Re: [TLS] Inclusion of OCB mode in TLS 1.3

Roland Zink <> Mon, 26 January 2015 09:43 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 25.01.2015 05:05, Peter Gutmann wrote:
> Aaron Zauner <> writes:
>> That's a nice trick but as you point out pretty useless in terms of a PKI.
> It's done solely to deal with browsers, which demand to see a certificate when
> they're connecting to something via TLS.
> (Aside: You can see why some people think of the CA/Browser forum as a conspiracy
>   to force the use of certs; despite there being very good alternatives
>   available, browsers force you to use certificates whether they're appropriate
>   or not).
You probably need to blame the IETF for this; for example RFC 2818 (HTTP Over TLS) states:

    3.1. Server Identity

    In general, HTTP/TLS requests are generated by dereferencing a URI. As a consequence, the hostname for the server is known to the client. If the hostname is available, the client MUST check it against the server's identity as presented in the server's Certificate message, in order to prevent man-in-the-middle attacks.
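As an added illustration (not code from the thread or from any TLS library), the following implements the RFC 2818 section 3.1 matching rules the quoted text refers to: dNSName subjectAltNames take precedence over the Common Name, an IP-literal host is compared only against iPAddress subjectAltNames, and `*` matches a fragment of one DNS label only. The certificate names passed in are assumed to have already been extracted from a parsed certificate; the sample names are constructed.

```python
import ipaddress
import re


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label.

    RFC 2818: '*' matches any single component or component fragment,
    so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com' but not 'bar.com'.
    """
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label) is not None


def matches_hostname(pattern: str, hostname: str) -> bool:
    """Compare a certificate name (dNSName or CN) with the URI hostname."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels):  # a wildcard never spans a dot
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def verify_identity(hostname, san_dns_names=(), san_ip_addresses=(), common_name=None):
    """Return True when the certificate identifies `hostname` per RFC 2818 3.1.

    `hostname` is the URI host without IPv6 brackets (assumption of this example).
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URI: only an exactly matching iPAddress SAN counts;
        # dNSName entries and the CN are not consulted.
        return any(ipaddress.ip_address(a) == ip for a in san_ip_addresses)
    if san_dns_names:
        # dNSName SANs present: they MUST be used; the CN is ignored.
        return any(matches_hostname(n, hostname) for n in san_dns_names)
    # No dNSName SAN: fall back to the (most specific) Common Name.
    return common_name is not None and matches_hostname(common_name, hostname)


if __name__ == "__main__":
    # Constructed certificate identity for demonstration only.
    cert_sans = ["example.com", "*.example.com"]
    print(verify_identity("www.example.com", san_dns_names=cert_sans))       # True
    print(verify_identity("a.b.example.com", san_dns_names=cert_sans))       # False
    print(verify_identity("192.0.2.1", san_dns_names=cert_sans))             # False
```

RFC 6125 and current browser policy later narrowed these rules (a wildcard only as the whole leftmost label), so real clients should rely on their TLS library's verifier rather than re-implementing the check.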