Re: [TLS] Comments on TLS-ECJ-PAKE draft

Watson Ladd <watsonbladd@gmail.com> Mon, 18 July 2016 14:39 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 385A712DE02 for <tls@ietfa.amsl.com>; Mon, 18 Jul 2016 07:39:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7iJZRFNyd97 for <tls@ietfa.amsl.com>; Mon, 18 Jul 2016 07:39:15 -0700 (PDT)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2110C12DC58 for <tls@ietf.org>; Mon, 18 Jul 2016 07:09:18 -0700 (PDT)
Received: by mail-vk0-x230.google.com with SMTP id x130so240147291vkc.0 for <tls@ietf.org>; Mon, 18 Jul 2016 07:09:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JbK7AovuTSC8QWO1n1ABoUQm19EcvbSnbMi3wY0idBY=; b=lZYomnj+5jrBboaBFKwquW/QdrCbZPNuwHolhdm+SyPOoj9isiu1pD1DJyWVobGHGn W7H2ff1WqofMTCXaSEnHs0UNAfoewG5CipdBrHgNtMZOT0HIH7AYPXGNTAqzquqOB7UG ooV5yb+c5GKutv0PPk1Oj26WJ9CyiG/4LkwGZ51ig5GX2SWtnOYpHFbYHZ0TCsS/bTxN b0Z8FRurE1iXUTxRmTWjXzmYIlbGgjq8kc88r5GqL1ypzFAfNCY1M1dqnJykqO78j9e9 //CPlqJ6wqJV2NU3S+Qtp9pbZxaHOTTcFN0sDQqui26ud8Cvy8OBxUWOufvmJ8enXQ9s 3nSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JbK7AovuTSC8QWO1n1ABoUQm19EcvbSnbMi3wY0idBY=; b=GoVcTGLriMLupg9oV4rs8WmZWWYvnVjU5epEv/ePnWnWw4Dm57UBKz0PyF+Op2XAeo rNk6TgvixGY9nBrUW2TqDsEZ3nibWvNiUeB3kSHgtzzCGh6kjFoZf40II9vabfZNKZk5 GS32GrtL22ES87zHIul8OMxmJczouG6OQ8JrXmRHJ2kuRD4JIKD9K6OmLRHlmaXSA+up kQtXMklL6bMl9iZX49gXH2J6Q4eI1+/ZEkXBz5aKH+j5tVmZwdjGh0GJqpc4U6T2ghII dkoyvULYJp9to8+gRrQn8Qakvnk/RKCk03Wezi41IO2kNxlMfgtBgC5MOQlXCIbmviiK Scuw==
X-Gm-Message-State: ALyK8tIL2DTDMCR2tSbO7thTeGr4lsljfMxc7SX3hyCqVX7aoSzmLtnmh3TCAvA36fk+56V2rape3PyUAXyucg==
X-Received: by 10.31.93.129 with SMTP id r123mr16999810vkb.149.1468850957200; Mon, 18 Jul 2016 07:09:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.194 with HTTP; Mon, 18 Jul 2016 07:09:16 -0700 (PDT)
In-Reply-To: <52173e33a5b14592b16ac6b6eae8fe81.squirrel@www.trepanning.net>
References: <CADrU+d+V3MNuUPp-FmJopS=SRn5Zp673758i5Y+Sg4qP+gUaMA@mail.gmail.com> <52173e33a5b14592b16ac6b6eae8fe81.squirrel@www.trepanning.net>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 18 Jul 2016 07:09:16 -0700
Message-ID: <CACsn0c=6aXuxH-ctZBgw+16wCMpnRUY16OrxF5te5Stf=Kyiiw@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/A-2kyQC98yKdgRfGP5oVWJopN44>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on TLS-ECJ-PAKE draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2016 14:39:17 -0000

On Mon, Jul 18, 2016 at 3:06 AM, Dan Harkins <dharkins@lounge.org>; wrote:
>
>   Hi Robert,
>
>   This draft moves the NamedCurve/EllipticCurveList into the
> ClientHello, and since the client sends X1 and ZKP(X1) in the
> ClientHello it means that is going to be a list of 1. It basically
> moves the client's key exchange portion from ClientKeyExchange into
> ClientHello. So basically, if a client wants to do TLS-ECJ-PAKE
> then that's the only thing it can offer and the parameters of
> that exchange are all selected by the client, not the server.
>
>   This is a fundamental change to TLS. If it's going to be offered,
> it's the only thing that can be offered and therefore the only thing
> that can be used. Seems like for a deployment either it's never used
> or it's the only thing used and that makes it sort of a proprietary
> protocol, not TLS.

This stems from the multiple rounds used in JPAKE. SPAKE2 uses only 2
rounds, and would be easier to put into TLS. I'm still working on the
draft, but haven't gotten to it in a while.

Sincerely,
Watson
>
>   Dan.
>
> On Thu, June 16, 2016 2:51 am, Robert Cragie wrote:
>> I would like to ask the working group for comments on the TLS-ECJ-PAKE
>> draft:
>>
>> https://tools.ietf.org/html/draft-cragie-tls-ecjpake-00
>>
>> Some brief notes:
>>
>> * This intended status is informational.
>> * The draft is based on TLS/DTLS 1.2 as the Thread group required basis on
>> existing RFCs wherever possible. For that reason and due to the WGs focus
>> on TLS 1.3, I have understood from the chairs that it would not have
>> received a great deal of attention from the WG, hence the intended status
>> of informational.
>> * The draft reflects the current use of the TLS_ECJPAKE_WITH_AES_128_CCM_8
>> cipher suite in Thread (http://threadgroup.org/).
>> * There is an experimental implementation in mbed TLS (
>> https://github.com/ARMmbed/mbedtls)
>> * The Thread group would like to get IANA assignments for 4 cipher suite
>> values and one ExtensionType value as soon as possible.
>> * There are at least four independent implementations, which have been
>> used
>> in interop. testing over the last 18 months.
>> * The security considerations recommend restriction of the use of this
>> cipher suite to Thread and similar applications and recommends it should
>> not be used with web browsers and servers (mainly due to the long
>> discussions regarding the use of PAKEs on this and other mailing lists).
>>
>> Robert
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.