You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"body": "If transitioning between PAKEs algorithms, a client may find itself needing to offer multiple PAKE shares. But this means computing the initial message for _each_ PAKE and sending all of them. This may be expensive for, e.g. PQ-sized options or just when there are many algorithms to support.\r\n\r\nFor key_share, we had this whole HelloRetryRequest dance. Do we need something similar here?",
397
397
"createdAt": "2024-12-12T20:33:12Z",
398
-
"updatedAt": "2025-01-07T00:38:09Z",
399
-
"closedAt": null,
398
+
"updatedAt": "2025-01-31T22:16:03Z",
399
+
"closedAt": "2025-01-31T22:16:02Z",
400
400
"comments": [
401
401
{
402
402
"author": "baumanl",
403
403
"authorAssociation": "COLLABORATOR",
404
404
"body": "Our take was that unlike key_share and the general situation where the TLS client and server need to be able to handle a broad range of supported group options, in the PAKE case it is unlikely there will be many algorithms. PAKEs are typically used for more peer to peer protocols and require the client to register to the server before running the protocol, so if the server requires a specific PAKE it could feasibly tell the client that at registration time (maybe we don't want to depend on application layer negotiation of TLS parameters, but this seems like a case where it would be possible). \r\n\r\nIn the case where multiple PQ sized options need to be computed and sent then HRR support could be useful. But considering we don't yet have a single PQ PAKE I am not convinced it is worth the complexity to specify the entire HRR flow now as opposed to leaving it for future work if and when it becomes a concern. ",
405
405
"createdAt": "2025-01-07T00:38:07Z",
406
406
"updatedAt": "2025-01-07T00:38:07Z"
407
+
},
408
+
{
409
+
"author": "baumanl",
410
+
"authorAssociation": "COLLABORATOR",
411
+
"body": "@davidben I believe we discussed this offline. I'm going to close, but let me know if there are still concerns here.",
"body": "I'm guessing NamedPAKE was chosen in reference to NamedGroup and NamedCurve? AIUI, \"named\" there is because both ECDHE and DHE had incarnations in TLS where, rather than referencing the algorithm by name, you spelled the parameters out explicitly.\n\n* DHE had the pre-RFC-7919 formulation where the server just specified p and g on the wire. (The post-RFC-7919 formulation is also didn't really fix it, but that's beside the point. \ud83d\ude04)\n* RFC 4492, before RFC 8996 removed it, had `arbitrary_explicit_prime_curves` and `arbitrary_explicit_char2_curves` for spelling the ECDHE curve out.\n\nThese explicit options were widely considered mistakes, so hopefully we won't have this named vs explicit dichotomy to capture anymore. Elsewhere, cipher suites and signature schemes are also names given to parameter sets, and we just call them CipherSuite and SignatureScheme since there is an alternate to distinguish.\n\nGiven that, should we rename `NamedPAKE` to just `PAKE` or something? (And then folks aren't tempted to stick \"named\" in APIs, which seems just confusing. \ud83d\ude04 )",
447
454
"createdAt": "2025-01-17T22:28:04Z",
448
-
"updatedAt": "2025-01-17T22:28:04Z",
449
-
"closedAt": null,
450
-
"comments": []
455
+
"updatedAt": "2025-01-31T23:12:38Z",
456
+
"closedAt": "2025-01-31T23:12:38Z",
457
+
"comments": [
458
+
{
459
+
"author": "baumanl",
460
+
"authorAssociation": "COLLABORATOR",
461
+
"body": "I defer to your knowledge of the history of \"named\" prefixes and I agree we don't want to imply we are also supporting an \"explicit\" parameter mode! But when just `PAKE` is used I think parts of the draft could be confusing to read since there could potentially be different `PAKE`'s all using the same underlying PAKE but with different parameters selected. (e.g. `SPAKE2PLUS_V1` and a theoretical `SPAKE2PLUS_V2`). ",
462
+
"createdAt": "2025-01-31T19:03:15Z",
463
+
"updatedAt": "2025-01-31T19:03:15Z"
464
+
},
465
+
{
466
+
"author": "davidben",
467
+
"authorAssociation": "COLLABORATOR",
468
+
"body": "Ah yeah, having both `PAKE` (the enum) and `pake` (the extension) is confusing. Also gets into philosophical questions about whether SPAKE2+ is a PAKE or a parameterized family of PAKEs. I dunno if \"named\" really captures that either though. (Mostly I feel very silly saying \"named group\" to people because it's such a meaningless combination of words. \ud83d\ude06)\n\nHmm... spitballing, what about PAKEScheme or PAKEAlgorithm or PAKESuite?\n\nSignatures use SignatureScheme, but that's mostly because SignatureAlgorithm was already taken (also by a parameterized family vs instantiation mishap). But scheme is also shorter than algorithm, so I don't particularly regret it.\n\nCipher suites use \"suite\" but that's because they used to be all-encompassing (in SSL 3 they were the only parameter) and then gradually chunks got pulled out (we have `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, not `TLS_ECDHE_P256_RSA_WITH_AES_128_GCM_SHA256`), until we finally gave up on that in TLS 1.3 and made them just the AEAD and PRF hash. (And really the PRF hash was only there because adding a new enum seemed silly.)\n\nI think I would lean more towards \"scheme\" or \"algorithm\". There's also \"ID\" but PAKEID is illegible.\n\nWDYT?",
469
+
"createdAt": "2025-01-31T19:50:05Z",
470
+
"updatedAt": "2025-01-31T19:50:05Z"
471
+
},
472
+
{
473
+
"author": "baumanl",
474
+
"authorAssociation": "COLLABORATOR",
475
+
"body": "I like PAKEScheme. I think algorithm still somewhat implies that it is referring to a particular PAKE/family of PAKEs. I think Scheme is fuzzy enough that it avoids that but still provides enough context on what the enum is. ",
476
+
"createdAt": "2025-01-31T19:54:28Z",
477
+
"updatedAt": "2025-01-31T19:54:28Z"
478
+
},
479
+
{
480
+
"author": "davidben",
481
+
"authorAssociation": "COLLABORATOR",
482
+
"body": "SGTM!",
483
+
"createdAt": "2025-01-31T21:45:58Z",
484
+
"updatedAt": "2025-01-31T21:45:58Z"
485
+
}
486
+
]
451
487
},
452
488
{
453
489
"number": 16,
454
490
"id": "I_kwDOM83jm86num3H",
455
491
"title": "pake removes the need for supported_groups and signature_algorithms",
"body": "RFC 8446, section 9.2 has this text:\n\n> - If not containing a \"pre_shared_key\" extension, it MUST contain\n> both a \"signature_algorithms\" extension and a \"supported_groups\"\n> extension.\n\nThis text is correct for RFC 8446, but this draft introduces another option that removes the need for the certificate-based flow. We probably need a sentence somewhere saying that explicitly.",
"body": "FWIW, this is the version we ended up implementing in BoringSSL. Purely because we already had the code for it and I was too lazy to change it. :-) Though if folks particularly want it to not be sorted, I can go back and tweak it. One way or another, I think we should either:\r\n\r\n* Say it is a client preference order\r\n* Say it is sorted\r\n\r\nRight now I think we say neither. But also I assume everything about negotiation will get reworked to no end later anyway.",
699
+
"createdAt": "2025-01-31T19:35:06Z",
700
+
"updatedAt": "2025-01-31T19:35:06Z"
701
+
}
702
+
],
659
703
"reviews": [
660
704
{
661
705
"id": "PRR_kwDOM83jm86TyMZN",
@@ -713,6 +757,143 @@
713
757
"comments": []
714
758
}
715
759
]
760
+
},
761
+
{
762
+
"number": 17,
763
+
"id": "PR_kwDOM83jm86Jrcb1",
764
+
"title": "add text around modification to supported_groups requirement",
"body": "LGTM with two extremely silly nitpicks. :-)",
797
+
"createdAt": "2025-01-31T19:36:55Z",
798
+
"updatedAt": "2025-01-31T19:39:08Z",
799
+
"comments": [
800
+
{
801
+
"originalPosition": 5,
802
+
"body": "Super nitpicky nitpick: I have never understood whether you are supposed to say \"Client Hello\" or \"ClientHello\" in prose. RFC 8446 uses \"Client Hello\" in section headers, but all the text says \"ClientHello\". I guess that would suggest this should say ClientHello. \ud83e\udd37",
803
+
"createdAt": "2025-01-31T19:36:56Z",
804
+
"updatedAt": "2025-01-31T19:39:08Z"
805
+
},
806
+
{
807
+
"originalPosition": 4,
808
+
"body": "Nitpick: I'm not sure if this is actually the style or if I'm just making this up, but I feel like I usually don't see normative text in Introduction sections. I might suggest either moving this to Client Behavior (where we talk about the client extension) or maybe in a separate section after Key Schedule Modifications.",
809
+
"createdAt": "2025-01-31T19:38:53Z",
810
+
"updatedAt": "2025-01-31T19:39:08Z"
811
+
}
812
+
]
813
+
},
814
+
{
815
+
"id": "PRR_kwDOM83jm86aPPzu",
816
+
"commit": {
817
+
"abbreviatedOid": "ad4a871"
818
+
},
819
+
"author": "davidben",
820
+
"authorAssociation": "COLLABORATOR",
821
+
"state": "COMMENTED",
822
+
"body": "",
823
+
"createdAt": "2025-01-31T19:40:12Z",
824
+
"updatedAt": "2025-01-31T19:40:12Z",
825
+
"comments": [
826
+
{
827
+
"originalPosition": 4,
828
+
"body": "Other reason to move this is that, in the intro, we haven't yet introduced the `pake` extension, so this should probably go somewhere after the point where `pake` is defined.",
0 commit comments