Re: [TLS] [Cfrg] 3DES diediedie

Dave Garrett <> Wed, 07 September 2016 00:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 43D2D12B3BD for <>; Tue, 6 Sep 2016 17:17:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iSeFLEpsEhUI for <>; Tue, 6 Sep 2016 17:17:33 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9C71912B428 for <>; Tue, 6 Sep 2016 17:17:32 -0700 (PDT)
Received: by with SMTP id t7so236040446qkh.1 for <>; Tue, 06 Sep 2016 17:17:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=GTzQXewXtPXZQn2WKac0DRpew8Wj2b45RHbtb/jof7s=; b=Hu7k00+BCmVJFUCgyKH0fDJ+rHUnyCSr6+TUGoGFCqPFSauX9lIOg7Gih2EyWli5QJ xKXlCLv4qyoDsfRca+k+cZMkBsLokUw4EF+HguDEcbGdrvHu+bRowVlqmZHPOaU9hB0Z hp4X5epKOkg1iyTg+lhEQJqwSE1OUjxRq/u3I6xtSOB5FdFUAey0xqvu8Llz9mQfo90N mCyuOuK7H9X8qhTAFcB8pZ3Xi/6WTpEJW+4s+rP8xqupaquMaDlCGVWQrXEx6tv2kLGj 1Dx3X44IQMFNWjRb+hheyocDJKkpxx8gCPEj4MZb9ZrxT4sIr9rhB+/ZFWgxp3chPClm B/FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=GTzQXewXtPXZQn2WKac0DRpew8Wj2b45RHbtb/jof7s=; b=SXZkUlJZVtE641UKd7+4ZtY/HHrcNn2atyZSJk7uD4eQj8ndsI/KkRMFA8FktvsRdP 90l39txiAD05vrkSuLjPyk4nzfDl3gLZQxROavebbJKX4UthO5KJhlFBRcZxQL1Nq5Se dElPw6gn+meLCTkqL9GAspErVJkQQ1KYlQSbleJcgXfcmnHf7v/agRwG9l6tifxOfpl5 NNRI3c5El6cJftmvdtbWcXCs8M3uR69KxX2fG4mfhkV+OvboHrriOxvQP/3DA+V+Vkbk OGpUYi7PxSrzuPKYtfRru3nFo4aeF11uy152u0SfBygxrelFmDnqBGTu6Nj5ThFTsINb TqWQ==
X-Gm-Message-State: AE9vXwPBIJGgBckS7JTMO63IDj3I34WbwBGmgOVA+ROVtBnOYiviEXQhcvSuR11gQO1qww==
X-Received: by with SMTP id a10mr32577857qkc.123.1473207451638; Tue, 06 Sep 2016 17:17:31 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id t29sm7911770qtb.10.2016. (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 06 Sep 2016 17:17:30 -0700 (PDT)
From: Dave Garrett <>
Date: Tue, 6 Sep 2016 20:17:29 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Cc:, Derek Atkins <>, Hilarie Orman <>
Subject: Re: [TLS] [Cfrg] 3DES diediedie
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Sep 2016 00:17:34 -0000

On Tuesday, September 06, 2016 04:40:30 pm Derek Atkins wrote:
> Ben Laurie <> writes:
> >     An ARM is far too much hardware to throw at "read sensor/munge data/send
> >     data".
> >
> > The question is not "how much hardware?" but "price?" - with  ARMs including h
> > /w AES coming in at $2 for a single unit, its hard to explain why you\d want
> > to use a less powerful CPU...
> Because this is a light bulb that sells for $6-10.  Adding $2 to the price
> is just completely unreasonable.  The price point needs to be pennies.
> Note that this is just one example, but yes, these level of products are
> getting "smarter" and we, as security professionals, should encourage
> "as strong security as possble" without getting the manufacturers to
> just say "sorry, too expensive, I'll go without."  (which is,
> unfortunately, exactly what's been happening)

Personally, I'd just say "stop putting chips in light bulbs", instead. Companies making these things are unfortunately just not going to be making good security decisions. Bad or no security is cheaper than competent security, and selling light bulbs with bad security is not illegal. We'll be more successful focusing our effort on dealing with light bulb botnets than trying to get people to make secure "smart" light bulbs. There is no good solution on our end, and debating the price of chips for light bulbs is not a good way to make security decisions in TLS.