[TLS] IANA questions (was Re: changes to draft-ietf-tls-negotiated-ff-dhe-09)

Sean Turner <turners@ieca.com> Fri, 15 May 2015 09:43 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id C488D1AD080 for <tls@ietfa.amsl.com>; Fri, 15 May 2015 02:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.332
X-Spam-Status: No, score=0.332 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2Bmr5acc9E1g for <tls@ietfa.amsl.com>; Fri, 15 May 2015 02:43:24 -0700 (PDT)
Received: from gateway16.websitewelcome.com (gateway16.websitewelcome.com []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 459FD1ACDA7 for <tls@ietf.org>; Fri, 15 May 2015 02:43:24 -0700 (PDT)
Received: by gateway16.websitewelcome.com (Postfix, from userid 5007) id 44934B90C541C; Fri, 15 May 2015 04:43:23 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com []) by gateway16.websitewelcome.com (Postfix) with ESMTP id 33D5AB90C53FE for <tls@ietf.org>; Fri, 15 May 2015 04:43:23 -0500 (CDT)
Received: from [] (port=52855 helo=[]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1YtC9K-0003w3-RH for tls@ietf.org; Fri, 15 May 2015 04:43:23 -0500
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <873831bh3y.fsf@alice.fifthhorseman.net>
Date: Fri, 15 May 2015 11:43:18 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F8DEA05-0BC6-464E-8E6A-BF762484E039@ieca.com>
References: <873831bh3y.fsf@alice.fifthhorseman.net>
To: IETF TLS Working Group <tls@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Exim-ID: 1YtC9K-0003w3-RH
X-Source-Sender: ([]) []:52855
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8hImnzH8bIvNwzdFwGrAsHLBK34>
Subject: [TLS] IANA questions (was Re: changes to draft-ietf-tls-negotiated-ff-dhe-09)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 09:43:25 -0000

During the review process, IANA regularly verifies that they understand what they’re do wrt any IANA assignments noted in the IANA considerations section.  Their questions got us to thinking about the following two points:

1. Currently the registry in which the FFDHE groups will be added is named "EC Named Curve Registry.”  Now that we’re adding DH groups into that registry it would be clearer if it were renamed “Supported Groups Registry”.  This change does not affect interoperability, it only impacts the name of the registry.  We can also get them to add a note that indicates this registry was renamed, i.e., “Renamed from EC Named Curve Registry” so folks can follow along. The registry can be found here:

2.  The “Extensions Type” registry associated with this extension is “elliptic_curves”, see value #10 in the registry, this should/could also be changed to “supported_groups”.  The registry can be found here:

If you object to these changes please let us know by May 20th.


On May 12, 2015, at 23:50, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> Hi TLS folks--
> As a result of ongoing feedback, i've made several more minor changes to
> draft-ietf-tls-negotiated-ff-dhe, which are now visible in version 09 of
> that document.
> There were several minor nits addressed, but the following minor changes
> are slightly more than nits:
> * the draft clarifies that the named ffdhe* groups do have a small
>   subgroup, but that it is easily avoided (as opposed to custom groups,
>   in which possible small subgroups are either unknown or expensive to
>   avoid).  
> * slight tuning of some of the RFC 2119 language.
> * explicitly relaxing the old requirement that the Supported Groups
>   extension needed to be sent only when ECDHE ciphersuites were
>   offered, which no one appears to have followed anyway
> * Added a new section describing local policy for compatible clients
>   that are considering accepting custom groups from the server, with
>   baseline guidance for how to protect users by at least ensuring that
>   the length of the group is minimally strong (no attempt is made to
>   enumerate all possible local policy or to claim there is only one
>   legitimate local policy).
> * encourage bounds checking of the public share against the group
>   modulus, regardless of whether a named group is used.
> Thanks to all the folks who gave feedback on the draft.
> Regards,
>        --dkg
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls