IETF Logo Mail Archive

Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 01 September 2015 21:19 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE851B2FBC for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 14:19:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YlcCiSFWT00S for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 14:19:08 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FDD01B2F37 for <saag@ietf.org>; Tue, 1 Sep 2015 14:19:08 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 919BD284B6C; Tue, 1 Sep 2015 21:19:06 +0000 (UTC)
Date: Tue, 01 Sep 2015 21:19:06 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150901211906.GA9021@mournblade.imrryr.org>
References: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com> <20150901165526.GU9021@mournblade.imrryr.org> <4F6E430F-61E7-46BA-9B4A-8E12156B62FA@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4F6E430F-61E7-46BA-9B4A-8E12156B62FA@vigilsec.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/63EMURtm6j0Vj740fSLv4PBBxL4>
Subject: Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 21:19:10 -0000

On Tue, Sep 01, 2015 at 04:58:31PM -0400, Russ Housley wrote:

> I'm trying to pull together the things that I have heard on this thread
> over the last week regarding Section 2.9.  I think I have captured them.
> Please let me know if I missed something?
> 
> 2.9.  Opportunistic Security
> 
>    Despite the guidance in Section 2.4, opportunistic security [RFC7435]
>    also deserves consideration, especially at the time a protocol
>    implementation is deployed and configured.  Using algorithms that are
>    weak against advanced attackers but sufficient against others is one
>    way to make pervasive surveillance significantly more difficult.  As
>    a result, algorithms that would not be acceptable in many negotiated
>    situations are acceptable for opportunistic security when legacy
>    systems are in use for unauthenticated encrypted sessions as
>    discussed in Section 3 of [RFC7435] as long as their use does not
>    facilitate downgrade attacks.  Similarly, weaker algorithms and
>    shorter key sizes are also acceptable for opportunistic security with
>    the same constraints.  That said, the use of strong algorithms is
>    always preferable.

I still think that the focus on just the weak(er) algorithms in OS
is unfortunate.  Rather agility and OS work hand-in-hand to improve
communications to the extent possible.  As new algorithms are
deployed, opportunistic peers will autmatically start to use stronger
cryptography.  

Once new algorithms have largely displaced legacy algorithms, one
can begin considering retirement of algorithms that used to be
required for interoperability.  This process is likely to take
longer for OS protocols/applications because interoperability
carries greater weight when security is not a hard requirement and
the alternative is cleartext.

So I'd like to see text that first emphasises the good news (over
time agility improves the security of OS protocols).  Then the bad
news (retirement of legacy crypto takes longer).  And finally notes
that OS is not carte-blanche for weak crypto, new OS applications
need to start with non-deprecated crypto, and legacy crypto needs
to still be retired once no longer needed.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email