Re: [rtcweb] Security architecture: Making ECDSA mandatory

Randell Jesup <randell-ietf@jesup.org> Thu, 09 June 2016 06:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/Yn4XcVmnWMjPZLDoW9aj9TNXp78>

On 5/25/2016 6:03 AM, Harald Alvestrand wrote:
> In my search for status on ECDSA (we're in the process of switching 
> the Chrome default), I came across this in the current draft:
>
>     All implementations MUST implement DTLS 1.0, with the cipher suite
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and the DTLS-SRTP protection
>     profile SRTP_AES128_CM_HMAC_SHA1_80.  Implementations SHOULD
>     implement DTLS 1.2 with the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>     cipher suite.  Implementations SHOULD favor cipher suites which
>     support PFS over non-PFS cipher suites and GCM over CBC cipher
>     suites.  [[OPEN ISSUE: Should we require ECDSA?  Waiting for WG
>     Consensus.]]
>
> I also found Martin's PR. It's 11 months old, still open.
>
> Can we merge this now?

PLEASE :-)  Is there any objection at all?  If not, let's do it ASAP.

>
>
> On 06/13/2015 12:06 AM, Martin Thomson wrote:
>> I've opened https://github.com/rtcweb-wg/security-arch/pull/33


-- 
Randell Jesup -- rjesup a t mozilla d o t com
Please please please don't email randell-ietf@jesup.org!  Way too much spam