Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Aaron Zauner <> Mon, 01 June 2015 16:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DB5661B2C81 for <>; Mon, 1 Jun 2015 09:12:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hYs9D2JXwANe for <>; Mon, 1 Jun 2015 09:12:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9CC091B2C61 for <>; Mon, 1 Jun 2015 09:07:02 -0700 (PDT)
Received: by wgv5 with SMTP id 5so118688456wgv.1 for <>; Mon, 01 Jun 2015 09:07:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=Ww8h7Tm2h//S/RSn4RUuzlO46IatuTwjE/YLtCFThm8=; b=D/5MjTqvY7E7quWtgaySqdXcJGjuRJvm1gL5w88HxoUE5NI5gFQzSjiAa32sTzdHWv LR6aVwZOsyQMd1DXEs7ORzBZGMjmhIpKi7r1UoN0ufgVoO3U0RnbtJY7JARpgaQBbAHK IYsF4NiyuYakN2KFoqrOTVCtHZIE+cNtVMQddHj3/BDs++tjg8TFiVaPRVTTg19L0TGi 2RQOjc7veC34ket5NzY1yhZaz82pQJLr/dqsbRAcADQudFG3nWg/kOHFSFXwX/sh8tRm x9P+W4pEscAURlRubU+JftkDZnQLYC58Q+qVvPOkuJLyj8/GKCtPx+Kh/Ao5OjQg10QI boOQ==
X-Gm-Message-State: ALoCoQk9DgMYpD0MtYQmu8QLBmWkYBeRK+tbiHvkiHa3HIuJDnpHl1q2LKxQqpDb+TevsMzu3qXc
X-Received: by with SMTP id bu9mr22268051wib.88.1433174821389; Mon, 01 Jun 2015 09:07:01 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id n1sm17341354wix.0.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 01 Jun 2015 09:07:00 -0700 (PDT)
Message-ID: <>
Date: Mon, 01 Jun 2015 18:06:56 +0200
From: Aaron Zauner <>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="------------enig44E65CF632907CF32CB41A1D"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Jun 2015 16:12:39 -0000


Jeffrey Walton wrote:
> What do you suggest for resource constrained devices? What are the
> remaining choices?

There're none.

> When the device cannot do public key, they often use PSK.
> PSK also has two desirable properties: channel binding and mutual
> authentication, and most other cipher suites don't provide them.

I agree, but am unsure to what extent they are used in real life. I'm
trying to reduce the number of cipher-suites that would have to be added
to the IANA TLS parameter list; since PSK is unsupported with GCM
cipher-suites it seems only logical to exclude them here as well.
Because I regularly receive off-list mail that PSK is indeed wanted,
I've not yet removed those cipher-suites.

RFC3268 (CBC modes) also excludes TLS-PSK ciphersuites. There seems to
be a seperate document that deals with TLS-PSK namely RFC5487 (defines
GCM and CBC PSK cipher-suites). It might make sense to update this
document in case OCB mode get's accepted by the TLS-WG instead.

BTW: is TLS-SRP in use anywhere?