Re: [TLS] TLS 1.2 Long-term Support Profile draft posted
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 19 March 2016 09:31 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB58112D5A3 for <tls@ietfa.amsl.com>; Sat, 19 Mar 2016 02:31:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OaRxwQVEMZgG for <tls@ietfa.amsl.com>; Sat, 19 Mar 2016 02:30:58 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6F7112D591 for <tls@ietf.org>; Sat, 19 Mar 2016 02:30:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1458379857; x=1489915857; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=y6rNcdFSc2DqNh8wl83qQlMY+/kwqXsXLcZK0RsfGY4=; b=pQMIlcRqbfaIvEjxFFF7JlEieRI7NlbHL1Oaq8Uxi4LGDN99Qlw3jO6x QwppaCFVjZ95gZ83pygtYVOgjTL8KTzNmfkRaQGuBZjYwjX5ynbUZe8aU UGVhkntcXArB8K3m7QpB6GqzuZKD1dowzx7sBwgJWiaonzLj8NfYKTKL/ h0dty4WwMADn92npk2TU6qLjhwzMflVG8i2jYvZhckMtyWNU/G51OCtBl GW5XbUaeCst2B34zDYdo0pFD65yjP5ZvHoqyc/WfC8mjCRClwZ+E70coF DqZ7CyjyT90c4RJcHuODK0y37FAEvDUXWYcBzyQEFaJhlbTErvKGmJsMA w==;
X-IronPort-AV: E=Sophos;i="5.24,360,1454929200"; d="scan'208";a="75186239"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 19 Mar 2016 22:30:26 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.241]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0266.001; Sat, 19 Mar 2016 22:30:26 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] TLS 1.2 Long-term Support Profile draft posted
Thread-Index: AdF/gGiJXC2ZI/lER3iVToFYg5p2ev//TwgAgAOYO3D//9JUAIAByROr
Date: Sat, 19 Mar 2016 09:30:26 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4C26CD5@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73F4C2374E@uxcn10-tdc05.UoA.auckland.ac.nz> <CACsn0cks1tvdcYkVRj9r3TZe1GEcNA5f2x14PQntk3j1Ws+rPg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C25E6A@uxcn10-tdc05.UoA.auckland.ac.nz>, <1561199.VzgNuqeJQW@pintsize.usersys.redhat.com>
In-Reply-To: <1561199.VzgNuqeJQW@pintsize.usersys.redhat.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.6.3.2]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/5XaPdf1JdMAWKeznUf9kaaBEPG0>
Subject: Re: [TLS] TLS 1.2 Long-term Support Profile draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Mar 2016 09:31:03 -0000
Hubert Kario <hkario@redhat.com> writes: >also, if it really is supposed to be Long Term Support, why it doesn't say >anything about implementation explicitly being able to handle big key sizes? >both RSA and DHE? I've deliberately avoided getting into that because it's such a rathole, you've got everything from the NIST numerologists at one extreme to the "good enough for now" folks at the other, and you'll never get any consensus because there are completely different worldviews involved. A possible median is: Implementations SHOULD choose public-key algorithm key sizes that are appropriate for the situation, weighted by the value of the information being protected, the probability of an attack, and the ability of the hardware to deal with large keys. For example a SCADA system being used to switch a ventilator on and off doesn't require anywhere near the keysize-based security of a system used to transfer classified information. One way to avoid having to use very large public keys is to switch keys periodically. This can be done by regenerating DH parameters in a background thread and rolling them over from time to time, or if this isn't possible, by pre-generating a selection of DH parameters and choosing one at random for each new handshake, or again rolling them over from time to time. >I might have missed, but where is the specification of the acceptable >signature algorithms (hash especially) on Server and Client Key Exchange >messages? That's implicit in the cipher suites, RSA or ECDSA + SHA256. Peter.
- [TLS] TLS 1.2 Long-term Support Profile draft pos… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Watson Ladd
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Wan-Teh Chang
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Paterson, Kenny
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Watson Ladd
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Paterson, Kenny
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Sven Schäge
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Ilari Liusvaara
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Karthikeyan Bhargavan
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Karthikeyan Bhargavan
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Eric Rescorla
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… D. J. Bernstein
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Joachim Strömbergson
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Salz, Rich
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Yoav Nir
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Tony Arcieri
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Tony Arcieri
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Joachim Strömbergson
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Hubert Kario
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile draft… Henrick Hellström
- [TLS] TLS 1.2 Long-term Support Profile vs HTTP/2… Nikos Mavrogiannopoulos
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Dave Garrett
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Peter Gutmann
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Martin Thomson
- Re: [TLS] TLS 1.2 Long-term Support Profile vs HT… Yoav Nir