IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Eric Rescorla <ekr@networkresonance.com> Sat, 13 October 2007 07:26 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgbOC-0006Pw-3o; Sat, 13 Oct 2007 03:26:24 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgbOA-0006Pr-Pz for tls-confirm+ok@megatron.ietf.org; Sat, 13 Oct 2007 03:26:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgbOA-0006Pj-GN for tls@lists.ietf.org; Sat, 13 Oct 2007 03:26:22 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgbO9-0000lD-9W for tls@lists.ietf.org; Sat, 13 Oct 2007 03:26:22 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 4343433C28; Sat, 13 Oct 2007 00:22:10 -0700 (PDT)
Date: Sat, 13 Oct 2007 00:22:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <47101BFE.6020300@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <200710122237.30517.nmav@gnutls.org> <20071012200032.70EEA33C23@delta.rtfm.com> <4710000A.7020006@pobox.com> <20071013000010.F21A233C21@delta.rtfm.com> <47101BFE.6020300@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071013072210.4343433C28@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

At Fri, 12 Oct 2007 18:14:38 -0700,
Mike wrote:
> 
> >> I think there is some mis-communication going on.  I have never
> >> even mentioned the IETF standardizing an "indicator" of security
> >> level.  Someone else may have, but I reject that idea as well.
> > 
> > Well, two things seem to be being discussed simultaneously:
> > 
> > 1. Standardizing simplified "levels" of security which correspond to 
> >    cipher suites and key sizes.
> > 
> >     This is purely a documentation issue and doesn't require any
> >     on-the-wire changes to TLS. 
> > 
> > 2. Modifying TLS to allow the client to indicate the size of the
> >    keys/group it would like for each asymmetric algorithm. This
> >    is an on-the-wire protocol change. 
> > 
> > As I understand your messages, you've been endorsing both of these.
> 
> I said above that I reject the idea of standardizing levels.  Why
> don't you believe that? 

Maybe because your writing has been fairly unclear. I read the following
as such an endorsement:

    I think there is good reason to try to solve this problem
    in the TLS layer.  The alternative is to force every TLS-
    enabled application to solve it (and likely they won't
    solve it and be less secure).  Wouldn't it be ideal if an
    application could just say:

         TLS::SetSecurityLevel (3);

If you say it's not, I believe you.

> > I'm against both of these, for related, but distinct reasons.
> > 
> > I'm against the former because I think it's actually very hard to
> > produce any reasonable standardized account of which algorithms and
> > key sizes fit into which level. In any case, this is something that an
> > implementation can easily offer without any standard, it simply will
> > not necessarily have the same level->algorithm mapping as another
> > implementation.
> 
> I said in one of my first messages that this would be implementation
> dependent.

That wasn't clear to me, but fine.


> > I'm against the second because I believe it adds marginal benefit
> > at a significant cost to interoperability and complexity. An 
> > extension like this only makes sense if:
> > 
> > 1. Servers have a number of different kinds of keying material
> >    of different strengths.
> > 2. Clients are in a position to make intelligent choices about
> >    which asymmetric key strengths are appropriate.
> > 
> > In my experience, neither is true. Moreover, it's worth noting
> > that in the current environment any client which attempts to
> > request a key > 1024 bits will find that it can connect to
> > practically nobody. To a first order, this is just another
> > way to create interop problems. 
> 
> Well if you implement TLS 1.1 and expect to connect to anyone,
> you will be disappointed, and yet we're working even on TLS 1.2.

Yes, because it was felt that the attacks on MD5 and SHA-1 
created an important need. Prior to those attacks, I had
every intention of taking TLS 1.1 to draft standard without
change.

-Ekr


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email