Re: [TLS] Call for WG adoption of draft-mattsson-tls-ecdhe-psk-aead

Nikos Mavrogiannopoulos <> Tue, 26 April 2016 14:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 50AB612D1D4 for <>; Tue, 26 Apr 2016 07:05:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.918
X-Spam-Status: No, score=-7.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lsH-U_f8xhub for <>; Tue, 26 Apr 2016 07:05:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1644A12D1B2 for <>; Tue, 26 Apr 2016 07:05:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C05C846291; Tue, 26 Apr 2016 14:05:49 +0000 (UTC)
Received: from ([]) by (8.14.4/8.14.4) with ESMTP id u3QE5l2t023776 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 26 Apr 2016 10:05:49 -0400
Message-ID: <>
From: Nikos Mavrogiannopoulos <>
To: Sean Turner <>, tls <>
Date: Tue, 26 Apr 2016 16:05:47 +0200
In-Reply-To: <>
References: <>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on
Archived-At: <>
Subject: Re: [TLS] Call for WG adoption of draft-mattsson-tls-ecdhe-psk-aead
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Apr 2016 14:05:56 -0000

On Mon, 2016-04-25 at 08:17 -0700, Sean Turner wrote:
> All,
> draft-mattsson-tls-ecdhe-psk-aead includes some cipher suites that
> are needed for TLS1.3.  We need to get these officially registered so
> the chairs would like to hear whether there is WG support for
> adopting draft-mattsson-tls-ecdhe-psk-aead. Please let us know
> whether you:

I support this draft. However see comment below.

The text: "For the AES-128 cipher suites, the TLS Pseudorandom Function
(PRF) with SHA-256 as the hash function SHALL be used and Clients and
Servers MUST NOT negotiate curves of less than 255 bits." is very

Implementations do not restrict ciphersuites based on curves (there is
no such notion in TLS, nor mentioned in rfc4492), and I cannot even
think how a TLS handshake implementation would look like if each
different ciphersuite has specific curve requirements.

Note that this requirement is unlike the suiteB RFC (rfc6460) that also
restricts the curves. SuiteB specifies a profile/set of parameters
which include ciphersuites, while this draft only defines ciphersuite
code points.

If a side goal of this draft is to deprecate the <255 bit elliptic
curves from TLS 1.2, or to unify security levels across ciphersuites
then I'd recommend to do that with a separate RFC rather than bundling
it into a code-point assignment RFC.