Re: [TLS] security levels for TLS
Eric Rescorla <ekr@networkresonance.com> Sat, 13 October 2007 07:26 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgbOC-0006Pw-3o; Sat, 13 Oct 2007 03:26:24 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgbOA-0006Pr-Pz for tls-confirm+ok@megatron.ietf.org; Sat, 13 Oct 2007 03:26:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgbOA-0006Pj-GN for tls@lists.ietf.org; Sat, 13 Oct 2007 03:26:22 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgbO9-0000lD-9W for tls@lists.ietf.org; Sat, 13 Oct 2007 03:26:22 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 4343433C28; Sat, 13 Oct 2007 00:22:10 -0700 (PDT)
Date: Sat, 13 Oct 2007 00:22:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <47101BFE.6020300@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <200710122237.30517.nmav@gnutls.org> <20071012200032.70EEA33C23@delta.rtfm.com> <4710000A.7020006@pobox.com> <20071013000010.F21A233C21@delta.rtfm.com> <47101BFE.6020300@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071013072210.4343433C28@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Fri, 12 Oct 2007 18:14:38 -0700, Mike wrote: > > >> I think there is some mis-communication going on. I have never > >> even mentioned the IETF standardizing an "indicator" of security > >> level. Someone else may have, but I reject that idea as well. > > > > Well, two things seem to be being discussed simultaneously: > > > > 1. Standardizing simplified "levels" of security which correspond to > > cipher suites and key sizes. > > > > This is purely a documentation issue and doesn't require any > > on-the-wire changes to TLS. > > > > 2. Modifying TLS to allow the client to indicate the size of the > > keys/group it would like for each asymmetric algorithm. This > > is an on-the-wire protocol change. > > > > As I understand your messages, you've been endorsing both of these. > > I said above that I reject the idea of standardizing levels. Why > don't you believe that? Maybe because your writing has been fairly unclear. I read the following as such an endorsement: I think there is good reason to try to solve this problem in the TLS layer. The alternative is to force every TLS- enabled application to solve it (and likely they won't solve it and be less secure). Wouldn't it be ideal if an application could just say: TLS::SetSecurityLevel (3); If you say it's not, I believe you. > > I'm against both of these, for related, but distinct reasons. > > > > I'm against the former because I think it's actually very hard to > > produce any reasonable standardized account of which algorithms and > > key sizes fit into which level. In any case, this is something that an > > implementation can easily offer without any standard, it simply will > > not necessarily have the same level->algorithm mapping as another > > implementation. > > I said in one of my first messages that this would be implementation > dependent. That wasn't clear to me, but fine. > > I'm against the second because I believe it adds marginal benefit > > at a significant cost to interoperability and complexity. An > > extension like this only makes sense if: > > > > 1. Servers have a number of different kinds of keying material > > of different strengths. > > 2. Clients are in a position to make intelligent choices about > > which asymmetric key strengths are appropriate. > > > > In my experience, neither is true. Moreover, it's worth noting > > that in the current environment any client which attempts to > > request a key > 1024 bits will find that it can connect to > > practically nobody. To a first order, this is just another > > way to create interop problems. > > Well if you implement TLS 1.1 and expect to connect to anyone, > you will be disappointed, and yet we're working even on TLS 1.2. Yes, because it was felt that the attacks on MD5 and SHA-1 created an important need. Prior to those attacks, I had every intention of taking TLS 1.1 to draft standard without change. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman