Re: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Martin Thomson <martin.thomson@gmail.com> Sun, 12 February 2017 09:44 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C756B1293E8 for <cfrg@ietfa.amsl.com>; Sun, 12 Feb 2017 01:44:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZkTTS1h4jLV for <cfrg@ietfa.amsl.com>; Sun, 12 Feb 2017 01:44:25 -0800 (PST)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A910C127A90 for <cfrg@irtf.org>; Sun, 12 Feb 2017 01:44:25 -0800 (PST)
Received: by mail-qt0-x236.google.com with SMTP id w20so65032873qtb.1 for <cfrg@irtf.org>; Sun, 12 Feb 2017 01:44:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=B3mSRZtDtrzqx0u3Fpw+azbjokoktFDc7J9S9Em3PWs=; b=YxRTMNAp3hgnJiuXQt7Lc93hyyd8Amup16GkBEqZcA45CQKFJLya6yQkJZ+aiXsBAW nfTnKgFkBlvXDnUk9b6s7d6i36gvMYqQ8DGctZ0B2/1iDj+f0j22kryE+FS9qqB9xIev rC3LXEz1Y1Y+91zgFgj7dpskVTRZ+tQzlfkMqm1bOdbZL81AqNEdm8JPmvYNjuRTxyer 7LNk7ZRf8m/AqDhHngKx2fYmcvNvQADPqoGjsselI9EpLQiAD7ULNDWzakAAkDHWhowa m7SX6PJ59BZYIxyM4zVlycxi/ALgTA12KUsgXvzaHlFxI8UndNQTbGC+E1qw3B63L/TV miRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=B3mSRZtDtrzqx0u3Fpw+azbjokoktFDc7J9S9Em3PWs=; b=pSjHa+XPrFejUe/A56P4iXoRpn7nMC1aP53/1ltQCbJ25NBU+ui9XOrF8sleUaKSaa okA1lIMi3K0JVMkSNcQ/cSXrr53n/1VOlAqk3NM80fI8Egn0lB9eQ7KkxoGGJh7MEbIN ogu8/PXeS9rjtwz88DVz7PtQOEAKVUTJCbzCqjfOwWetiJJ2F6quW7H2QlIZrZ35f/KP 5eU0AxEbxTrHWlMB2yav55ZSoNkaU5twgiHZtwG2d7NaH7EcinFOti8rH2CslTE1ePbu Nr222J7VZphdCwpPb9f7uZ3cMwHr4otEbfnTItxX5VvkUBc5HTR7iXzIzDSgK+/uGhbW QoWw==
X-Gm-Message-State: AMke39npMCBC0B2d98mqG21mDQ2HcL7shQoRZEWxmEkyINRHtjeBBQvkNS66ncdFAAsHYLh0MIYNLWBbvuIGUQ==
X-Received: by 10.200.39.200 with SMTP id x8mr15875062qtx.159.1486892664764; Sun, 12 Feb 2017 01:44:24 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.19.112 with HTTP; Sun, 12 Feb 2017 01:44:24 -0800 (PST)
In-Reply-To: <f4503c6d-5274-83c5-65be-4bb70d59a24a@brainhub.org>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <f4503c6d-5274-83c5-65be-4bb70d59a24a@brainhub.org>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Sun, 12 Feb 2017 20:44:24 +1100
Message-ID: <CABkgnnXRswsqDHxeXeoAann5wkZxk1-uZMEi_uyFTJ1yvFAuiQ@mail.gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fnQphbd6Ec2CK7V4OHmN8mXvJ1M>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Feb 2017 09:44:27 -0000

On 12 February 2017 at 09:26, Andrey Jivsov <crypto@brainhub.org> wrote:
> How should an implementer read [0]? If an implementation sends or receives
> shorter records, it has to re-key sooner.

[0] (the current text) says that there is a maximum number of records.
That's pretty straightforward.  You are required to count them anyway.
No accounting for partial records and other such things.

If that means rekeying sooner, I'd like evidence that this is in some
way harmful.  I think that it's fine.

I'm not disagreeing with the notion of correctness that has been
discussed on this thread and elsewhere, just offering a different set
of criteria upon which you might make this decision.

Ilari made a related point: if you don't rekey occasionally, you might
as well just forget the whole mechanism.  Given the actual limit - for
even the most conservative option, [0] - is so large that common usage
will never hit it, that means rekeying even more often than any
idealized 2^52 octets.