[TLS] TLS False Start
Hannes Tschofenig Fri, 28 November 2014 19:36 UTC
Date: Fri, 28 Nov 2014 20:36:23 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2bcyGLpL_ngTyo2Jc6RGg4jARog
Subject: [TLS] TLS False Start
Hi Bodo, Hi all, I read through <draft-bmoeller-tls-falsestart-01>. The document is well written but I have a few questions. There are various conditions specified when the TLS False Start mechanism is fit for use. I believe there is room for improvement regarding the way how these conditions are formulated. At the moment, they are more written as examples rather than a list of security properties. I am worried that many of the provided examples will be outdated fairly soon as algorithms continuously evolve. For example, you say that AES-GCM is OK. You cite the key length and I guess you are also including the current state of security analysis of the given cipher in that consideration. Would it be OK to use AES-CCM with False Start? I think so. Then, you list a couple of key exchange methods (DHE_RSA, ECDHE_RSA, DHE_DSS, ECDHE_ECDSA), which you consider being fit for TLS False Start. You indicate that an ephemeral DH exchange is need and I was wondering why this is the case? Why isn't a "normal" DH not acceptable? Would a ciphersuite like TLS_PSK_WITH_AES_128_CCM_8 be acceptable since it does not use a public key based ciphersuite and it also does not use an ephemeral Diffie-Hellman exchange. Finally, you list "client certificate types". As someone who is interested in the PSK case I am wondering whether you would consider PSK ciphersuites as acceptable as well. With the indicated criteria it is a bit hard to tell. Ciao Hannes
