Re: [Tls-reg-review] [IANA #1132414] Re: Request to register TLS integrity only cipher suites for TLS 1.3
Benjamin Kaduk <kaduk@mit.edu> Thu, 10 December 2020 02:57 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: tls-reg-review@ietfa.amsl.com
Delivered-To: tls-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A53E3A0816 for <tls-reg-review@ietfa.amsl.com>; Wed, 9 Dec 2020 18:57:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SJwX0rBC6zSG for <tls-reg-review@ietfa.amsl.com>; Wed, 9 Dec 2020 18:57:06 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EADE23A0822 for <tls-reg-review@ietf.org>; Wed, 9 Dec 2020 18:57:05 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BA2ua3o015188 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 9 Dec 2020 21:56:40 -0500
Date: Wed, 09 Dec 2020 18:56:35 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "iana-prot-param@iana.org" <iana-prot-param@iana.org>, "ncamwing@cisco.com" <ncamwing@cisco.com>, "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>, "jmvisoky@ra.rockwell.com" <jmvisoky@ra.rockwell.com>
Message-ID: <20201210025635.GD64351@kduck.mit.edu>
References: <RT-Ticket-1132414@icann.org> <CFEF8F6B-9136-4B4C-B6DE-0E635786A240@akamai.com> <rt-4.4.3-21493-1544578196-1273.1132414-37-0@icann.org> <B8FCF390-4B0A-46BC-B3AB-E92A7C7D4FCF@akamai.com> <rt-4.4.3-23334-1544633480-1124.1132414-37-0@icann.org> <rt-4.4.3-4154-1544656355-1253.1132414-37-0@icann.org> <6D19FB88-FBA8-4F50-A004-067AE6218344@akamai.com> <20201210004439.GB64351@kduck.mit.edu> <96E22077-B954-4C3C-82AC-E311594D71A3@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <96E22077-B954-4C3C-82AC-E311594D71A3@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls-reg-review/kPAhFov6s8K3cz2iPDjYq2ZWrTc>
Subject: Re: [Tls-reg-review] [IANA #1132414] Re: Request to register TLS integrity only cipher suites for TLS 1.3
X-BeenThere: tls-reg-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TLS REVIEW <tls-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls-reg-review>, <mailto:tls-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls-reg-review/>
List-Post: <mailto:tls-reg-review@ietf.org>
List-Help: <mailto:tls-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls-reg-review>, <mailto:tls-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 02:57:10 -0000
Sorry, "these ciphers" was intended to mean TLS_SHA256_SHA256 and TLS_SHA384_SHA384. -Ben On Thu, Dec 10, 2020 at 02:54:07AM +0000, Salz, Rich wrote: > Not sure what "these ciphers" means, but in retrospect it was ambiguous to say DTLS-OK because that doesn't have version info and DTLS 1.3 was still a draft. > > On 12/9/20, 7:44 PM, "Benjamin Kaduk" <kaduk@mit.edu> wrote: > > Digging up this old thread since we may have to revisit the DTLS-OK > value... > My AD review of draft-ietf-tls-dtls13 notes that the mechanism for sequence > number encryption makes some assumptions on the underlying cipher of the > AEAD construction. One proposal for changing the draft to make different > assumptions that are more future-proof may involve setting DTLS-OK to 'N' > for these ciphers (https://urldefense.com/v3/__https://github.com/tlswg/dtls13-spec/pull/166/files__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_-zfT79$ ). > Regardless, the authors of this draft might do well to provide some > indication of the expected sequence number (non-)protection mechanism. > > -Ben > > On Thu, Dec 13, 2018 at 03:55:03AM +0000, Salz, Rich wrote: > > DLTS-OK is Y > > > > On 12/12/18, 6:12 PM, "Sabrina Tanamal via RT" <iana-prot-param@iana.org> wrote: > > > > Hi Rich, all, > > > > Sorry we have one more question. Can you let us know how to fill in the "DTLS-OK" column in the TLS Cipher Suites registry? > > > > Thanks, > > > > Sabrina Tanamal (filling in for Amanda) > > Senior IANA Services Specialist > > > > On Wed Dec 12 16:51:20 2018, rsalz@akamai.com wrote: > > > To avoid creating new holes, how about right after dragonfly: > > > 0xC0,0xB3 TLS_ECCPWD_WITH_AES_256_CCM_SHA384 Y N > > > [RFC-harkins-tls-dragonfly-03] > > > 0xC0,0xB4-FF Unassigned > > > > > > On 12/11/18, 8:29 PM, "Amanda Baber via RT" <iana-prot- > > > param@iana.org> wrote: > > > > > > Hi Rich, > > > > > > Which values should we assign? There are a number of ranges available, > > > and I haven't been able to find any text in RFC 8447 or RFC 8446 that > > > identifies which section is for "Not Recommended" assignments: > > > > > > https://urldefense.com/v3/__https://www.iana.org/assignments/tls-parameters/tls-__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF5GSbsmF$ > > > parameters.xhtml#tls-parameters-4 > > > > > > Thanks for your patience, > > > > > > Amanda Baber > > > Lead IANA Services Specialist > > > > > > On Tue Dec 11 20:34:22 2018, rsalz@akamai.com wrote: > > > > We discussed this and approve. Please assign two numbers in the "not > > > > recommended" space. > > > > > > > > Thanks! > > > > > > > > On 12/5/18, 2:54 PM, "Nancy Cam-Winget (ncamwing)" > > > > <ncamwing@cisco.com> wrote: > > > > > > > > > Contact Name: > > > > > Nancy Cam-Winget > > > > > > > > > > Contact Email: > > > > > ncamwing@cisco.com > > > > > > > > > > Type of Assignment: > > > > > "Not Recommended" TLS Cipher suite assignment > > > > > > > > > > Registry: > > > > > TLS 1.3 cipher suite > > > > > > > > > > Description: > > > > > At least two IoT (ODVA and IEC) forums are requesting the need for > > > > > enabling TLS 1.3 with integrity only protection in the data plane. > > > > > Under security considerations, we are not recommending this cipher > > > > > suite to be widely used and note that no privacy is provided when > > > > > this > > > > > cipher suite is used and several use cases have been noted where > > > > > privacy is not required. > > > > > > > > > > Additional Info: > > > > > We have noted the use cases and security (and privacy) > > > > > considerations > > > > > in https://urldefense.com/v3/__https://tools.ietf.org/html/draft-camwinget-tls-ts13-__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF7v813C7$ > > > > > macciphersuites-01 as well as how the cipher suite would be used > > > > > with > > > > > TLS 1.3 > > > > > > > > > > > > > > > > _______________________________________________ > > > > tls-reg-review mailing list > > > > tls-reg-review@ietf.org > > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls-reg-review__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_vbCWlv$ > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > tls-reg-review mailing list > > tls-reg-review@ietf.org > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls-reg-review__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_vbCWlv$ > > > > > > _______________________________________________ > > tls-reg-review mailing list > > tls-reg-review@ietf.org > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls-reg-review__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_vbCWlv$ >
- [Tls-reg-review] Request to register TLS integrit… Nancy Cam-Winget (ncamwing)
- Re: [Tls-reg-review] Request to register TLS inte… Salz, Rich
- Re: [Tls-reg-review] Request to register TLS inte… Nick Sullivan
- Re: [Tls-reg-review] Request to register TLS inte… Yoav Nir
- Re: [Tls-reg-review] Request to register TLS inte… Salz, Rich
- [Tls-reg-review] [IANA #1132414] Re: Request to r… Amanda Baber via RT
- Re: [Tls-reg-review] [IANA #1132414] Re: Request … Salz, Rich
- [Tls-reg-review] [IANA #1132414] Re: Request to r… Sabrina Tanamal via RT
- Re: [Tls-reg-review] [IANA #1132414] Re: Request … Salz, Rich
- [Tls-reg-review] [IANA #1132414] Re: Request to r… Sabrina Tanamal via RT
- Re: [Tls-reg-review] [IANA #1132414] Re: Request … Benjamin Kaduk
- Re: [Tls-reg-review] [IANA #1132414] Re: Request … Salz, Rich
- Re: [Tls-reg-review] [IANA #1132414] Re: Request … Benjamin Kaduk
- Re: [Tls-reg-review] EXTERNAL: Re: [IANA #1132414… Jack Visoky
- Re: [Tls-reg-review] EXTERNAL: Re: [IANA #1132414… Salz, Rich
- [Tls-reg-review] [IANA #1184629] Re: Re: Request … Amanda Baber via RT
- Re: [Tls-reg-review] [IANA #1184629] Re: Re: Requ… Salz, Rich
- Re: [Tls-reg-review] EXTERNAL: Re: [IANA #1132414… Benjamin Kaduk