Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
Aaron Zauner <azet@azet.org> Thu, 16 February 2017 19:33 UTC
Return-Path: <azet@azet.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B405129697 for <cfrg@ietfa.amsl.com>; Thu, 16 Feb 2017 11:33:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 729kz6G_IP2Q for <cfrg@ietfa.amsl.com>; Thu, 16 Feb 2017 11:33:45 -0800 (PST)
Received: from mail-wr0-x22e.google.com (mail-wr0-x22e.google.com [IPv6:2a00:1450:400c:c0c::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CB1012955E for <cfrg@irtf.org>; Thu, 16 Feb 2017 11:33:45 -0800 (PST)
Received: by mail-wr0-x22e.google.com with SMTP id i10so18617403wrb.0 for <cfrg@irtf.org>; Thu, 16 Feb 2017 11:33:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=fw2jktFOTSwYWkYtcPGQS13BqI8oauZo3a0+Xvpcc9Q=; b=ID6PGVxtjoWxu9B/gfGZTeClZQEATGGW5CC5hsKjTAT5JtIBFHNaTEI4Yzi911DhFh qMpZXHaytKRRWx1t9c4IDnxGgkwcjsTq8h/LNhrfsJPwMPcNrNw1AGTkT4yCuNbJmn93 xpZHnEpKlgT5dk5xpjl/oUX2Cy21T0ADGMrao=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=fw2jktFOTSwYWkYtcPGQS13BqI8oauZo3a0+Xvpcc9Q=; b=bKyzfWsmvnEZEP/Lg5eMfQ3ZxnxN7+9udtdJAmZE35+1zx1tv6oKF2ZeBFDmZc84VM JWWd9qrsv0dJV4ozlI3avZ8jU6UdIzBoepRTB6FsQ4lZMP05kekan5O2NpvDuTChyP7J ZHsXsp/n5yNOH3cqIgagT/+49iYsH+datclBEhKpoxhtIce2bXYsDpxJ+S9wDiTn6D9i sDViAXdWP/erV7qqqG26uga7YrGNNMMWs3xKRzWT1N8ekH+AcXOZXqw0pTHCfbpOTkWK Hq4k0EnJ1l/4WuiTdkVVOLO+RdlyVKqICxRtGQP5NM+IBhE+1LLZcdRvoVJc0PyRFLWY 6IlA==
X-Gm-Message-State: AMke39ls3ztHkr3DX9NqQuoVmW0NiX5H6AIFf2V75LvwcSOEXJcKZ/BJeYfTHeeDTAPgmw==
X-Received: by 10.223.131.99 with SMTP id 90mr3791850wrd.146.1487273623585; Thu, 16 Feb 2017 11:33:43 -0800 (PST)
Received: from [192.168.1.120] ([156.218.58.77]) by smtp.gmail.com with ESMTPSA id v128sm1464652wmv.2.2017.02.16.11.33.41 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 16 Feb 2017 11:33:42 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_461E11DF-8232-41A2-B8E2-A699F4C242C4"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <CABkgnnURRPNEGEFKJvBJ=of=pqSD6CLJ+M3CB5KepEQA38XeHQ@mail.gmail.com>
Date: Thu, 16 Feb 2017 21:33:39 +0200
Message-Id: <FFCF8465-1B10-4202-8AE6-37DE152C5D17@azet.org>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CABkgnnVrFGHe0eKREXbG_pv=y18ouopZsE2c5+Czz0HAGko6rg@mail.gmail.com> <D4C331C7.86224%kenny.paterson@rhul.ac.uk> <VI1PR8303MB0094D686941D99290BB431FCAB590@VI1PR8303MB0094.EURPRD83.prod.outlook.com> <D4C73D19.2FB4B%qdang@nist.gov> <D4C85054.2FDA4%qdang@nist.gov> <be49d59e37339cbaea8fef9bdb2a8971@esat.kuleuven.be> <D4C8AE28.30145%qdang@nist.gov> <CY4PR09MB1464278F1845979862CA9C8EF3580@CY4PR09MB1464.namprd09.prod.outlook.com> <BD6FC1F4-F2ED-46F8-9E53-862B69D9C00A@gmail.com> <e7c9bc1fb1b57333bacbe2def2687d18@esat.kuleuven.be> <D4C9AB9C.302D5%qdang@nist.gov> <CDDC7812-27AF-4566-AE33-6DF829FEB81E@rhul.ac.uk> <CABkgnnX78HnPnudEYOciS-VgJ4opYQX56OQ1R4yYvqxOQkO7Bg@mail.gmail.com> <859B3094-61BF-40B3-9473-4220E830D70F@gmail.com> <CABkgnnURRPNEGEFKJvBJ=of=pqSD6CLJ+M3CB5KepEQA38XeHQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_PY0xwX5TLHeqi2UOvpBJ3oXeJo>
Cc: IRTF CFRG <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 19:33:46 -0000
> On 15 Feb 2017, at 19:25, Martin Thomson <martin.thomson@gmail.com> wrote: > > On 16 February 2017 at 04:20, Yoav Nir <ynir.ietf@gmail.com> wrote: >> No, not really, but TLS is not just the web, and there are connections that >> last for a long time and transfer large amounts of data. Think datacenter >> synchronization. At packet-sized records 24 million records amounts to 36 >> GB. That is considerably larger than a 4 GB software update I downloaded >> over HTTPS a few years ago, but not out of the ballpark. > > I realize that's going to require updates pretty often (once you open > up the CWND), but I don't think that it is frequent enough to be a > concern. > > I well know that HTTP gets used at these volumes more often than > people realize. I'd rather recommend ChaCha for those niche uses > though if the rate was sufficiently high. I agree with Yoav Nir here, it's certainly not a niche use* and one's implementation should not be forced to use a certain cipher mode if there would be better options (e.g. because -- as pointed out earlier -- hardware support is available). * We'll all agree that most of the TLS traffic is made up by HTTPS requests, still, there are many other uses and we design protocols not just for the web. That's W3C. Aaron
- [Cfrg] Closing out tls1.3 "Limits on key usage" P… Sean Turner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Stanislav V. Smyshlyaev
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Martin Thomson
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Paterson, Kenny
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Ilari Liusvaara
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Rene Struik
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Rene Struik
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Andrey Jivsov
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Andrey Jivsov
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Martin Thomson
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Andrey Jivsov
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Markulf Kohlweiss
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Tony Arcieri
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Atul Luykx
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Atul Luykx
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Aaron Zauner
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Watson Ladd
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Brian Smith
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Andrey Jivsov
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Hal Murray
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Andrey Jivsov
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Sean Turner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Russ Housley