Re: [TLS] Reminders
Dave Garrett <davemgarrett@gmail.com> Mon, 11 July 2016 16:59 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5080F12D5A8 for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 09:59:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZSrnrBAOgwC for <tls@ietfa.amsl.com>; Mon, 11 Jul 2016 09:59:34 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 898CF128E18 for <tls@ietf.org>; Mon, 11 Jul 2016 09:59:34 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id s63so62796681qkb.2 for <tls@ietf.org>; Mon, 11 Jul 2016 09:59:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=iT+FW5qbqioTSllYebxcvNb7cUWvljBXS/vnO9ctleo=; b=pDbv6ze2xwWLF15AuP7Q6zqIqSnbgSo1wqBCqRVSDh+HrXHGxKPKwq/el0kQbjA/Un 5uBVTDP553v/Yy54rBBsWOkYrzwdmUSGtXaG6s4Or2TQXbcoJ4qCrzck0IIICS6Er16v FVcIdp/loBOw56al7Ac7Mncwzx1XJjdRbI/ixrCgOxHz5Y8GnRKp+mCUdBUv/MswK0X9 3XXEbC6kfMRpvE9op3SrmJmnHPHVoj2LDV32C40bbrdUz4KkMnMFFWdjArT107+/GyKm etJ921Rv/xT7wmikwdgfSdQqRdPDk1wuStnS1YBLAVHpnFGl78lZ5f8DeAI0f3BdBG++ Mb3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=iT+FW5qbqioTSllYebxcvNb7cUWvljBXS/vnO9ctleo=; b=MDKJ8cpJqReEI2XzQ27WIZ44ycW1LJ9E3Blz7nUiUa9aUx8yyuOXvHcZQvbDjCHQ8x oYida83N0mnL7aVq99m59As59F1yaUUxCLqYJghkRZdhg8dYCgMuaob1X2p7EENUSk1h XD1vL1wn+TpkzGaovuPJVSjSKOTLG1WMJNM9SPQXYZaFRmnHq5iVW95BPBSRps5FZHr1 1buTqPiLJGcDkQqgUSc13zKLhSd9wWLPiXovcV2VzJsrjqyhgicoowocDGmn1PcF0zq9 DLGmIUG+nzfbFUuCMXRKf88idcVLHNvbKHHElVxTNUlu8PgfAQjEKuZjIz/YFauBOea6 mjsw==
X-Gm-Message-State: ALyK8tKS8Ip1SYPbJ2l1wAyfHuG53gjjtd+hXUmyL344XkxZRLJ26STrrBHQ642eeCw34A==
X-Received: by 10.55.22.154 with SMTP id 26mr26645996qkw.193.1468256364396; Mon, 11 Jul 2016 09:59:24 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-27-22.phlapa.fios.verizon.net. [71.185.27.22]) by smtp.gmail.com with ESMTPSA id f53sm2869980qtf.25.2016.07.11.09.59.23 (version=TLS1 cipher=AES128-SHA bits=128/128); Mon, 11 Jul 2016 09:59:23 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Mon, 11 Jul 2016 12:59:21 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <47E3268E-46F0-4308-88EA-250042EF2B80@sn3rd.com>
In-Reply-To: <47E3268E-46F0-4308-88EA-250042EF2B80@sn3rd.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201607111259.22367.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3adyR__tjO_w7huLt_vnbbx_c2o>
Subject: Re: [TLS] Reminders
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 16:59:36 -0000
On Monday, July 11, 2016 10:27:21 am Sean Turner wrote: > - Before 12 July, we’d like to know your thoughts about progressing draft-ietf-tls-pwd (Watson and ekr responded): > https://mailarchive.ietf.org/arch/msg/tls/WrNa7PXTZn2ZhfmoQDA_pnUVuN4 This document defines new cipher suites using obsolete crypto. Quoting https://tools.ietf.org/html/draft-ietf-tls-pwd-07#section-5 : > This memo adds the following ciphersuites: > > CipherSuite TLS_FFCPWD_WITH_3DES_EDE_CBC_SHA = ( TBD, TBD ); > > CipherSuite TLS_FFCPWD_WITH_AES_128_CBC_SHA = (TBD, TBD ); > > CipherSuite TLS_ECCPWD_WITH_AES_128_CBC_SHA = (TBD, TBD ); > > CipherSuite TLS_ECCPWD_WITH_AES_128_GCM_SHA256 = (TBD, TBD ); > > CipherSuite TLS_ECCPWD_WITH_AES_256_GCM_SHA384 = (TBD, TBD ); > > CipherSuite TLS_FFCPWD_WITH_AES_128_CCM_SHA = (TBD, TBD ); > > CipherSuite TLS_ECCPWD_WITH_AES_128_CCM_SHA = (TBD, TBD ); > > CipherSuite TLS_ECCPWD_WITH_AES_128_CCM_SHA256 = (TBD, TBD ); > > CipherSuite TLS_ECCPWD_WITH_AES_256_CCM_SHA384 = (TBD, TBD ); > > Implementations conforming to this specification MUST support the > TLS_ECCPWD_WITH_AES_128_CBC_SHA ciphersuite; they SHOULD support > TLS_ECCPWD_WITH_AES_128_CCM_SHA, TLS_FFCPWD_WITH_AES_128_CCM_SHA, > TLS_ECCPWD_WITH_AES_128_GCM_SHA256, > TLS_ECCPWD_WITH_AES_256_GCM_SHA384; and MAY support the remaining > ciphersuites. Most of those should not be defined in any new document approved by this WG, let alone one based on a low entropy secret. In particular, the SHA1 suites shouldn't be there, and the CBC suites should be scrapped as well. The spec allows for these suites to be negotiated with TLS 1.0-1.1 (hence the CBC), which should just be dropped to focus on TLS 1.2 & TLS 1.3+. The MTI is not even supported by TLS 1.3. Don't define new crypto systems using obsolete crypto systems. I don't see how we could expect any implementations that don't even support TLS 1.2 to implement something new like this, anyway. If this draft moves forward in any way, it should be reduced to AES 128/256 GCM/CCM, with possible addition of a ChaCha/Poly suite. Quoting https://tools.ietf.org/html/draft-ietf-tls-pwd-07#section-1.1 : >1.1. The Case for Certificate-less Authentication > > TLS usually uses public key certificates for authentication > [RFC5246]. This is problematic in some cases: > > o Frequently, TLS [RFC5246] is used in devices owned, operated, and > provisioned by people who lack competency to properly use > certificates and merely want to establish a secure connection > using a more natural credential like a simple password. The > proliferation of deployments that use a self-signed server > certificate in TLS [RFC5246] followed by a PAP-style exchange over > the unauthenticated channel underscores this case. [...] If we're setting up new systems to lower the barrier to entry, ACME is the way to go, not this. Dave
- Re: [TLS] Reminders Dave Garrett
- Re: [TLS] Reminders Benjamin Kaduk
- Re: [TLS] Reminders David Benjamin
- Re: [TLS] Reminders Eric Rescorla
- Re: [TLS] Reminders Watson Ladd
- Re: [TLS] Reminders Anirudh Ramachandran
- [TLS] Reminders Sean Turner