Re: [TLS] MTI policy & practice (Was: Re: Comments on various things on agenda)

Dave Garrett <davemgarrett@gmail.com> Wed, 11 March 2015 01:12 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 662591A9124 for <tls@ietfa.amsl.com>; Tue, 10 Mar 2015 18:12:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QOJxCEPVh3dQ for <tls@ietfa.amsl.com>; Tue, 10 Mar 2015 18:12:14 -0700 (PDT)
Received: from mail-qc0-x22d.google.com (mail-qc0-x22d.google.com [IPv6:2607:f8b0:400d:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10F041A8782 for <tls@ietf.org>; Tue, 10 Mar 2015 18:12:14 -0700 (PDT)
Received: by qcwr17 with SMTP id r17so6762905qcw.2 for <tls@ietf.org>; Tue, 10 Mar 2015 18:12:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=BEYvyfE3MsrQ187wvJOVUHfGUH1MXDokcUblYlCom+c=; b=TYh406HW9LMQHO1Idwn0zqQPDsyFrvdOLsIlrSK9bX2OmfFQOMG6fYyU/pJnxT5+mO g6IhewnFsB2SVxOmBtghKDBBIy1nn3ZYD8oN+ADTUyI1pSpSM8mIDny0aMrg7foNgWAL ID7BrMK50/TCvRkPzh2+7pbpdV84kllAVm7qyZrWDaueFdguwYKlsNejKnv58Nco87sZ 0DgsVqakYTA+ii+0wl2iI0Dy9BLe3vv+TDdyCD/CTDKfIqpovqIpIoA5zhgoSk4OXxU4 nwwNdlFX11+B/ZskpVq9J6l8/lRR9hhT4dIXudE5LbfAPbeUvOAZbxU9NCECA36b+38r 5/Bg==
X-Received: by 10.55.15.159 with SMTP id 31mr15446716qkp.29.1426036333199; Tue, 10 Mar 2015 18:12:13 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id a73sm1587257qka.0.2015.03.10.18.12.12 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 10 Mar 2015 18:12:12 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 10 Mar 2015 21:12:09 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-71-generic-pae; KDE/4.4.5; i686; ; )
References: <65D2FD736B6B2B48B2EAD2BD189DC9CC270CA949@LLE2K10-MBX01.mitll.ad.local> <201503091911.17254.davemgarrett@gmail.com> <CACsn0cn-3mw9rCdiw5mMGZZD3XM1QER0bXRqGe6PcpB+i0XHYg@mail.gmail.com>
In-Reply-To: <CACsn0cn-3mw9rCdiw5mMGZZD3XM1QER0bXRqGe6PcpB+i0XHYg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201503102112.09880.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/214JSnrDSfQ5cGO9sv9W_ejocb4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] MTI policy & practice (Was: Re: Comments on various things on agenda)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 01:12:15 -0000

On Tuesday, March 10, 2015 08:33:45 pm Watson Ladd wrote:
> On Mar 9, 2015 4:11 PM, "Dave Garrett" <davemgarrett@gmail.com> wrote:
> > On Monday, March 09, 2015 06:38:08 pm Aaron Zauner wrote:
> > > In any case, people do argue that algorithmic agility causes more
> > > problems than it's worth. I agree somewhat, but IMHO at least one
> > > backup is a good idea
> >
> > I'd much rather have three than two. (not counting deprecated
> > ciphers/modes) I think of it in this way: if one were to vanish, there
> > would still be a choice left. With only two chosen ones, then a fatal
> > attack on one brings us all the way back to the one-true-cipher again.
> >
> > If you assume eventual failure, a secondary backup is very desirable.
> 
> Both AES-CCM and AES-GCM have security reducing to that of AES as a PRP. So
> they aren't actually independent backups. The issue is that extremely
> limited hardware may only support AES-CCM.

Yes, to be clear, I'm saying we'd ideally want an ecosystem with 3 ciphers, not 3 cipher suites. (the discussion drifted and the words are fuzzy) Too few results in failing back to a risky point, and too many risks fragmenting cipher support and interop too much.

Referencing the whole zoo of newer AES AEAD modes in the TLS 1.3 spec is probably worthwhile, but picking just one for MTI probably means GCM. Hey, if we can do ~another~ MTI, we could go: Chacha/Poly + AES-GCM + one other AES mode, all MTI, with Chacha/Poly as MTD.


Dave
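The distinction Watson and Dave draw above (three cipher suites versus three independent ciphers, with AES-GCM and AES-CCM both reducing to AES) can be made concrete. The following is an added example, not code from the thread or from any TLS implementation; it assumes the RFC 8446 suite names TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256 and TLS_CHACHA20_POLY1305_SHA256, and the suite lists it evaluates are constructed for illustration rather than being any recommendation.

```python
"""Added example: count the *independent* ciphers behind a TLS 1.3 suite list.

AES-GCM and AES-CCM are both AES-in-counter-mode plus an authenticator, so a
fatal break of AES as a PRP removes every AES suite at once.  This script
parses RFC 8446 style suite names (TLS_<AEAD>_<HASH>, an assumption of this
example), groups suites by underlying primitive, and reports how many
independent ciphers would survive the loss of any single one.
"""
import re

# RFC 8446 naming: TLS_<AEAD construction>_<HKDF hash>.
SUITE_RE = re.compile(r"^TLS_(?P<aead>[A-Z0-9_]+?)_(?P<hash>SHA256|SHA384)$")


def parse_suite(name):
    """Split a TLS 1.3 suite name into primitive, key size, AEAD mode and hash.

    Raises ValueError for names outside the TLS 1.3 naming convention.
    """
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("not a TLS 1.3 suite name: %r" % name)
    aead, hash_name = m.group("aead"), m.group("hash")
    if aead.startswith("AES_"):
        # AES_<bits>_<mode>, where mode is GCM, CCM or CCM_8; all reduce to AES.
        _, bits, mode = aead.split("_", 2)
        return {"primitive": "AES", "key_bits": int(bits),
                "mode": mode, "hash": hash_name}
    if aead == "CHACHA20_POLY1305":
        return {"primitive": "ChaCha20", "key_bits": 256,
                "mode": "POLY1305", "hash": hash_name}
    raise ValueError("unknown AEAD construction: %r" % aead)


def independent_primitives(suites):
    """The set of distinct underlying ciphers behind a suite list."""
    return {parse_suite(s)["primitive"] for s in suites}


def survivors_if_broken(suites, broken_primitive):
    """Primitives still usable if one underlying cipher is fatally broken."""
    return sorted(independent_primitives(suites) - {broken_primitive})


def remaining_after_worst_loss(suites):
    """How many independent ciphers survive the loss of any single one.

    1 means a single break falls back to a one-true-cipher situation;
    2 means a choice still remains after the break.
    """
    prims = independent_primitives(suites)
    if not prims:
        return 0
    return min(len(survivors_if_broken(suites, p)) for p in prims)


# Constructed suite lists for illustration.
# Three AES suites look like three options but are one cipher.
AES_ONLY = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_CCM_SHA256"]
# AES-GCM plus ChaCha20/Poly1305: two independent ciphers.
TWO_CIPHERS = ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]
# Adding a second AES mode does not add a third independent cipher.
GCM_CCM_CHACHA = TWO_CIPHERS + ["TLS_AES_128_CCM_SHA256"]

if __name__ == "__main__":
    for label, suites in [("AES only", AES_ONLY),
                          ("AES-GCM + ChaCha", TWO_CIPHERS),
                          ("AES-GCM + AES-CCM + ChaCha", GCM_CCM_CHACHA)]:
        print("%-28s %d suites -> %d independent ciphers, %d left after the "
              "worst single break" % (label, len(suites),
                                      len(independent_primitives(suites)),
                                      remaining_after_worst_loss(suites)))
```

Run as a script it shows the point of the thread numerically: the three-suite GCM+CCM+ChaCha list still leaves only one cipher standing after the worst single break, exactly as the two-suite list does, because the extra CCM suite shares its primitive with GCM. Reaching Dave's "two left after a loss" target requires a third primitive that does not reduce to AES or ChaCha20, not a third AES mode.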