Re: [TLS] security levels for TLS

Mike <mike-list@pobox.com> Sat, 13 October 2007 00:41 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgV4H-0004bn-Bu; Fri, 12 Oct 2007 20:41:25 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgV4F-0004bM-TH for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 20:41:23 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgV4F-0004Yp-JQ for tls@lists.ietf.org; Fri, 12 Oct 2007 20:41:23 -0400
Received: from sceptre.pobox.com ([207.106.133.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgV48-0003vQ-Iy for tls@lists.ietf.org; Fri, 12 Oct 2007 20:41:18 -0400
Received: from sceptre (localhost.localdomain [127.0.0.1]) by sceptre.pobox.com (Postfix) with ESMTP id 4BD282F0 for <tls@lists.ietf.org>; Fri, 12 Oct 2007 20:40:58 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sceptre.sasl.smtp.pobox.com (Postfix) with ESMTP id 172D7898DB for <tls@lists.ietf.org>; Fri, 12 Oct 2007 20:40:57 -0400 (EDT)
Message-ID: <4710146E.4080909@pobox.com>
Date: Fri, 12 Oct 2007 17:42:22 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com> <20071011155829.965C733C28@delta.rtfm.com> <470EF76B.5050102@pobox.com> <20071012045718.DE16033C21@delta.rtfm.com> <470FB525.7010308@pobox.com> <20071012180445.1D22D33C21@delta.rtfm.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <470FEA1F.7030500@pobox.com> <20071012220036.E3DFC33C21@delta.rtfm.com>
In-Reply-To: <20071012220036.E3DFC33C21@delta.rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

> Note that the server can already maintain multiple keys and choose one
> based on the cipher suite. It's merely that the client can't *directly*
> request specific asymmetric key sizes for DH and RSA.

I'm proposing an extremely simple way to let the client directly
request the desired key sizes.  Isn't that better than hoping that
the server replies with an acceptable key?

>> Negatives:
>>
>>    - effort is needed to write a specification and approve it
>>    - a server may not support the extension, so a client may
>>      have to implement an inefficient renegotiation scheme in
>>      addition anyway
> 
> - It encourages an inappropriate focus on key size. As I said already,
>   There's a lot more to security than key size.

But key size -is- a big part of it, and you should be able to tell
a server what key sizes you want, rather than leave it up to chance.

Let me express this in a different way:

Imagine if TLS already had the ability for a client to specify key
sizes to the server, and I was arguing to get rid of that.  Wouldn't
you think I was crazy for suggesting it?

> - It adds yet more unnecessary complexity to a spec which is already
>   quite complicated. 

I'm aware of how complicated it is.  I'm in the process of trying
to add support for some of the existing extensions such as the
trusted CA indication, and the complexity of that is so much more.

> - It's yet another way to have interop problems.

Isn't every addition?

> - Implementations which want DH key sizes significantly greater than
>   1024 would be better served to move to EC, which already has
>   explicit support for communicating which groups are supported.

And pay someone for the right to generate a self-signed certificate?
If you can do it with EC, why do you argue against doing it for DHE?

>>    - Eric doesn't like it ;-)
> 
> I don't see you getting a lot of support from others, either.

I find myself in this position occasionally, and accept that most
people will stay out of the line of fire.

Mike


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls