Re: [TLS] Ala Carte Cipher suites - was: DSA should die

[Brian Smith <brian@briansmith.org>]

Tony Arcieri <bascule@gmail.com> wrote:
> On Sat, Apr 4, 2015 at 4:55 PM, Salz, Rich <rsalz@akamai.com> wrote:
>>
>> > Please don't change the syntax for negotiating cipher suites.
>>
>> +1, for the reasons Brian said.
>
> Looks like the opinion of TLS implementers is this far unanimously against
> this proposal. I would like to give the counterpoint from a TLS user
> perspective.
>
> I am more or less in charge of the ciphersuite selection for a large web
> site with a lot of users. I find the present means of describing
> ciphersuites to TLS stacks to be difficult at best. As myself and many
> others have described, we're essentially being asked to compute the
> combinatorial explosion of different ciphersuite configurations by hand.

As far as I understand, that problem doesn't have much to do with the
syntax of cipher suites in the ClientHello, because that problem is
about describing to your web server software which cipher suites to
enable on the server.
> Guess what happens when you do that? People make mistakes. I think the TLS
> libraries should have an easier-to-use configuration format that computes
> things for me so I don't have to. I understand why TLS implementers are
> reluctant to provide that. It's more work for them. But so far none of them
> have said why this is qualitatively bad.

That can be done already today, without any protocol changes, and
without any TLS library changes (at least as far as OpenSSL is
concerned). Somebody just needs to write the code to do it.

> Seems like a huge win to me. So what's the problem from an implementer
> perspective besides "it'd be hard"?

The client doesn't always (ever?) want to enable the entire set of
(key exchange algorithm * authentication algorithm * encryption
algorithm * integrity algorithm) combinations, so a syntax that only
allows the client to describe cipher suites by the individual
components is too limiting.

More generally, an "a la cart" syntax automates the enabling of lots
of cipher suites. But, how is enabling lots of cipher suites a good
thing? it seems like a bad idea, in general, to me.

If we had a need to have clients enable a whole lot more cipher
suites, such that the size of the ClientHello would become really
large with the current syntax, then that would be a reason to consider
a new syntax. But, it seems that when we consider that the old syntax
has to be supported for backward compatibility with TLS 1.2 and below,
it seems like the set of new cipher suites to enable would have to be
quite large before we would enjoy any positive space savings from
doing that. Thus, the idea seems counterproductive even considering
the area where it would be most likely to help.

Finally, there is a lot of value to getting TLS 1.3 done in a
reasonable time frame. Cutting unnecessary or counterproductive
changes accelerates the schedule while giving us more time to solve
more important problems.

Cheers,
Brian