should be open to the working group for advice and recommendations.
ECH Configuration Updates: Present a write up covering the discussion to address concerns over current implementations.

Next Steps

Working group adoption call for the PAKE draft.
Working group last call for the legacy RSA bkcs version 1.5 signatures for TLS 1.3.
SLH DSA working group adoption call.