From 1f4565eb13ddf09fa9adad0bb58186cbc13fc1a0 Mon Sep 17 00:00:00 2001 From: EKR Date: Mon, 10 Jul 2023 07:16:51 -0700 Subject: [PATCH 1/4] Recommend not using legible identities. Fixes #1308 --- draft-ietf-tls-rfc8446bis.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index 7aeeff0e..cc6b3ce8 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md @@ -5327,6 +5327,14 @@ Clients and Servers SHOULD NOT reuse a key share for multiple connections. Reuse of a key share allows passive observers to correlate different connections. Reuse of a client key share to the same server additionally allows the server to correlate different connections. +It is RECOMMENDED that the labels for external identities be selected so that they +do not provide additional information about the identity of the +user. For instance, if the label includes an e-mail address, then +this trivially identifies the user. There are a number of potential +ways to avoid this risk, including (1) using random identity labels +(2) pre-encrypting the identity under a key known to the server or (3) +using the Hello Encrypted Client Hello {{?I-D.ietf-tls-esni}} extension. + If an external PSK identity is used for multiple connections, then it will generally be possible for an external observer to track clients and/or servers across connections. Use of the From a6dac3285ab7138e1adca08dfb0674850adbbdcf Mon Sep 17 00:00:00 2001 From: EKR Date: Mon, 10 Jul 2023 07:18:11 -0700 Subject: [PATCH 2/4] Clarification --- draft-ietf-tls-rfc8446bis.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index cc6b3ce8..79b392d8 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md @@ -5330,7 +5330,8 @@ of a client key share to the same server additionally allows the server to corre It is RECOMMENDED that the labels for external identities be selected so that they do not provide additional information about the identity of the user. For instance, if the label includes an e-mail address, then -this trivially identifies the user. There are a number of potential +this trivially identifies the user to a passive attacker +(unlike the client's Certificate, which is encrypted). There are a number of potential ways to avoid this risk, including (1) using random identity labels (2) pre-encrypting the identity under a key known to the server or (3) using the Hello Encrypted Client Hello {{?I-D.ietf-tls-esni}} extension. From f6e3344260766833c181a8bd68c68913168c87c6 Mon Sep 17 00:00:00 2001 From: Christopher Wood Date: Thu, 13 Jul 2023 11:34:47 -0400 Subject: [PATCH 3/4] Update draft-ietf-tls-rfc8446bis.md --- draft-ietf-tls-rfc8446bis.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index 79b392d8..29ead804 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md @@ -5334,7 +5334,7 @@ this trivially identifies the user to a passive attacker (unlike the client's Certificate, which is encrypted). There are a number of potential ways to avoid this risk, including (1) using random identity labels (2) pre-encrypting the identity under a key known to the server or (3) -using the Hello Encrypted Client Hello {{?I-D.ietf-tls-esni}} extension. +using the Encrypted Client Hello {{?I-D.ietf-tls-esni}} extension. If an external PSK identity is used for multiple connections, then it will generally be possible for an external observer to track From 02cb675217656c2c0d4a3846cdaab97feb0ecf55 Mon Sep 17 00:00:00 2001 From: EKR Date: Thu, 13 Jul 2023 09:09:11 -0700 Subject: [PATCH 4/4] Remove parenthetical --- draft-ietf-tls-rfc8446bis.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index 29ead804..04e14b34 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md @@ -5330,8 +5330,8 @@ of a client key share to the same server additionally allows the server to corre It is RECOMMENDED that the labels for external identities be selected so that they do not provide additional information about the identity of the user. For instance, if the label includes an e-mail address, then -this trivially identifies the user to a passive attacker -(unlike the client's Certificate, which is encrypted). There are a number of potential +this trivially identifies the user to a passive attacker, +unlike the client's Certificate, which is encrypted. There are a number of potential ways to avoid this risk, including (1) using random identity labels (2) pre-encrypting the identity under a key known to the server or (3) using the Encrypted Client Hello {{?I-D.ietf-tls-esni}} extension.