Re: [MLS] confirming cipher suites decisions

Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Thu, 27 February 2020 10:48 UTC

Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 299333A0854 for <mls@ietfa.amsl.com>; Thu, 27 Feb 2020 02:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0XSjGU23uFF for <mls@ietfa.amsl.com>; Thu, 27 Feb 2020 02:48:47 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51D213A0850 for <mls@ietf.org>; Thu, 27 Feb 2020 02:48:47 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.70,491,1574118000"; d="scan'208,217";a="437874666"
Received: from 82-64-165-115.subs.proxad.net (HELO [192.168.1.13]) ([82.64.165.115]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Feb 2020 11:48:36 +0100
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Message-Id: <77B4B842-16AF-40C0-BFBB-B58420AA89AA@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_212B10E5-CDC4-4D87-B476-173C10087303"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Thu, 27 Feb 2020 11:48:36 +0100
In-Reply-To: <4AEB16AA-BF20-4238-9B6E-2C0BD7760AC2@inria.fr>
Cc: Cas Cremers <cas.cremers@gmail.com>, Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>, ML Messaging Layer Security <mls@ietf.org>, Konrad Kohbrok <konrad.kohbrok@datashrine.de>
To: Britta Hale <britta.hale@nps.edu>
References: <D107086A-ED6C-48D8-8BC3-B3AE7E424F85@sn3rd.com> <D2B8EAF9-9109-4247-B714-13306724F712@nps.edu> <B02410C5-F6C3-4580-AA92-C48687731919@nps.edu> <06d1ebbf-2163-02bc-1cf5-4dc3633ce64a@datashrine.de> <0BE1075B-081C-4D44-82CB-56044BCAC0CC@sn3rd.com> <CAL02cgS813EWDm8g=_P18XHVJJJErgit4OWP7fDCMPzkQcJQQw@mail.gmail.com> <15F5F403-B3DD-4CE9-B47E-FA5D04BBBDC6@sn3rd.com> <83F1DE47-1230-4118-81C6-E065F5049995@inria.fr> <619cf3d1-eb09-485c-595f-3bfbb4b175b5@gmail.com> <463B50F6-67FF-4E40-8CAE-14D272CDD965@inria.fr> <5A69070B-BF2F-4A91-939F-0BD473F3FB0A@inria.fr> <A6881857-406E-45E9-BEC7-823E15633619@nps.edu> <4AEB16AA-BF20-4238-9B6E-2C0BD7760AC2@inria.fr>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/XRd-EYDe_Jl2Dq7pbeh7HJYfLRo>
Subject: Re: [MLS] confirming cipher suites decisions
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2020 10:48:49 -0000


> On 27 Feb 2020, at 11:47, Benjamin Beurdouche <benjamin.beurdouche@inria.fr <mailto:benjamin.beurdouche@inria.fr>> wrote:
> 
> Hi Britta,
> 
>> On 27 Feb 2020, at 10:57, Hale, Britta (CIV) <britta.hale@nps.edu <mailto:britta.hale@nps.edu>> wrote:
>> 
>> Benjamin,
>>  
>> The issues you describe are primarily TLS-type problems, where uncontrolled, large-scale agility and interop issues exist.
> 
> Yes exactly, and I think two-party short lived connections for TLS are easier to handle
> than will be the long-lived multi-party connections of MLS.
> 
>> As has been stated in the working group as a supporting argument to many changes over the different drafts, within the messaging/MLS space we are looking at significantly more client-specific control.
> 
> Yes, and we keep being careful that it is the case when writing the drafts,
> but this doesn’t mean that we should be willing to risk interoperability.
> 
>> It is not unreasonable for a newcomer to support a selection of signature schemes. If the group creator really wants full interop, they can always define the set of available schemes to consist only of the MTI.
> 
> I think at reverse, if you are willing to break interop, you should be selecting something

S/should be selecting/can select/

> else than the MTI when creating the group. And again, in what I say, nothing prevents
> you to pick the NIST ciphersuite for compliance and use only that.
> But I don’t see the interest of mixing algs and put at risk implementations and interoperability.
> 
> Out of curiosity, where you somehow arguing for multiple MTIs here ?
> 
> B.