tlswg · yoavnir · Apr 2, 2017
diff --git a/draft-ietf-tls-tls13.md b/draft-ietf-tls-tls13.md
@@ -501,360 +501,26 @@ server: The endpoint which did not initiate the TLS connection.
 
 ##  Major Differences from TLS 1.2
 
-(*) indicates changes to the wire protocol which may require implementations
-    to update.
+The following list of changes is by no means exhaustive. It is meant to 
+be used as an executive summary of what's changed.
 
-draft-19
+- The list of supported ciphersuites has been pruned of all algorithms that
+  are considered legacy. Those that remain are all Authenticated Encryption
+  with Associated Data (AEAD) and all offer Perfect Forward Secrecy (PFS).
 
-- Hash context_value input to Exporters (*)
+- A Zero-RTT mode was added, saving a round-trip at connection setup.
 
-- Add an additional Derive-Secret stage to Exporters (*).
+- More encrypted handshake messages, including Certificate.
+
+- Significant changes to the handshake records and state machine; removal of CCS.
+
+- ECC is now in the base spec.
 
-- Hash ClientHello1 in the transcript when HRR is used. This
-  reduces the state that needs to be carried in cookies. (*)
-
-- Restructure CertificateRequest to have the selectors
-  in extensions. This also allowed defining a "certificate_authorities"
-  extension which can be used by the client instead of trusted_ca_keys (*).
-
-- Tighten record framing requirements and require checking of them (*).
-
-- Consolidate "ticket_early_data_info" and "early_data" into a single
-  extension (*).
-
-- Change end_of_early_data to be a handshake message (*).
-
-- Add pre-extract Derive-Secret stages to key schedule (*).
-
-- Remove spurious requirement to implement "pre_shared_key".
-
-- Clarify location of "early_data" from server (it goes in EE,
-  as indicated by the table in S 10).
-
-- Require peer public key validation
-
-- Add state machine diagram.
-
-
-draft-18
-
-- Remove unnecessary resumption_psk which is the only thing expanded from
-  the resumption master secret. (*).
-
-- Fix signature_algorithms entry in extensions table.
-
-- Restate rule from RFC 6066 that you can't resume unless SNI is the same.
-
-
-draft-17
-
-- Remove 0-RTT Finished and resumption_context, and replace with a
-  psk_binder field in the PSK itself (*)
-
-- Restructure PSK key exchange negotiation modes (*)
-
-- Add max_early_data_size field to TicketEarlyDataInfo (*)
-
-- Add a 0-RTT exporter and change the transcript for the regular exporter (*)
-
-- Merge TicketExtensions and Extensions registry. Changes
-  ticket_early_data_info code point (*)
-
-- Replace Client.key_shares in response to HRR (*)
-
-- Remove redundant labels for traffic key derivation (*)
-
-- Harmonize requirements about cipher suite matching: for resumption you
-  need to match KDF but for 0-RTT you need whole cipher suite. This
-  allows PSKs to actually negotiate cipher suites. (*)
-
-- Move SCT and OCSP into Certificate.extensions (*)
-
-- Explicitly allow non-offered extensions in NewSessionTicket
-
-- Explicitly allow predicting ClientFinished for NST
-
-- Clarify conditions for allowing 0-RTT with PSK
-
-
-draft-16
-
-- Revise version negotiation (*)
-
-- Change RSASSA-PSS and EdDSA SignatureScheme codepoints for better backwards compatibility (*)
-
-- Move HelloRetryRequest.selected_group to an extension (*)
-
-- Clarify the behavior of no exporter context and make it the same
-  as an empty context.(*)
-
-- New KeyUpdate format that allows for requesting/not-requesting an
-  answer. This also means changes to the key schedule to support
-  independent updates (*)
-
-- New certificate_required alert (*)
-
-- Forbid CertificateRequest with 0-RTT and PSK.
-
-- Relax requirement to check SNI for 0-RTT.
-
-
-draft-15
-
-- New negotiation syntax as discussed in Berlin (*)
-
-- Require CertificateRequest.context to be empty during handshake (*)
-
-- Forbid empty tickets (*)
-
-- Forbid application data messages in between post-handshake messages
-  from the same flight (*)
-
-- Clean up alert guidance (*)
-
-- Clearer guidance on what is needed for TLS 1.2.
-
-- Guidance on 0-RTT time windows.
-
-- Rename a bunch of fields.
-
-- Remove old PRNG text.
-
-- Explicitly require checking that handshake records not span
-  key changes.
-
-
-
-draft-14
-
-- Allow cookies to be longer (*)
-
-- Remove the "context" from EarlyDataIndication as it was undefined
-  and nobody used it (*)
-
-- Remove 0-RTT EncryptedExtensions and replace the ticket_age extension
-  with an obfuscated version. Also necessitates a change to
-  NewSessionTicket (*).
-
-- Move the downgrade sentinel to the end of ServerHello.Random
-  to accommodate tlsdate (*).
-
-- Define ecdsa_sha1 (*).
-
-- Allow resumption even after fatal alerts. This matches current
-  practice.
-
-- Remove non-closure warning alerts. Require treating unknown alerts as
-  fatal.
-
-- Make the rules for accepting 0-RTT less restrictive.
-
-- Clarify 0-RTT backward-compatibility rules.
-
-- Clarify how 0-RTT and PSK identities interact.
-
-- Add a section describing the data limits for each cipher.
-
-- Major editorial restructuring.
-
-- Replace the Security Analysis section with a WIP draft.
-
-
-draft-13
-
-- Allow server to send SupportedGroups.
-
-- Remove 0-RTT client authentication
-
-- Remove (EC)DHE 0-RTT.
-
-- Flesh out 0-RTT PSK mode and shrink EarlyDataIndication
-
-- Turn PSK-resumption response into an index to save room
-
-- Move CertificateStatus to an extension
-
-- Extra fields in NewSessionTicket.
-
-- Restructure key schedule and add a resumption_context value.
-
-- Require DH public keys and secrets to be zero-padded to the size
-  of the group.
-
-- Remove the redundant length fields in KeyShareEntry.
-
-- Define a cookie field for HRR.
-
-
-draft-12
-
-- Provide a list of the PSK cipher suites.
-
-- Remove the ability for the ServerHello to have no extensions
-  (this aligns the syntax with the text).
-
-- Clarify that the server can send application data after its first
-  flight (0.5 RTT data)
-
-- Revise signature algorithm negotiation to group hash, signature
-  algorithm, and curve together. This is backwards compatible.
-
-- Make ticket lifetime mandatory and limit it to a week.
-
-- Make the purpose strings lower-case. This matches how people
-  are implementing for interop.
-
-- Define exporters.
-
-- Editorial cleanup
-
-
-draft-11
-
-- Port the CFRG curves & signatures work from RFC4492bis.
-
-- Remove sequence number and version from additional_data, which
-  is now empty.
-
-- Reorder values in HkdfLabel.
-
-- Add support for version anti-downgrade mechanism.
-
-- Update IANA considerations section and relax some of the policies.
-
-- Unify authentication modes. Add post-handshake client authentication.
-
-- Remove early_handshake content type. Terminate 0-RTT data with
-  an alert.
-
-- Reset sequence number upon key change (as proposed by Fournet et al.)
-
-
-draft-10
-
-- Remove ClientCertificateTypes field from CertificateRequest
-  and add extensions.
-
-- Merge client and server key shares into a single extension.
-
-
-draft-09
-
-- Change to RSA-PSS signatures for handshake messages.
-
-- Remove support for DSA.
-
-- Update key schedule per suggestions by Hugo, Hoeteck, and Bjoern Tackmann.
-
-- Add support for per-record padding.
-
-- Switch to encrypted record ContentType.
-
-- Change HKDF labeling to include protocol version and value lengths.
-
-- Shift the final decision to abort a handshake due to incompatible
-  certificates to the client rather than having servers abort early.
-
-- Deprecate SHA-1 with signatures.
-
-- Add MTI algorithms.
-
-
-draft-08
-
-- Remove support for weak and lesser used named curves.
-
-- Remove support for MD5 and SHA-224 hashes with signatures.
-
-- Update lists of available AEAD cipher suites and error alerts.
-
-- Reduce maximum permitted record expansion for AEAD from 2048 to 256 octets.
-
-- Require digital signatures even when a previous configuration is used.
-
-- Merge EarlyDataIndication and KnownConfiguration.
-
-- Change code point for server_configuration to avoid collision with
-  server_hello_done.
-
-- Relax certificate_list ordering requirement to match current practice.
-
-
-draft-07
-
-- Integration of semi-ephemeral DH proposal.
-
-- Add initial 0-RTT support.
-
-- Remove resumption and replace with PSK + tickets.
-
-- Move ClientKeyShare into an extension.
-
-- Move to HKDF.
-
-
-draft-06
-
-- Prohibit RC4 negotiation for backwards compatibility.
-
-- Freeze & deprecate record layer version field.
-
-- Update format of signatures with context.
-
-- Remove explicit IV.
-
-
-draft-05
-
-- Prohibit SSL negotiation for backwards compatibility.
-
-- Fix which MS is used for exporters.
-
-
-draft-04
-
-- Modify key computations to include session hash.
-
-- Remove ChangeCipherSpec.
-
-- Renumber the new handshake messages to be somewhat more
-  consistent with existing convention and to remove a duplicate
-  registration.
-
-- Remove renegotiation.
-
-- Remove point format negotiation.
-
-
-draft-03
-
-- Remove GMT time.
-
-- Merge in support for ECC from RFC 4492 but without explicit
-  curves.
-
-- Remove the unnecessary length field from the AD input to AEAD
-  ciphers.
-
-- Rename {Client,Server}KeyExchange to {Client,Server}KeyShare.
-
-- Add an explicit HelloRetryRequest to reject the client's.
-
-
-draft-02
-
--  Increment version number.
-
--  Rework handshake to provide 1-RTT mode.
-
--  Remove custom DHE groups.
-
--  Remove support for compression.
-
--  Remove support for static RSA and DH key exchange.
-
--  Remove support for non-AEAD ciphers.
+- Other cryptographic improvements including the removal of compression and
+  custom DHE groups, a revision of key derivation which now uses HKDF,
+  change of RSA padding to PSS, and removal of DSA.
 
+- Version negotiation has been simplified.
 
 ## Updates Affecting TLS 1.2