Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Yoav Nir <ynir.ietf@gmail.com> Wed, 15 February 2017 17:30 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF44A129572 for <cfrg@ietfa.amsl.com>; Wed, 15 Feb 2017 09:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TgnoTBQFN3od for <cfrg@ietfa.amsl.com>; Wed, 15 Feb 2017 09:30:09 -0800 (PST)
Received: from mail-wr0-x244.google.com (mail-wr0-x244.google.com [IPv6:2a00:1450:400c:c0c::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E0DE1293DC for <cfrg@irtf.org>; Wed, 15 Feb 2017 09:30:09 -0800 (PST)
Received: by mail-wr0-x244.google.com with SMTP id q39so1391171wrb.2 for <cfrg@irtf.org>; Wed, 15 Feb 2017 09:30:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=+P9AJ22m0W1uR0IeGX8lhwirkFyNvSm4ddY0ivyy1EE=; b=l2G2/eWiTmKtTmyxMJSTgK9UaOIK9so4V60VJ3ZOpTEc3AcnpdRXaS50KcxbDxYcGC qv7br8TfEkdxbnIeyI2kLOclKMQSn24igR3IZGxSDiumkoFdyUwpRV4vO+na7+81lZX3 hD4dW5iVqSvoMHchS9QAgoce5GQ2Ds5EK+N80A+Q72tH5xaC7kuPTyPJvVAoV5G8WRzA vVqLw9DQsV63yRrscmU6+gG1eTh1sXdLrEQ7oBgPWMl9EuVPj5KaAsPki+SxrkztY4/U JKzftGXBCVfFNBDGhOs9Q7G/pTDzwOFpwXz88chAj6uVkmBlVrkiVQLtwOatYJLrE7pm 8//w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=+P9AJ22m0W1uR0IeGX8lhwirkFyNvSm4ddY0ivyy1EE=; b=Dm2tsaICyzfnLM69+xLJQ0UskznAd1VC8oB/lAC7ERvtENHk82RDzogkt7qibKM61t lcSpIYAgwQ/lBrtMNuQ8f7W33TWPAdS9374mxLsQGBlFGUWVBmnnQv8n5E3p7pETRdhx 0+y4XkumTVXTSo4ZiwYm8bWi/HzH7uenonwWQg7fqltfaQc6P25L3NCNsrnRw2z01pQ7 baWm2/s+R03ipQg6FfauGXO+MfXlgcpSYcWM3D7hIi/y7CgCjPm70mm421hBI/Iz/nRF JlskFM+7HbGTS8G0AEltdAwcxhZko1MRWLpzQxq0PBI84wEtFXguDkMn4v7qIRAcFymt CJQw==
X-Gm-Message-State: AMke39nzHb3tR1NnDom1aoTbEYONri9J57jgBR82AiNmyhejCA8uDBglJ1qaQpNSd6wJpw==
X-Received: by 10.223.161.130 with SMTP id u2mr35286995wru.127.1487179807685; Wed, 15 Feb 2017 09:30:07 -0800 (PST)
Received: from [192.168.137.219] ([176.13.243.119]) by smtp.gmail.com with ESMTPSA id i73sm212628wmd.11.2017.02.15.09.30.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Feb 2017 09:30:06 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <4639F8A9-1DD7-48E5-ABE4-2658311E0C33@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_89B8EC13-4F33-4FF1-AD79-19F8A4074C04"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 15 Feb 2017 19:30:04 +0200
In-Reply-To: <CABkgnnURRPNEGEFKJvBJ=of=pqSD6CLJ+M3CB5KepEQA38XeHQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CABkgnnVrFGHe0eKREXbG_pv=y18ouopZsE2c5+Czz0HAGko6rg@mail.gmail.com> <D4C331C7.86224%kenny.paterson@rhul.ac.uk> <VI1PR8303MB0094D686941D99290BB431FCAB590@VI1PR8303MB0094.EURPRD83.prod.outlook.com> <D4C73D19.2FB4B%qdang@nist.gov> <D4C85054.2FDA4%qdang@nist.gov> <be49d59e37339cbaea8fef9bdb2a8971@esat.kuleuven.be> <D4C8AE28.30145%qdang@nist.gov> <CY4PR09MB1464278F1845979862CA9C8EF3580@CY4PR09MB1464.namprd09.prod.outlook.com> <BD6FC1F4-F2ED-46F8-9E53-862B69D9C00A@gmail.com> <e7c9bc1fb1b57333bacbe2def2687d18@esat.kuleuven.be> <D4C9AB9C.302D5%qdang@nist.gov> <CDDC7812-27AF-4566-AE33-6DF829FEB81E@rhul.ac.uk> <CABkgnnX78HnPnudEYOciS-VgJ4opYQX56OQ1R4yYvqxOQkO7Bg@mail.gmail.com> <859B3094-61BF-40B3-9473-4220E830D70F@gmail.com> <CABkgnnURRPNEGEFKJvBJ=of=pqSD6CLJ+M3CB5KepEQA38XeHQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zXYbO5UgTiyy_ct67HLc5nPSO9M>
Cc: IRTF CFRG <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2017 17:30:11 -0000

> On 15 Feb 2017, at 19:25, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 16 February 2017 at 04:20, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> No, not really, but TLS is not just the web, and there are connections that
>> last for a long time and transfer large amounts of data. Think datacenter
>> synchronization. At packet-sized records 24 million records amounts to 36
>> GB. That is considerably larger than a 4 GB software update I downloaded
>> over HTTPS a few years ago, but not out of the ballpark.
> 
> I realize that's going to require updates pretty often (once you open
> up the CWND), but I don't think that it is frequent enough to be a
> concern.
> 
> I well know that HTTP gets used at these volumes more often than
> people realize.  I'd rather recommend ChaCha for those niche uses
> though if the rate was sufficiently high.

And now I’ve lost you. A moment ago I thought you were concerned that people would fail to implement KeyUpdate. Are you now suggesting that it be removed entirely from TLS 1.3?

There’s no getting around the fact that AES-GCM is faster on certain processors than ChaCha, and speed is likely to be a major concern for exactly the same systems that use the high data volumes.

Yoav