IETF Logo Mail Archive

Re: [Last-Call] [art] Artart last call review of draft-ietf-uta-rfc7525bis-09

Peter Saint-Andre <stpeter@stpeter.im> Tue, 02 August 2022 15:51 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A035EC15A723; Tue, 2 Aug 2022 08:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=eEkOJ8q0; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=GLonVr0l
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FMFPGYViNk4q; Tue, 2 Aug 2022 08:51:40 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E297BC14F723; Tue, 2 Aug 2022 08:51:39 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id E41D85C0108; Tue, 2 Aug 2022 11:51:38 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Tue, 02 Aug 2022 11:51:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1659455498; x= 1659541898; bh=jTm81zFBCsIKePso/VNQQsOajyRi5m0sMZGi0wy6iTE=; b=e EkOJ8q0c8vAZu4nYhhzEdTO+Kg6kqjU73z4qu43jYif+SUg89s+POztz2YYeJA2q riDHS71nO/B9yX3Us4zwXYAN0sRQsACR7Ujeybcr6dwg8CwCLE9m2zWi5pfXR3LF NsZegTE8TEbGuXdUOyN2ux/1AkKQrcUot+2fQYNqxYGidM/WVGqtktIoRKDU+UCm eFJi8JCmpR4cZeHrhPJD4tiztz//nQ4Rckb8NKT/lp+hDd+j4rEd9ibY5ymJT6PW PYom4xUj06iGrSQ6dFo/KZDnNQTtCZhXcfkCF48m8beWY/2aM9KxnDnJ4gl5GK6/ pz58Z55r5iPoEo4H87Y6A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1659455498; x= 1659541898; bh=jTm81zFBCsIKePso/VNQQsOajyRi5m0sMZGi0wy6iTE=; b=G LonVr0ldapulKgoi8oC604VhIp3cmsez4hIMckibPirSnEHiEvl3p+gtpWI0rlSG 1ZwM5L+yNGrAS0UJOwvj/UacV0kYHE9H3nxaGXeZARRQh2/BclHIvCRjf9f2kScT Cuu4WCQ1NDnUn5HigMXrL7cj2vaKFEEQUuQAw4chve90asUdSFg4y0NW9a8H654H 5XRZdiR8JDOZtzkcjOEs2rQxXiB3HovK8kjFT5WN+gzqh2vwh2ykLk25n17Ilvfq YJMdmw4AxiU+ojbVXAU2nFvLg/7YfyrNMQUgUDOE+cr5L5j8L/ZJQGoeS5dlLzVj FtOckfVbxMH2kjJZAjdUg==
X-ME-Sender: <xms:CkjpYvBqJ8Q7WX-UtC1zf9Y_gzms2WTxl4dviDyz-Hn3lHpSb4nevA> <xme:CkjpYlhEEuzL5Fca9JP0CWpfaxR565_YeYi3iKXvWRDV1weHXe4SBdpmY2Z-GKRks _efGpb0N8B9MZpqNA>
X-ME-Received: <xmr:CkjpYqmBrjUsXKGtBwd-nFqhMUyAzRNnNZtr4DlHq8sLKyRY8sZ0Lg7eMcg4VKw7>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrvddvhedgleefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuhffvvehfjggtgfesth ekredttdefjeenucfhrhhomheprfgvthgvrhcuufgrihhnthdqtehnughrvgcuoehsthhp vghtvghrsehsthhpvghtvghrrdhimheqnecuggftrfgrthhtvghrnhepvdehgfdtudethe elgeegtdeftdelfeetveejjeeuveejgfeiffffkefgjeffhfeunecuvehluhhsthgvrhfu ihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepshhtphgvthgvrhesshhtphgvth gvrhdrihhm
X-ME-Proxy: <xmx:CkjpYhx3ev4mGJ6pEAmQlIhz-j4-x82zBAIt9XUWUn-52o37g5VgWg> <xmx:CkjpYkSjO7M50xfLBJQaDj62M4-LAiJZmIzhqPH4ZsN_j0ucMwyjiA> <xmx:CkjpYkY4quAkHXrzxXnywL2mydj9FYQurFonnohZf16HLeXZm0K7vQ> <xmx:CkjpYqOQujwE_G97EadkkUp-bZbOfGbfxPOjh5Qk1ziJ7Zw4FmIDww>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 2 Aug 2022 11:51:38 -0400 (EDT)
Message-ID: <92ad78a4-5e28-31e8-aa25-b41cb0692ff3@stpeter.im>
Date: Tue, 02 Aug 2022 09:51:37 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Cullen Jennings <fluffy@iii.ca>
Cc: draft-ietf-uta-rfc7525bis.all@ietf.org, "art@ietf.org" <art@ietf.org>, last-call@ietf.org, uta@ietf.org
References: <165728991008.45773.10659091812976572509@ietfa.amsl.com> <4c7fcbfe-5055-d33d-e1d1-27e85592551a@stpeter.im> <A0DD6035-C9D1-4FEC-A5E7-7D95FFC55602@iii.ca> <9c9922a8-93b5-611f-6433-dbac122dcc4f@stpeter.im> <e7b17bbe-0b6b-2a54-2100-b220a9afa92e@stpeter.im> <B186BFAC-6584-4395-837E-C8F09FE6AEC7@iii.ca> <e36b7842-9ebc-2fbd-54be-9a8a1fe05771@stpeter.im>
In-Reply-To: <e36b7842-9ebc-2fbd-54be-9a8a1fe05771@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/xbF3Q-BdmdDHF0X24LaWz0NkEuk>
Subject: Re: [Last-Call] [art] Artart last call review of draft-ietf-uta-rfc7525bis-09
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 15:51:44 -0000

Hi Cullen, having looked more closely at the text that's already in 
7525bis, I have a few questions inline...

On 8/1/22 4:18 PM, Peter Saint-Andre wrote:
> On 8/1/22 2:58 PM, Cullen Jennings wrote:
>>
>>
>>> On Jul 30, 2022, at 1:40 PM, Peter Saint-Andre <stpeter@stpeter.im> 
>>> wrote:
>>>
>>> Hi again,
>>>
>>> The authors have conferred on this and at this time we don't think 
>>> that we can recommend anything other than EC ciphers, for several 
>>> reasons:
>>>
>>> 1. DHE negotiation is broken.
>>
>> Perhaps a bit more explanation in the draft about the issues with 
>> DHE-RSA (in context of 7919) would help. 
> 
> For sure. We weren't crafting text yet, merely pointing out the basic 
> rationale behind exclusing non-EC ciphersuites. We can definitely 
> explain each of these three reasons more fully in text to follow. >
>> I was under the perhaps mistaken perception that the RFC 7919 was not 
>> subject to the Raccoon attack and that there were mitigation for the 
>> Racoon timing attacks. Given the reliance on a single class of 
>> algorithms, I think it would be worth highlighting the risks and 
>> provide good info on why alternatives don’t work.
> 
> Agreed.

Section 2.1 already says:

    *  Implementations SHOULD NOT negotiate cipher suites based on non-
       ephemeral (static) finite-field Diffie-Hellman key agreement.

       Rationale: These cipher suites, which have assigned values
       prefixed by "TLS_DH_*", have several drawbacks, especially the
       fact that they do not support forward secrecy.

Do you see the need for further explanation?

>>> 2. Static RSA is out of the question.
>>
>> I agree but would prefer that was phrased as things don’t provide PFS 
>> are out of the question, not that RSA is not usable. 
> 
> That makes sense.

Section 2.1 already says:

    *  Implementations SHOULD NOT negotiate cipher suites based on RSA
       key transport, a.k.a. "static RSA".

       Rationale: These cipher suites, which have assigned values
       starting with the string "TLS_RSA_WITH_*", have several drawbacks,
       especially the fact that they do not support forward secrecy.

Do you see the need for further explanation?

>> I see lots of confusion of those two. I will note that, if EC was 
>> broken by quantum or optical computers but RSA was not, I’m pretty 
>> sure I would be switching to something with no PFS vs something that 
>> was broken.
> 
> Very likely. :-)

Although I agree with the sentiment, it's not clear to me that 7525bis 
needs to include text on this somewhat speculative point.

>>> 3. Post-quantum (PQ) methods aren't ready yet.
>>
>> agree (thought I think they are getting surprising close and probably 
>> plan to ship them well ahead of any schedule I imagine the IETF 
>> getting around to agreeing on )
>>
>>>
>>> Our forecast is that a few years from now the PQ methods will be 
>>> ready for recommending in 7525ter, but for now EC is the best we can do.
> 
> I suspect that 7525ter will be published after the PQ methods have been 
> standardized at the IETF, but as we know it's never smart to make 
> specific forecasts about standardization schedules. ;-)

Here again I'm not sure that we need more text beyond what is already in 
version -10 (see Section 1):

    Naturally, future attacks are likely, and this document does not
    address them.  Those who implement and deploy TLS/DTLS and protocols
    based on TLS/DTLS are strongly advised to pay attention to future
    developments.  In particular, although it is known that the creation
    of quantum computers will have a significant impact on the security
    of cryptographic primitives and the technologies that use them,
    currently post-quantum cryptography is a work in progress and it is
    too early to make recommendations; once the relevant specifications
    are standardized in the IETF or elsewhere, this document should be
    updated to reflect best practices at that time.

Peter

v2.23.0 | Report a Bug | By Email