Re: [TLS] A la carte handshake negotiation

Dave Garrett <davemgarrett@gmail.com> Wed, 17 June 2015 04:42 UTC

On Tuesday, June 16, 2015 11:59:52 pm Nico Williams wrote:
> PSK with a fixed key is a pointless complexity.  We already have an
> unauthenticated mode; there's no need to replace it with another more
> complicated one.
> 
> > deprecate these suites is that this feature is under-maintained in the
> > spec. There are currently no ECDHE AEAD anon suites. [...]
> 
> We've noted this and asked for them to be registered.  The missing
> assignments do not mean that the feature is unmaintained as
> implemented (it's in use), and as to the spec: we're maintaining it now,
> and a la carte negotiation effectively fixes the missing cipher suite
> assignment issue.

I'm trying to reduce the number of valid prefixes. The anon options are essentially:

1) Merge (EC)DH_anon into ECDHE_PSK & drop all (EC)DH_anon
2) Define all ECDHE_anon & drop all DH_anon

I moved towards #1 in the last revision of the draft because some seemed interested in dropping the feature to reduce overall spec complexity. There's notable disagreement on this list over whether or not the anon suites are worthwhile, so I wrote up what would be needed for it. (e.g. wasn't sure if ChaChaPoly would get an anon assignment)

> Why do even that?

The idea was to get rid of an entire class of suites as a simplification. There seemed to be a desire on list for dropping them. (was brought up by a few)

I think I'll set the anon deprecation part aside and go back to #2, if defining the new suites isn't an issue. I still think they should be actively discouraged in favor of trust on first use.

I'll change the WIP in a bit.


Dave