Re: [TLS] Comments on various things on agenda (Was: Re: TLS Interim - update and agenda)

Yoav Nir <ynir.ietf@gmail.com> Mon, 09 March 2015 21:42 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-_LBbNa-ELfau6uObS451d5lhDg>

> On Mar 9, 2015, at 9:27 PM, Stephen Checkoway <s@pahtak.org> wrote:
> 
> 
> On Mar 9, 2015, at 2:19 PM, Dave Garrett <davemgarrett@gmail.com> wrote:
> 
>> Generally specs get exactly one MTI.
> 
> We should reevaluate that. Having a single MTI leads to situations like IMAP's STARTTLS (RFC 3501) which makes RC4 the only MTI.

How many IMAP clients and servers support only RC4? If I configured my client or server to work with some popular ciphersuites (like AES-CBC 128-bit with SHA and either RSA or RSA_ECDSA) would I get failures?

The problem with >1 MTI is that it raises the bar for a minimum-sized codebase, same as the old “all IPv6 implementations MUST have IPsec”. It’s not a problem for a server, a personal computer or even a phone to have two algorithms, but will that work for smartobjects? I guess DICE or a successor might create a profile for smartobjects that has only one MTI despite what the TLS 1.3 document might say, just as previous working groups excused smartobjects from supporting IPsec. Do we really want to go there?

Yoav