Re: [Tcpcrypt] Initial questions

ianG <iang@iang.org> Thu, 19 June 2014 10:46 UTC

Message-ID: <53A2BF69.3040001@iang.org>
Date: Thu, 19 Jun 2014 11:46:01 +0100
From: ianG <iang@iang.org>
To: tcpcrypt@ietf.org
References: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com> <53A2066A.4090802@isi.edu>
In-Reply-To: <53A2066A.4090802@isi.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/P_hJ4uwfD0KfR5cJGgLfBbOrWyQ

On 18/06/2014 22:36 pm, Joe Touch wrote:
> Comments on your other points:
> 
> On 6/18/2014 2:15 PM, Sandy Harris wrote:
> 
> As to the specific algorithms and how many, we probably all agree that a
> small number of required algorithms is preferable. I think 2 is a good
> upper bound on the MUST algorithms, though.


Actually, no.  I for one disagree.  There should be one true cipher
suite [0].

> Algorithm agility just means that the protocol isn't inherently
> dependent on any one algorithm, so that it can be extended in the future
> to support other algorithms - that seems prudent.


If an exploit is found, then it's time to roll out version 2.  You'll
need a way to negotiate the version anyway, may as well use it.

(I know it is popular to approximate the whole 'all' thing in WG-speak
and I'm happy to go down in flames on the rough consensus.)



iang

[0] http://iang.org/ssl/h1_the_one_true_cipher_suite.html