draft-ietf-quic-tls-26.txt   draft-ietf-quic-tls-27.txt 
QUIC M. Thomson, Ed. QUIC M. Thomson, Ed.
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track S. Turner, Ed. Intended status: Standards Track S. Turner, Ed.
Expires: 24 August 2020 sn3rd Expires: 24 August 2020 sn3rd
21 February 2020 21 February 2020
Using TLS to Secure QUIC Using TLS to Secure QUIC
draft-ietf-quic-tls-26 draft-ietf-quic-tls-27
Abstract Abstract
This document describes how Transport Layer Security (TLS) is used to This document describes how Transport Layer Security (TLS) is used to
secure QUIC. secure QUIC.
Note to Readers Note to Readers
Discussion of this draft takes place on the QUIC working group Discussion of this draft takes place on the QUIC working group
mailing list (quic@ietf.org), which is archived at mailing list (quic@ietf.org), which is archived at
skipping to change at page 3, line 32 skipping to change at page 3, line 32
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 41 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 41
11.1. Normative References . . . . . . . . . . . . . . . . . . 41 11.1. Normative References . . . . . . . . . . . . . . . . . . 41
11.2. Informative References . . . . . . . . . . . . . . . . . 42 11.2. Informative References . . . . . . . . . . . . . . . . . 42
Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 43 Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 43
A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 43 A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 43
A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 44 A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 44
A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 46 A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 46
A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 47 A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 47 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 47
B.1. Since draft-ietf-quic-tls-25 . . . . . . . . . . . . . . 47 B.1. Since draft-ietf-quic-tls-26 . . . . . . . . . . . . . . 47
B.2. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 47 B.2. Since draft-ietf-quic-tls-25 . . . . . . . . . . . . . . 47
B.3. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 48 B.3. Since draft-ietf-quic-tls-24 . . . . . . . . . . . . . . 48
B.4. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 48 B.4. Since draft-ietf-quic-tls-23 . . . . . . . . . . . . . . 48
B.5. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 48 B.5. Since draft-ietf-quic-tls-22 . . . . . . . . . . . . . . 48
B.6. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 48 B.6. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 48
B.7. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 48 B.7. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 48
B.8. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 48 B.8. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 48
B.9. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 48 B.9. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 48
B.10. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 49 B.10. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 49
B.11. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 49 B.11. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 49
B.12. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 49 B.12. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 49
B.13. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 49 B.13. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 50
B.14. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 50 B.14. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 50
B.15. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 50 B.15. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 50
B.16. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 50 B.16. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 50
B.17. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 50 B.17. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 50
B.18. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 50 B.18. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 50
B.19. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 50 B.19. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 50
B.20. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 50 B.20. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 50
B.21. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 50 B.21. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 50
B.22. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 51 B.22. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 50
B.23. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 51 B.23. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 51
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 51 B.24. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
1. Introduction 1. Introduction
This document describes how QUIC [QUIC-TRANSPORT] is secured using This document describes how QUIC [QUIC-TRANSPORT] is secured using
TLS [TLS13]. TLS [TLS13].
TLS 1.3 provides critical latency improvements for connection TLS 1.3 provides critical latency improvements for connection
establishment over previous versions. Absent packet loss, most new establishment over previous versions. Absent packet loss, most new
connections can be established and secured within a single round connections can be established and secured within a single round
trip; on subsequent connections between the same client and server, trip; on subsequent connections between the same client and server,
skipping to change at page 41, line 43 skipping to change at page 41, line 43
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/info/rfc7301>. July 2014, <https://www.rfc-editor.org/info/rfc7301>.
[CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
<https://www.rfc-editor.org/info/rfc8439>. <https://www.rfc-editor.org/info/rfc8439>.
[QUIC-RECOVERY] [QUIC-RECOVERY]
Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", Work in Progress, Internet-Draft, and Congestion Control", Work in Progress, Internet-Draft,
draft-ietf-quic-recovery-26, 21 February 2020, draft-ietf-quic-recovery-27, 21 February 2020,
<https://tools.ietf.org/html/draft-ietf-quic-recovery-26>. <https://tools.ietf.org/html/draft-ietf-quic-recovery-27>.
[QUIC-TRANSPORT] [QUIC-TRANSPORT]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", Work in Progress, Multiplexed and Secure Transport", Work in Progress,
Internet-Draft, draft-ietf-quic-transport-26, 21 February Internet-Draft, draft-ietf-quic-transport-27, 21 February
2020, <https://tools.ietf.org/html/draft-ietf-quic- 2020, <https://tools.ietf.org/html/draft-ietf-quic-
transport-26>. transport-27>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
skipping to change at page 43, line 4 skipping to change at page 43, line 4
November 2014. November 2014.
[NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: [NAN] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed:
AEAD Revisited", DOI 10.1007/978-3-030-26948-7_9, Advances AEAD Revisited", DOI 10.1007/978-3-030-26948-7_9, Advances
in Cryptology - CRYPTO 2019 pp. 235-265, 2019, in Cryptology - CRYPTO 2019 pp. 235-265, 2019,
<https://doi.org/10.1007/978-3-030-26948-7_9>. <https://doi.org/10.1007/978-3-030-26948-7_9>.
[QUIC-HTTP] [QUIC-HTTP]
Bishop, M., Ed., "Hypertext Transfer Protocol Version 3 Bishop, M., Ed., "Hypertext Transfer Protocol Version 3
(HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf-
quic-http-26, 21 February 2020, quic-http-27, 21 February 2020,
<https://tools.ietf.org/html/draft-ietf-quic-http-26>. <https://tools.ietf.org/html/draft-ietf-quic-http-27>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
skipping to change at page 44, line 52 skipping to change at page 44, line 52
4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006 4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006
736572766572ff01000100000a001400 12001d00170018001901000101010201 736572766572ff01000100000a001400 12001d00170018001901000101010201
03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f 03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f
2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403 2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403
05030603020308040805080604010501 060102010402050206020202002d0002 05030603020308040805080604010501 060102010402050206020202002d0002
0101001c00024001 0101001c00024001
The unprotected header includes the connection ID and a 4 byte packet The unprotected header includes the connection ID and a 4 byte packet
number encoding for a packet number of 2: number encoding for a packet number of 2:
c3ff000019088394c8f03e5157080000449e00000002 c3ff00001b088394c8f03e5157080000449e00000002
Protecting the payload produces output that is sampled for header Protecting the payload produces output that is sampled for header
protection. Because the header uses a 4 byte packet number encoding, protection. Because the header uses a 4 byte packet number encoding,
the first 16 bytes of the protected payload is sampled, then applied the first 16 bytes of the protected payload is sampled, then applied
to the header: to the header:
sample = 535064a4268a0d9d7b1c9d250ae35516 sample = 535064a4268a0d9d7b1c9d250ae35516
mask = AES-ECB(hp, sample)[0..4] mask = AES-ECB(hp, sample)[0..4]
= 833b343aaa = 833b343aaa
header[0] ^= mask[0] & 0x0f header[0] ^= mask[0] & 0x0f
= c0 = c0
header[18..21] ^= mask[1..4] header[18..21] ^= mask[1..4]
= 3b343aa8 = 3b343aa8
header = c0ff000019088394c8f03e5157080000449e3b343aa8 header = c0ff00001b088394c8f03e5157080000449e3b343aa8
The resulting protected packet is: The resulting protected packet is:
c0ff000019088394c8f03e5157080000 449e3b343aa8535064a4268a0d9d7b1c c0ff00001b088394c8f03e5157080000 449e3b343aa8535064a4268a0d9d7b1c
9d250ae355162276e9b1e3011ef6bbc0 ab48ad5bcc2681e953857ca62becd752 9d250ae355162276e9b1e3011ef6bbc0 ab48ad5bcc2681e953857ca62becd752
4daac473e68d7405fbba4e9ee616c870 38bdbe908c06d9605d9ac49030359eec 4daac473e68d7405fbba4e9ee616c870 38bdbe908c06d9605d9ac49030359eec
b1d05a14e117db8cede2bb09d0dbbfee 271cb374d8f10abec82d0f59a1dee29f b1d05a14e117db8cede2bb09d0dbbfee 271cb374d8f10abec82d0f59a1dee29f
e95638ed8dd41da07487468791b719c5 5c46968eb3b54680037102a28e53dc1d e95638ed8dd41da07487468791b719c5 5c46968eb3b54680037102a28e53dc1d
12903db0af5821794b41c4a93357fa59 ce69cfe7f6bdfa629eef78616447e1d6 12903db0af5821794b41c4a93357fa59 ce69cfe7f6bdfa629eef78616447e1d6
11c4baf71bf33febcb03137c2c75d253 17d3e13b684370f668411c0f00304b50 11c4baf71bf33febcb03137c2c75d253 17d3e13b684370f668411c0f00304b50
1c8fd422bd9b9ad81d643b20da89ca05 25d24d2b142041cae0af205092e43008 1c8fd422bd9b9ad81d643b20da89ca05 25d24d2b142041cae0af205092e43008
0cd8559ea4c5c6e4fa3f66082b7d303e 52ce0162baa958532b0bbc2bc785681f 0cd8559ea4c5c6e4fa3f66082b7d303e 52ce0162baa958532b0bbc2bc785681f
cf37485dff6595e01e739c8ac9efba31 b985d5f656cc092432d781db95221724 cf37485dff6595e01e739c8ac9efba31 b985d5f656cc092432d781db95221724
87641c4d3ab8ece01e39bc85b1543661 4775a98ba8fa12d46f9b35e2a55eb72d 87641c4d3ab8ece01e39bc85b1543661 4775a98ba8fa12d46f9b35e2a55eb72d
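Review bot: in A.2 the version bytes of the header change from ff000019 to ff00001b, yet the sample, the mask and the protected packet number bytes (3b343aa8) are identical in both columns, and the text gives no reason for that. Suggest adding one sentence saying that the sample is taken from the protected payload, whose leading bytes are the same in both columns, so the mask is not expected to change with the version field; without it a reader regenerating the vectors may assume the sample was left stale. Style, in the unchanged context: "the first 16 bytes of the protected payload is sampled" should read "are sampled", and "4 byte" should be hyphenated as "4-byte" to match "2-byte" in A.3.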
skipping to change at page 46, line 42 skipping to change at page 46, line 42
93a5d0638d32fc51c5c65ff291a3a7a5 2fd6775e623a4439cc08dd25582febc9 93a5d0638d32fc51c5c65ff291a3a7a5 2fd6775e623a4439cc08dd25582febc9
44ef92d8dbd329c91de3e9c9582e41f1 7f3d186f104ad3f90995116c682a2a14 44ef92d8dbd329c91de3e9c9582e41f1 7f3d186f104ad3f90995116c682a2a14
a3b4b1f547c335f0be710fc9fc03e0e5 87b8cda31ce65b969878a4ad4283e6d5 a3b4b1f547c335f0be710fc9fc03e0e5 87b8cda31ce65b969878a4ad4283e6d5
b0373f43da86e9e0ffe1ae0fddd35162 55bd74566f36a38703d5f34249ded1f6 b0373f43da86e9e0ffe1ae0fddd35162 55bd74566f36a38703d5f34249ded1f6
6b3d9b45b9af2ccfefe984e13376b1b2 c6404aa48c8026132343da3f3a33659e 6b3d9b45b9af2ccfefe984e13376b1b2 c6404aa48c8026132343da3f3a33659e
c1b3e95080540b28b7f3fcd35fa5d843 b579a84c089121a60d8c1754915c344e c1b3e95080540b28b7f3fcd35fa5d843 b579a84c089121a60d8c1754915c344e
eaf45a9bf27dc0c1e784161691220913 13eb0e87555abd706626e557fc36a04f eaf45a9bf27dc0c1e784161691220913 13eb0e87555abd706626e557fc36a04f
cd191a58829104d6075c5594f627ca50 6bf181daec940f4a4f3af0074eee89da cd191a58829104d6075c5594f627ca50 6bf181daec940f4a4f3af0074eee89da
acde6758312622d4fa675b39f728e062 d2bee680d8f41a597c262648bb18bcfc acde6758312622d4fa675b39f728e062 d2bee680d8f41a597c262648bb18bcfc
13c8b3d97b1a77b2ac3af745d61a34cc 4709865bac824a94bb19058015e4e42d 13c8b3d97b1a77b2ac3af745d61a34cc 4709865bac824a94bb19058015e4e42d
aebe13f98ec51170a4aad0a8324bb768 38d3b779d72edc00c5cd088eff802b05
A.3. Server Initial A.3. Server Initial
The server sends the following payload in response, including an ACK The server sends the following payload in response, including an ACK
frame, a CRYPTO frame, and no PADDING frames: frame, a CRYPTO frame, and no PADDING frames:
0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988 0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988
cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d
89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002 89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002
0304 0304
The header from the server includes a new connection ID and a 2-byte The header from the server includes a new connection ID and a 2-byte
packet number encoding for a packet number of 1: packet number encoding for a packet number of 1:
c1ff0000190008f067a5502a4262b50040740001 c1ff00001b0008f067a5502a4262b50040740001
As a result, after protection, the header protection sample is taken As a result, after protection, the header protection sample is taken
starting from the third protected octet: starting from the third protected octet:
sample = 7002596f99ae67abf65a5852f54f58c3 sample = 7002596f99ae67abf65a5852f54f58c3
mask = 38168a0c25 mask = 38168a0c25
header = c9ff0000190008f067a5502a4262b5004074168b header = c9ff00001b0008f067a5502a4262b5004074168b
The final protected packet is then: The final protected packet is then:
c9ff0000190008f067a5502a4262b500 4074168bf22b7002596f99ae67abf65a c9ff00001b0008f067a5502a4262b500 4074168bf22b7002596f99ae67abf65a
5852f54f58c37c808682e2e40492d8a3 899fb04fc0afe9aabc8767b18a0aa493 5852f54f58c37c808682e2e40492d8a3 899fb04fc0afe9aabc8767b18a0aa493
537426373b48d502214dd856d63b78ce e37bc664b3fe86d487ac7a77c53038a3 537426373b48d502214dd856d63b78ce e37bc664b3fe86d487ac7a77c53038a3
cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92b99c8ae5833225cb51855 cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92bd8c3a9528d2b6aca20f0
20d61e68cf5f 8047d9f017f0
A.4. Retry A.4. Retry
This shows a Retry packet that might be sent in response to the This shows a Retry packet that might be sent in response to the
Initial packet in Appendix A.2. The integrity check includes the Initial packet in Appendix A.2. The integrity check includes the
client-chosen connection ID value of 0x8394c8f03e515708, but that client-chosen connection ID value of 0x8394c8f03e515708, but that
value is not included in the final Retry packet: value is not included in the final Retry packet:
ffff0000190008f067a5502a4262b574 6f6b656e1e5ec5b014cbb1f0fd93df40 ffff00001b0008f067a5502a4262b574 6f6b656ea523cb5ba524695f6569f293
48c446a6 a1359d8e
Appendix B. Change Log Appendix B. Change Log
*RFC Editor's Note:* Please remove this section prior to *RFC Editor's Note:* Please remove this section prior to
publication of a final version of this document. publication of a final version of this document.
Issue and pull request numbers are listed with a leading octothorp. Issue and pull request numbers are listed with a leading octothorp.
B.1. Since draft-ietf-quic-tls-25 B.1. Since draft-ietf-quic-tls-26
* Updated examples
B.2. Since draft-ietf-quic-tls-25
* No changes * No changes
B.2. Since draft-ietf-quic-tls-24 B.3. Since draft-ietf-quic-tls-24
* Rewrite key updates (#3050) * Rewrite key updates (#3050)
- Allow but don't recommend deferring key updates (#2792, #3263) - Allow but don't recommend deferring key updates (#2792, #3263)
- More completely define received behavior (#2791) - More completely define received behavior (#2791)
- Define the label used with HKDF-Expand-Label (#3054) - Define the label used with HKDF-Expand-Label (#3054)
B.3. Since draft-ietf-quic-tls-23 B.4. Since draft-ietf-quic-tls-23
* Key update text update (#3050): * Key update text update (#3050):
- Recommend constant-time key replacement (#2792) - Recommend constant-time key replacement (#2792)
- Provide explicit labels for key update key derivation (#3054) - Provide explicit labels for key update key derivation (#3054)
* Allow first Initial from a client to span multiple packets (#2928, * Allow first Initial from a client to span multiple packets (#2928,
#3045) #3045)
* PING can be sent at any encryption level (#3034, #3035) * PING can be sent at any encryption level (#3034, #3035)
B.4. Since draft-ietf-quic-tls-22 B.5. Since draft-ietf-quic-tls-22
* Update the salt used for Initial secrets (#2887, #2980) * Update the salt used for Initial secrets (#2887, #2980)
B.5. Since draft-ietf-quic-tls-21 B.6. Since draft-ietf-quic-tls-21
* No changes * No changes
B.6. Since draft-ietf-quic-tls-20 B.7. Since draft-ietf-quic-tls-20
* Mandate the use of the QUIC transport parameters extension (#2528, * Mandate the use of the QUIC transport parameters extension (#2528,
#2560) #2560)
* Define handshake completion and confirmation; define clearer rules * Define handshake completion and confirmation; define clearer rules
when it encryption keys should be discarded (#2214, #2267, #2673) when it encryption keys should be discarded (#2214, #2267, #2673)
B.7. Since draft-ietf-quic-tls-18 B.8. Since draft-ietf-quic-tls-18
* Increased the set of permissible frames in 0-RTT (#2344, #2355) * Increased the set of permissible frames in 0-RTT (#2344, #2355)
* Transport parameter extension is mandatory (#2528, #2560) * Transport parameter extension is mandatory (#2528, #2560)
B.8. Since draft-ietf-quic-tls-17 B.9. Since draft-ietf-quic-tls-17
* Endpoints discard initial keys as soon as handshake keys are * Endpoints discard initial keys as soon as handshake keys are
available (#1951, #2045) available (#1951, #2045)
* Use of ALPN or equivalent is mandatory (#2263, #2284) * Use of ALPN or equivalent is mandatory (#2263, #2284)
B.9. Since draft-ietf-quic-tls-14 B.10. Since draft-ietf-quic-tls-14
* Update the salt used for Initial secrets (#1970) * Update the salt used for Initial secrets (#1970)
* Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) * Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019)
* Change header protection * Change header protection
- Sample from a fixed offset (#1575, #2030) - Sample from a fixed offset (#1575, #2030)
- Cover part of the first byte, including the key phase (#1322, - Cover part of the first byte, including the key phase (#1322,
#2006) #2006)
* TLS provides an AEAD and KDF function (#2046) * TLS provides an AEAD and KDF function (#2046)
- Clarify that the TLS KDF is used with TLS (#1997) - Clarify that the TLS KDF is used with TLS (#1997)
- Change the labels for calculation of QUIC keys (#1845, #1971, - Change the labels for calculation of QUIC keys (#1845, #1971,
#1991) #1991)
* Initial keys are discarded once Handshake keys are available * Initial keys are discarded once Handshake keys are available
(#1951, #2045) (#1951, #2045)
B.10. Since draft-ietf-quic-tls-13 B.11. Since draft-ietf-quic-tls-13
* Updated to TLS 1.3 final (#1660) * Updated to TLS 1.3 final (#1660)
B.11. Since draft-ietf-quic-tls-12 B.12. Since draft-ietf-quic-tls-12
* Changes to integration of the TLS handshake (#829, #1018, #1094, * Changes to integration of the TLS handshake (#829, #1018, #1094,
#1165, #1190, #1233, #1242, #1252, #1450) #1165, #1190, #1233, #1242, #1252, #1450)
- The cryptographic handshake uses CRYPTO frames, not stream 0 - The cryptographic handshake uses CRYPTO frames, not stream 0
- QUIC packet protection is used in place of TLS record - QUIC packet protection is used in place of TLS record
protection protection
- Separate QUIC packet number spaces are used for the handshake - Separate QUIC packet number spaces are used for the handshake
- Changed Retry to be independent of the cryptographic handshake - Changed Retry to be independent of the cryptographic handshake
- Limit the use of HelloRetryRequest to address TLS needs (like - Limit the use of HelloRetryRequest to address TLS needs (like
key shares) key shares)
* Changed codepoint of TLS extension (#1395, #1402) * Changed codepoint of TLS extension (#1395, #1402)
B.12. Since draft-ietf-quic-tls-11 B.13. Since draft-ietf-quic-tls-11
* Encrypted packet numbers. * Encrypted packet numbers.
B.13. Since draft-ietf-quic-tls-10 B.14. Since draft-ietf-quic-tls-10
* No significant changes. * No significant changes.
B.14. Since draft-ietf-quic-tls-09 B.15. Since draft-ietf-quic-tls-09
* Cleaned up key schedule and updated the salt used for handshake * Cleaned up key schedule and updated the salt used for handshake
packet protection (#1077) packet protection (#1077)
B.15. Since draft-ietf-quic-tls-08 B.16. Since draft-ietf-quic-tls-08
* Specify value for max_early_data_size to enable 0-RTT (#942) * Specify value for max_early_data_size to enable 0-RTT (#942)
* Update key derivation function (#1003, #1004) * Update key derivation function (#1003, #1004)
B.16. Since draft-ietf-quic-tls-07 B.17. Since draft-ietf-quic-tls-07
* Handshake errors can be reported with CONNECTION_CLOSE (#608, * Handshake errors can be reported with CONNECTION_CLOSE (#608,
#891) #891)
B.17. Since draft-ietf-quic-tls-05 B.18. Since draft-ietf-quic-tls-05
No significant changes. No significant changes.
B.18. Since draft-ietf-quic-tls-04 B.19. Since draft-ietf-quic-tls-04
* Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) * Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)
B.19. Since draft-ietf-quic-tls-03 B.20. Since draft-ietf-quic-tls-03
No significant changes. No significant changes.
B.20. Since draft-ietf-quic-tls-02 B.21. Since draft-ietf-quic-tls-02
* Updates to match changes in transport draft * Updates to match changes in transport draft
B.21. Since draft-ietf-quic-tls-01 B.22. Since draft-ietf-quic-tls-01
* Use TLS alerts to signal TLS errors (#272, #374) * Use TLS alerts to signal TLS errors (#272, #374)
* Require ClientHello to fit in a single packet (#338) * Require ClientHello to fit in a single packet (#338)
* The second client handshake flight is now sent in the clear (#262, * The second client handshake flight is now sent in the clear (#262,
#337) #337)
* The QUIC header is included as AEAD Associated Data (#226, #243, * The QUIC header is included as AEAD Associated Data (#226, #243,
#302) #302)
* Add interface necessary for client address validation (#275) * Add interface necessary for client address validation (#275)
* Define peer authentication (#140) * Define peer authentication (#140)
* Require at least TLS 1.3 (#138) * Require at least TLS 1.3 (#138)
* Define transport parameters as a TLS extension (#122) * Define transport parameters as a TLS extension (#122)
* Define handling for protected packets before the handshake * Define handling for protected packets before the handshake
completes (#39) completes (#39)
* Decouple QUIC version and ALPN (#12) * Decouple QUIC version and ALPN (#12)
B.22. Since draft-ietf-quic-tls-00 B.23. Since draft-ietf-quic-tls-00
* Changed bit used to signal key phase * Changed bit used to signal key phase
* Updated key phase markings during the handshake * Updated key phase markings during the handshake
* Added TLS interface requirements section * Added TLS interface requirements section
* Moved to use of TLS exporters for key derivation * Moved to use of TLS exporters for key derivation
* Moved TLS error code definitions into this document * Moved TLS error code definitions into this document
B.23. Since draft-thomson-quic-tls-01 B.24. Since draft-thomson-quic-tls-01
* Adopted as base for draft-ietf-quic-tls * Adopted as base for draft-ietf-quic-tls
* Updated authors/editors list * Updated authors/editors list
* Added status note * Added status note
Contributors Contributors
The IETF QUIC Working Group received an enormous amount of support The IETF QUIC Working Group received an enormous amount of support
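Review bot: the new B.1 entry "Updated examples" does not say what was updated. In the A.3 and A.4 vectors of this hunk the version bytes go from ff000019 to ff00001b and, apart from that, only the final 16 bytes of the Server Initial and of the Retry packet differ, while the A.3 sample and mask are unchanged; suggest the entry state that the examples were regenerated for the new version value. In A.4 the text says the integrity check covers the client-chosen connection ID 0x8394c8f03e515708, which is absent from the packet, so listing the exact input to the check alongside the packet would let implementers reproduce those last 16 bytes. The unchanged draft-20 change log entry still reads "when it encryption keys should be discarded"; drop the stray "it".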
 End of changes. 42 change blocks. 
68 lines changed or deleted 75 lines changed or added
