IETF Logo Mail Archive

Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06

Russ Housley <housley@vigilsec.com> Tue, 01 September 2015 23:56 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B944B1B5129 for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 16:56:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UWfHY_WnPpF for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 16:56:38 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 419091B510F for <saag@ietf.org>; Tue, 1 Sep 2015 16:56:38 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id E3C63F2412D for <saag@ietf.org>; Tue, 1 Sep 2015 19:56:27 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id 4OaQKaDoGQly for <saag@ietf.org>; Tue, 1 Sep 2015 19:55:30 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 64BA2F2412B for <saag@ietf.org>; Tue, 1 Sep 2015 19:56:27 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1085)
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20150901211906.GA9021@mournblade.imrryr.org>
Date: Tue, 01 Sep 2015 19:56:16 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <E44EE5B3-1469-49D7-9C15-299230E13779@vigilsec.com>
References: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com> <20150901165526.GU9021@mournblade.imrryr.org> <4F6E430F-61E7-46BA-9B4A-8E12156B62FA@vigilsec.com> <20150901211906.GA9021@mournblade.imrryr.org>
To: saag@ietf.org
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/pr4c98yHEiO-EnraSW-WxTeAQMs>
Subject: Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 23:56:39 -0000

On Sep 1, 2015, at 5:19 PM, Viktor Dukhovni wrote:

> On Tue, Sep 01, 2015 at 04:58:31PM -0400, Russ Housley wrote:
> 
>> I'm trying to pull together the things that I have heard on this thread
>> over the last week regarding Section 2.9.  I think I have captured them.
>> Please let me know if I missed something?
>> 
>> 2.9.  Opportunistic Security
>> 
>>   Despite the guidance in Section 2.4, opportunistic security [RFC7435]
>>   also deserves consideration, especially at the time a protocol
>>   implementation is deployed and configured.  Using algorithms that are
>>   weak against advanced attackers but sufficient against others is one
>>   way to make pervasive surveillance significantly more difficult.  As
>>   a result, algorithms that would not be acceptable in many negotiated
>>   situations are acceptable for opportunistic security when legacy
>>   systems are in use for unauthenticated encrypted sessions as
>>   discussed in Section 3 of [RFC7435] as long as their use does not
>>   facilitate downgrade attacks.  Similarly, weaker algorithms and
>>   shorter key sizes are also acceptable for opportunistic security with
>>   the same constraints.  That said, the use of strong algorithms is
>>   always preferable.
> 
> I still think that the focus on just the weak(er) algorithms in OS
> is unfortunate.  Rather agility and OS work hand-in-hand to improve
> communications to the extent possible.  As new algorithms are
> deployed, opportunistic peers will autmatically start to use stronger
> cryptography.  
> 
> Once new algorithms have largely displaced legacy algorithms, one
> can begin considering retirement of algorithms that used to be
> required for interoperability.  This process is likely to take
> longer for OS protocols/applications because interoperability
> carries greater weight when security is not a hard requirement and
> the alternative is cleartext.
> 
> So I'd like to see text that first emphasises the good news (over
> time agility improves the security of OS protocols).  Then the bad
> news (retirement of legacy crypto takes longer).  And finally notes
> that OS is not carte-blanche for weak crypto, new OS applications
> need to start with non-deprecated crypto, and legacy crypto needs
> to still be retired once no longer needed.

The whole point of the document is to make it easy to migrate from one algorithm suite to another more desirable one.  However, sometimes we want to keep an algorithm around that would otherwise have been discarded to achieve opportunistic security.  You seem to be trying to pull the points from the rest of the document into this paragraph.

Russ

v2.23.0 | Report a Bug | By Email