| Internet-Draft | Extensions to TLS FATT Process | April 2026 |
| Sardar | Expires 22 October 2026 | [Page] |
This document applies only to non-trivial extensions of TLS, which require formal analysis. It proposes the authors specify a threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft. We also briefly present a few pain points of the team doing the formal analysis which -- we believe -- require refining the process:¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://muhammad-usama-sardar.github.io/tls-fatt-extension/draft-usama-tls-fatt-extension.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-usama-tls-fatt-extension/.¶
Discussion of this document takes place on the Transport Layer Security Working Group mailing list (mailto:tls@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/tls/. Subscribe at https://www.ietf.org/mailman/listinfo/tls/.¶
Source for this draft and an issue tracker can be found at https://github.com/muhammad-usama-sardar/tls-fatt-extension.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
While the TLS FATT process [TLS-FATT] marks a historic change in achieving high cryptographic assurances by tightly integrating formal methods in the working group (WG) process, the current FATT process has some practical limitations. Given a relatively smaller formal methods community, and a steep learning curve as well as very low consideration of usability in the existing formal analysis tools, this document proposes some solutions to make the FATT process sustainable.¶
Specifically, the TLS FATT process does not outline the division of responsibility between the authors and the team doing the formal analysis (the latter is hereafter referred to as the "Verifier"). This document aims to propose some solutions without putting an extensive burden on either party.¶
An argument is often presented by the authors that an Internet-Draft is written for the implementers. We make several counter-arguments here:¶
Researchers and protocol designers are also stakeholders of such specifications [I-D.irtf-cfrg-cryptography-specification].¶
Even implementers may like to understand the security implications before blindly starting to implement it.¶
With the FATT process, this argument is clearly invalid. The Verifier may not be an implementer.¶
This document outlines the corresponding changes in the way Internet-Drafts are typically written. For the Internet-Draft to be useful for the formal analysis, this document proposes that the draft should contain four main items, namely:¶
motivation,¶
a threat model,¶
informal security goals, and¶
a protocol diagram (Section 2.1).¶
Each one of these is summarized in Section 5. Future versions of this draft will include concrete examples.¶
Responsibilities of the Verifier are summarized in Section 7.¶
A clear separation of responsibilities would help IRTF UFMRG to train the authors and verifiers separately to fulfill their own responsibilities.¶
Moreover, we believe that the experiences can help improve the FATT process. The goal is to document the identified gaps with concrete examples, discuss those and mutually find the best way forward.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In the context of this document, a Protocol Diagram specifies the proposed cryptographically-relevant changes compared to the standard TLS protocol [I-D.ietf-tls-rfc8446bis]. This is conceptually similar to the Protocol Model in [RFC4101]. However, while [RFC4101] only recommends diagrams, we consider diagrams to be essential.¶
In this document, the Verifier refers to the team doing the formal analysis. Note that it is NOT a new formal role in the WG process.¶
Any ambiguity originating from the threat model, informal security goals, and a Protocol Diagram is to be considered as an attack. The authors are, therefore, encouraged to be as precise as possible. The Verifier may propose text for consideration by authors/WG to disambiguate or propose a fix to the attack.¶
From the two extremes -- [I-D.ietf-tls-8773bis] where Russ kindly provided all requested inputs and we were able to get it through (with a small change) without any formal analysis to [I-D.fossati-tls-attestation-08] where formal analysis revealed vulnerabilities [ID-Crisis] and resulted in a separate WG to tackle this problem -- we summarize the pain points of the Verifier with the hope that we can refine the process.¶
Note that we are not at all asserting that the authors have no pain points. They very likely have their own -- that is another indication that the process needs a refinement.¶
The FATT process restricts the Verifier from contacting the FATT directly. We argue that the Verifier should be allowed to contact the FATT (at least the FATT person for a specific draft) because of the following reasons:¶
Formal methods community is small and within this small community, those with deep knowledge of TLS are quite limited.¶
Such a restriction would not have been there if the Verifier were not a member of the TLS WG and analyzing the same draft and free to contact the same FATT for advice. Being a member of the TLS WG actually puts the Verifier at unnecessary disadvantage.¶
The feedback we receive on the list is really limited.¶
Communication via chairs is a source of misunderstandings, as it has already happened with the chairs summarizing the intent of "Tamarin-like" to just "Tamarin".¶
FATT is a 'design team' as per {{RFC2418}}. We kindly request
clarification under which regulation chairs can stop the
Verifier from talking to a design team?
¶
We believe the security considerations of {{I-D.ietf-tls-mlkem}} are
insufficient. We also believe FATT review could have significantly
improved it, including but not limited to the preference of hybrids.
We have provided significant feedback during the two WGLCs. However,
almost none of that is actually reflected in the updated editor's
version.
¶
We have presented observation from our ongoing symbolic security analysis (cf. limitations in Section 8) using ProVerif on the mailing list.¶
We argue that in general:¶
Migration from ECDHE to hybrid is security improvement.¶
Migration from hybrid to pure ML-KEM is security regression.¶
More formally, the property hybrid PQ/T should provide is:¶
Hybrid PQ/T is secure unless both ECDHE and ML-KEM are broken.¶
Hybrid preserves ECDHE, and adds ML-KEM as an additional factor. So as long as one of them is not broken, the system is secure. In particular, even if ML-KEM is completely broken, the system retains the security level of ECDHE.¶
On the other hand, the formal property non-hybrid PQ provides is:¶
Non-hybrid PQ is secure unless ML-KEM is broken.¶
If ML-KEM is broken, the whole system is broken.¶
Leak out the ECDHE key from hybrid PQ/T and you get a pure ML-KEM. Clearly, hybrid is in general more secure, unless ECDHE is fully broken, in which case it still falls equivalent to pure ML-KEM, or in the hypothetical scenario that there is an implementation bug in the ECDHE part which is triggered only in composition.¶
The authors need to understand that the task of the Verifier is to find the subtle corner cases where the protocol may fail. This is naturally opposed to the goal of the authors -- that is, to convince the WG that the protocol is good enough to be adopted/published.¶
Unless the Verifier remains really focused on checking subtleties, there is little value of formal analysis.¶
In particular, some topics like remote attestation need more precise specifications because small changes or ambiguites may make a big difference.¶
If authors do not respond to the Verifier's questions within a reasonable time frame (say a few weeks but not months), the Verifier may not pursue formal analysis of their draft.¶
In addition to those mentioned inline in the previous section, we propose the following:¶
Formal analysis -- just like any other code development -- is an iterative process and needs to be progressively discussed with the WG (and not just authors!) to be able to propose secure solutions.¶
So at least some time should be allocated in the meetings for discussion of formal analysis.¶
If the authors are doing the formal analysis themselves, it would be helpful to also present the current state of formal analysis in meetings for discussion. This may be a single slide describing:¶
Approach used: symbolic or computational¶
Tool used: ProVerif, CryptoVerif etc.¶
Properties established¶
This will help the Verifier give any feedback and avoid any repititive effort.¶
While the needs may differ for some drafts, we propose the following baseline template, with an example of [I-D.wang-tls-service-affinity]:¶
The template is:¶
TODO: Currently it is almost a copy of the guidance email to the authors. We will add details in next versions.¶
Problem statement: Say in general what the problem is.¶
For [I-D.wang-tls-service-affinity], we believe this should not include CATS. Anyone unfamiliar with CATS should be able to understand your problem.¶
Define any terms not defined in RFC8446bis or point to other drafts from where the definition is used.¶
We really like how Russ motivates the problem statement in [I-D.ietf-tls-8773bis]. Use it as a sample.¶
Here authors should address all the concerns from WG, including justification with compelling arguments and authentic references why authors think it should be done within TLS WG (and within handshake).¶
For [I-D.wang-tls-service-affinity], authors could put CATS here as a motivational use case.¶
Protocol design with Protocol Diagram: we work on the formal analysis of TLS 1.3 exclusively. Please contact someone else if your draft relates to older versions.¶
As draft proceeds these desired security goals will become what the draft actually achieves.¶
When the authors declare the version as ready for formal analysis, the Verifier takes the above inputs, performs the formal analysis, and brings the results back to the authors and the WG. Based on the analysis, the verifier may propose updates to the Security Considerations section or other sections of the Internet-Draft.¶
The whole document is about improving security considerations.¶
Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Formal methods should be used as complementary and not as subtitute of other analysis methods.¶
This document has no IANA actions.¶
-05¶
-04¶
Extended threat model Section 5.2¶
Helpful discussions on formal analysis in meetings in Section 4.2¶
Pointer to formal analysis and costs in Section 3.3¶
-03¶
Limitations of formal analysis in security considerations¶
Proposed solutions section¶
More guidance for authors: Threat Model and Informal Security Goals¶
-02¶
-01¶
Pain points of Verifier Section 2.1¶
Small adjustment of phrasing¶
We thankfully acknowledge Eric Rescorla and John Mattsson for their valuable input.¶
The research work is funded by Deutsche Forschungsgemeinschaft.¶