| Internet-Draft | Proposed Document Template for TLS FATT | July 2026 |
| Sardar | Expires 3 January 2027 | [Page] |
This document applies only to non-trivial extensions of TLS, which require formal analysis. FATT process has successfully discovered CVEs of CVSS 7.5 and most recently expected CVSS 9.1 in the production implementations of the drafts proposed for adoption in the TLS WG. To achieve high cryptographic assurances, this document proposes the drafts specify a clear threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://muhammad-usama-sardar.github.io/tls-fatt-extension/draft-usama-tls-fatt-extension.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-usama-tls-fatt-extension/.¶
Discussion of this document takes place on the Transport Layer Security Working Group mailing list (mailto:tls@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/tls/. Subscribe at https://www.ietf.org/mailman/listinfo/tls/.¶
Source for this draft and an issue tracker can be found at https://github.com/muhammad-usama-sardar/tls-fatt-extension.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
While the TLS FATT process [TLS-FATT] marks a historic change in achieving high cryptographic assurances by tightly integrating formal methods in the working group (WG) process, it would be helpful to adapt the way in which drafts are typically written to get the benefits.¶
Unverified protocol designs, imprecisely stated threat model and security goals have led to high and critical severity vulnerabilities of the extensions proposed in the drafts.¶
As an illustrative example, authors of [I-D.fossati-tls-attestation-08] asked for adoption in IETF 121, explicitly requesting us (by name) for formal analysis [Intra-handshake-attestation]. We carried out formal analysis of draft in support for FATT process. The formal analysis led to three orthogonal issues:¶
Formal analysis [ID-Crisis-repo] found diversion attacks for [I-D.fossati-tls-attestation-08]. For technical details, please see the corresponding paper [ID-Crisis].¶
Formal analysis [Intra-handshake.fail-repo] of several production implementations of [I-D.fossati-tls-attestation-09] led to discovery of [CVE-2026-33697] of CVSS 7.5 for relay attacks. For technical details, please see the corresponding paper [Intra-handshake.fail].¶
Further formal analysis of production implementation of [I-D.fossati-tls-attestation-09] has led to discovery of another class of attacks and will potentially lead to two CVEs (currently under responsible disclosure) each with an expected CVSS 9.1.¶
This shows the value of FATT process in the design of secure protocols to find subtle vulnerabilities, which could otherwise be missed.¶
To produce high-quality specifications, this document outlines the corresponding changes in the way drafts are typically written. For the draft to be useful for the formal analysis, this document proposes that it would be helpful for the formal analysis if the draft contains four main items, namely:¶
motivation,¶
a threat model,¶
informal security goals, and¶
a protocol diagram (Section 2.1).¶
Each one of these is summarized in Section 3. Future versions of this draft will include further concrete examples.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In the context of this document, a Protocol Diagram specifies the proposed cryptographically-relevant changes compared to the standard TLS protocol [I-D.ietf-tls-rfc8446bis]. This is conceptually similar to the Protocol Model in [RFC4101]. However, while [RFC4101] only recommends diagrams, we consider diagrams to be essential to reduce the gap between:¶
While the needs may differ for some drafts, we propose the following baseline template, with examples of [I-D.wang-tls-service-affinity] and [I-D.sheffer-tls-pqc-continuity]:¶
The template is:¶
TODO: Currently it is almost a copy of the guidance email to the authors. We request feedback on what to add in next versions.¶
Problem statement: Say in general what the problem is.¶
For [I-D.wang-tls-service-affinity], we believe this may preferably not include CATS. Anyone unfamiliar with CATS ought to be able to understand the problem statement.¶
Define any terms not defined in RFC8446bis or point to other drafts from where the definition is used.¶
We really like how the author of [I-D.ietf-tls-8773bis] motivates the problem statement. Use it as a sample.¶
Here authors can address all the concerns from WG, including justification with compelling arguments and authentic references why authors think it ought to be done within TLS WG (and within handshake).¶
For [I-D.wang-tls-service-affinity], authors could put CATS here as a motivational use case.¶
For [I-D.sheffer-tls-pqc-continuity], it should clarify why the problem is specific to PQ-only and why did the WG do such a thing for the transition for other primitives, as requested by several WG participants.¶
Protocol design with Protocol Diagram: we work on the formal analysis of TLS 1.3 exclusively. Please contact someone else if your draft relates to older versions.¶
As draft proceeds these desired security goals will become what the draft actually achieves.¶
For [I-D.sheffer-tls-pqc-continuity], it should clarify which property of the TLS protocol is broken and how does the proposal improve the security.¶
The whole document is about improving security considerations. As mentioned in Section 1.1.1, unverified specifications have led to high and critical severity exploits.¶
Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Formal methods should be used as complementary and not as subtitute of other analysis methods.¶
This document has no IANA actions.¶
-08¶
-07¶
-06¶
Solution for ML-KEM: FATT analysis¶
Solution for FATT contact: new mailing list¶
Replaced responsibilities by expected contributions¶
Clarified Verifier even further that it is just a WG member; no formal role¶
s/pure/non-hybrid¶
-05¶
-04¶
Extended threat model Section 3.2¶
Helpful discussions on formal analysis in meetings¶
Pointer to formal analysis and costs¶
-03¶
Limitations of formal analysis in security considerations¶
Proposed solutions section¶
More guidance for authors: Threat Model and Informal Security Goals¶
-02¶
-01¶
Pain points of Verifier Section 2.1¶
Small adjustment of phrasing¶
We thankfully acknowledge the following for their valuable input:¶
Eric Rescorla for review of -02, -05, and -06.¶
John Mattsson for proposing text for security considerations.¶
David Benjamin for review of -06.¶
Mike Ounsworth for review of -07.¶
Songbo Bu¶
We gratefully acknowledge the valuable contributions of co-authors of papers for their instrumental contributions in formal analysis: Mariam Moustafa, Tuomas Aura, Viacheslav Dubeyko, and Jean-Marie Jacquet.¶
We sincerely thank the contributors of the formal analyses [ID-Crisis-repo] and [Intra-handshake.fail-repo] mentioned in the respective repositories.¶
We express our appreciation to Yaakov Stein and Ilari Liusvaara for their substantial technical guidance, valuable feedback, and contributions in early attempts to formally model ML-KEM.¶
The research work is funded by German Research Foundation ("Deutsche Forschungsgemeinschaft.")¶