Re: [Lake] Ways forward on MTI cipher suite text

Göran Selander <goran.selander@ericsson.com> Tue, 25 January 2022 08:32 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "lake-chairs@ietf.org" <lake-chairs@ietf.org>
CC: "lake@ietf.org" <lake@ietf.org>
Date: Tue, 25 Jan 2022 08:32:32 +0000
Message-ID: <AM4PR0701MB21950F2FCC8598502E50ABF3F45F9@AM4PR0701MB2195.eurprd07.prod.outlook.com>
References: <2A2081E4-BAAF-4292-925E-0B683AA6CD23@inria.fr> <24192.1643036826@localhost> <AM4PR0701MB2195208CA41C14108E5CD85AF45E9@AM4PR0701MB2195.eurprd07.prod.outlook.com> <14667.1643068411@localhost>
In-Reply-To: <14667.1643068411@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/ZAfCcPhyLbvZ8u-p_w6jkQ-YMAg>

Hi Michael, and Chairs

Do we have a potential confusion here?

On 2022-01-25, 00:53, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:

mcr> I concur with #22, that option 2 is probably the best MTI.

Maybe it is just wording, but I had a problem parsing "option 2 is probably the best MTI" in the context of the chairs' call starting this thread:

MV> The options we see at this moment in time are:
MV>
MV> Option 1: Keep current text as-is unless/until more feedback
MV> is provided that motivates re-opening this issue
MV> Option 2: Proceed with selecting a single MTI cipher suite
MV>
MV> We'd like to know if the WG can live with Option 1. Note that
MV> doesn't mean you think option 1 is perfect, just that it's
MV> something with which you can live. If you prefer option 2 or
MV> some other option please suggest specific text.
MV>
MV> Mališa and Stephen

Then I recalled that issue #22 [0] in itself lists different options, where Option 2 means "Keep MTI cipher suite 0."

Are we all talking about the same options?

Göran

[0] https://github.com/lake-wg/edhoc/issues/22

Göran Selander <goran.selander@ericsson.com> wrote:

    GS> To comply with the message size requirements we need the one with
    GS> shorter MAC. Applications that don't have the most extreme size
    GS> requirements may want to support the longer MAC. So we need to
    GS> specify both. And as noted in #209 the difference in terms of code to
    GS> support both is minimal, which is the reason to require
    GS> implementations to support both when supporting one. If you disagree
    GS> with that, this is a good time to comment on that issue.

I think you've stated things backwards.
I think that the shorter MAC should be the default for all applications that
can tolerate that amount of security.

The question is then, in what situations is the shorter MAC unacceptable, security-wise?
It seems that those devices will know if they need it or not.

    GS> In terms of #22 this sounds closer to option 1 than option 2,
    GS> i.e. to not mandate that all devices implement ECDSA, or that all
    GS> devices implement EdDSA. Is that a fair summary?  Göran

I concur with #22, that option 2 is probably the best MTI.

I don't agree with supporting (0 *and* 1) or (2 *and* 3) on a device.
A device that can afford the extra Tx space for the longer MAC should just use that.
So, if you don't like option 2, then 0.

(PS: I will have to check out of virtual interim early tomorrow)

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide