Re: [TLS] Ala Carte Cipher suites - was: DSA should die
Aaron Zauner <azet@azet.org> Sat, 04 April 2015 04:52 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0MxDpVASb3F5v9kqeg-mvfXAB0U>
Hi,

Dave Garrett wrote:
> (by the way, do we really want plain PSK?)

Added the PSK ciphersuites after lengthy discussion with Nikos and Peter Gutmann, they assure me it's of importance to the embedded world.

> Just splitting it into only two parts would avoid the risk of support holes you'd get with the full a la carte route.
>
> There's plenty of space in the registry to keep adding piles and piles of variations for each suite, but I have seen actual instances where a server and client actually do support the same handshake and connection ciphers in TLS 1.2, but don't negotiate it because the specific combination isn't listed. The current system does lead to some support holes as-is.

I actually really like the idea. But there're a couple of open questions to that; What happens to existing ciphersuites? And given we switch to a model of asymmetric and symmetric ciphersuites: (how) do we document all the implicit ciphersuites that are defined once a new symmetric or asymmetric algorithm is defined?

Aaron
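The support hole described in the quoted text, and the "implicit ciphersuites" question raised in the reply, as an added example that is not part of the original message or of any proposal in the thread. The function names are hypothetical, the client and server lists are constructed sample configurations, and splitting suite names at `_WITH_` is this example's simplification of a two-part model.

```python
from itertools import product

def split_suite(name):
    """Split 'TLS_<handshake>_WITH_<cipher>' into (handshake, cipher)."""
    handshake, cipher = name[len("TLS_"):].split("_WITH_", 1)
    return handshake, cipher

def negotiate_monolithic(client, server):
    """TLS 1.2 style: first server-preferred suite the client also lists."""
    offered = set(client)
    return next((s for s in server if s in offered), None)

def negotiate_split(client, server):
    """Two-part model: choose handshake and cipher independently.

    Assumes each side can combine any handshake it lists with any
    cipher it lists (the situation described in the quoted text).
    """
    c_parts = [split_suite(s) for s in client]
    s_parts = [split_suite(s) for s in server]
    c_hs = {h for h, _ in c_parts}
    c_ci = {c for _, c in c_parts}
    hs = next((h for h, _ in s_parts if h in c_hs), None)
    ci = next((c for _, c in s_parts if c in c_ci), None)
    return (hs, ci) if hs and ci else None

def implicit_suites(suites):
    """Combinations a two-part model permits that were never listed."""
    parts = [split_suite(s) for s in suites]
    handshakes = dict.fromkeys(h for h, _ in parts)  # ordered, de-duplicated
    ciphers = dict.fromkeys(c for _, c in parts)
    listed = set(parts)
    return [p for p in product(handshakes, ciphers) if p not in listed]

# Constructed sample configurations: both sides implement ECDHE_RSA, DHE_RSA,
# AES-128-GCM and AES-256-GCM, but list different pairings of them.
CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
SERVER = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print("monolithic:", negotiate_monolithic(CLIENT, SERVER))
    print("two-part:  ", negotiate_split(CLIENT, SERVER))
    print("implicit in client config:", implicit_suites(CLIENT))
```

With two handshakes and two ciphers listed as two suites, the two-part model already implies two combinations that no one wrote down; each newly defined algorithm grows that unlisted set multiplicatively.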