Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
Alyssa Rowan <akr@akr.io> Thu, 27 March 2014 12:59 UTC
Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B9371A068D for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YiAlLCXEnkVg for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:59:09 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 0886B1A00B4 for <tls@ietf.org>; Thu, 27 Mar 2014 05:59:08 -0700 (PDT)
Received: from [10.103.236.114] (94.197.120.139.threembb.co.uk [94.197.120.139]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by entima.net (Postfix) with ESMTPSA id 57E88600FE for <tls@ietf.org>; Thu, 27 Mar 2014 12:59:06 +0000 (GMT)
User-Agent: K-9 Mail for Android
In-Reply-To: <02c101cf49b9$5d080da0$171828e0$@offspark.com>
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <20140326211219.27D281AC7D@ld9781.wdf.sap.corp> <20140327095527.5335c7fa@hboeck.de> <20140327115551.GA24503@randombit.net> <6f43d6c5-b70f-4a80-98e6-f653011317c7@email.android.com> <02c101cf49b9$5d080da0$171828e0$@offspark.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Mar 2014 12:59:02 +0000
To: tls@ietf.org
Message-ID: <3d2bb399-b932-4bc1-89d0-848260e0036d@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BVJTJz86TR4PiL4220QcHg1QviA
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 12:59:10 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 27 March 2014 12:37:43 GMT+00:00, Paul Bakker <p.j.bakker@offspark.com> wrote: >Other key exchanges, such as pure PSK have their value in very-low-resource >situations. Hmm. Where you're low resource enough to have to pre-share keys, you're specifying your own profile because you know exactly what's connecting (otherwise you couldn't pre-share keys with it). I don't think that's suitably applicable to the general profile for TLS on the internet. Maybe, if you're that constrained, you don't *really* want TLS and its x.509 luggage at all: AES-GCM or ChaCha20-Poly1305 and a monotonic counter nonce? And if you want forward security, and you probably should, then you probably want... curve25519. I certainly don't see how that's a good argument for keeping DHE around, which is the fattest of the key exchanges. Seems rather like the opposite, actually. >And I think it's never a good idea to depend on a single key exchange >scheme, for future security robustness. Agreed, which is part of why I suggested ECDHE over *two* curves: djb's fast curve25519, and NIST's already-deployed and 'Suite Beatified' secp256r1. They're fairly different. We can specify further ones in future if (and hopefully in advance of when) problems arise. Specifying several exchanges might potentially make us vulnerable to the difficulties of both, if the attacker gets to pick which. We *should* safely avoid that of course, but it should be kept in mind. - -- /akr -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQI3BAEBCgAhBQJTNCCWGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE jtkWi2t6EzkQAKJJOpH7xSKAzcP+ENVAMtO3wD+u5z2Q8JLPTwGc4+x+vo8hsPk6 rFXqt2311ENAkGdft99eD7n8xSF03a/WVnSNv6pn20XLeJhXiWPyv6m2onL8+Kv0 wAQbkIp6WN1bb4BvlQ9EVYTWFmxIEZpCW7A1ebi95sdi/Z+ctwS6F5AYBn3DQx2Z 2UVGS0idrcXA1F1js31WfPEggYsAf9AH9jpBV6Ya3233KdGYqlptx4o9vLDY3lZn yojcYKPcRg6e1hCGkTUYr/cckj3qnal3oHjKQBrILRysxPKm4KavDzVRjvrMgwBU C4sQP+mQHm9+ynYcYySrur0uD5f8tFdCgYOHJa3gj9eppfufZxt303SOuLbbyW6k Qoryg/YNeZ6kvIyLRqxbVNACBYamNwVZxnNedZm10VfW6FSr7AE1m58PFyCK8Wu2 v7tacmnCVe+zl6KHKLDcnTaS2iRdM1QwUBOoTdcxvlRddzJTPi0cs5ghRbs5ZCpM fTIaNVGcVPx1GuNUpWu6rhA3U+E+oMojmyVMjJEHQWYXryJoi0MCS+TW0MInrGfW uD4qt2P7RltmZw+qsRKuv6yKs+904LpFqsyMZa+DFVMis5ntvBBMIpyp3eNDX8A/ SpqSypLovgVRKc3oA8TTwvTU+jucVDIUHwU2YQC+gr68rI5gg2wmWuL1 =IABy -----END PGP SIGNATURE-----
- [TLS] Confirming Consensus on removing RSA key Tr… Joseph Salowey (jsalowey)
- [TLS] On axing DHE (was: Re: Confirming Consensus… Rene Struik
- Re: [TLS] Confirming Consensus on removing RSA ke… Trevor Perrin
- Re: [TLS] Confirming Consensus on removing RSA ke… Martin Rex
- Re: [TLS] Confirming Consensus on removing RSA ke… Watson Ladd
- Re: [TLS] Confirming Consensus on removing RSA ke… Santosh Chokhani
- Re: [TLS] Confirming Consensus on removing RSA ke… Martin Rex
- Re: [TLS] Confirming Consensus on removing RSA ke… Hanno Böck
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Jack Lloyd
- Re: [TLS] Confirming Consensus on removing RSA ke… Alyssa Rowan
- Re: [TLS] Confirming Consensus on removing RSA ke… Paul Bakker
- Re: [TLS] Confirming Consensus on removing RSA ke… Alyssa Rowan
- Re: [TLS] Confirming Consensus on removing RSA ke… Hanno Böck
- Re: [TLS] Confirming Consensus on removing RSA ke… Johannes Merkle
- Re: [TLS] Confirming Consensus on removing RSA ke… Paul Bakker
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Salz, Rich
- Re: [TLS] Confirming Consensus on removing RSA ke… Watson Ladd
- Re: [TLS] Confirming Consensus on removing RSA ke… Salz, Rich
- Re: [TLS] Confirming Consensus on removing RSA ke… Andy Lutomirski
- Re: [TLS] Confirming Consensus on removing RSA ke… Marsh Ray
- Re: [TLS] Confirming Consensus on removing RSA ke… Daniel Kahn Gillmor
- Re: [TLS] Confirming Consensus on removing RSA ke… Daniel Kahn Gillmor
- [TLS] Negotiated Discrete Log DHE revision [was: … Daniel Kahn Gillmor
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Michael D'Errico
- Re: [TLS] Negotiated Discrete Log DHE revision Michael D'Errico
- Re: [TLS] Negotiated Discrete Log DHE revision Henrick Hellström
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Daniel Kahn Gillmor
- Re: [TLS] Negotiated Discrete Log DHE revision Daniel Kahn Gillmor
- Re: [TLS] Negotiated Discrete Log DHE revision Samuel Neves
- Re: [TLS] Negotiated Discrete Log DHE revision Watson Ladd
- Re: [TLS] Negotiated Discrete Log DHE revision Samuel Neves
- Re: [TLS] Negotiated Discrete Log DHE revision Liz meeks
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Fedor Brunner
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Fedor Brunner
- Re: [TLS] Confirming Consensus on removing RSA ke… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on removing RSA ke… Martin Rex
- Re: [TLS] Confirming Consensus on removing RSA ke… Eric Rescorla
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Kurt Roeckx
- Re: [TLS] Confirming Consensus on removing RSA ke… Daniel Kahn Gillmor
- Re: [TLS] Confirming Consensus on removing RSA ke… Eric Rescorla
- Re: [TLS] Confirming Consensus on removing RSA ke… Kurt Roeckx
- Re: [TLS] Confirming Consensus on removing RSA ke… Eric Rescorla
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Viktor Dukhovni
- Re: [TLS] Confirming Consensus on removing RSA ke… Watson Ladd
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos