Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Aaron Zauner <azet@azet.org> Mon, 01 June 2015 20:12 UTC

Message-ID: <556CBCBA.2090109@azet.org>
Date: Mon, 01 Jun 2015 22:12:42 +0200
From: Aaron Zauner <azet@azet.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <556C4ACD.9040002@azet.org> <CABcZeBNsYmto4F-J0mFoxcq-qfL=NJrvDu67fyY9bpBmRp16mQ@mail.gmail.com> <556C51FC.807@azet.org> <87pp5fe3t5.fsf@alice.fifthhorseman.net>
In-Reply-To: <87pp5fe3t5.fsf@alice.fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/DKl3TN1qz8QlCH6JYWi8UIzVeVA>
Cc: Phillip Rogaway <rogaway@cs.ucdavis.edu>, TLS Mailing List <tls@ietf.org>, Charanjit Jutla <csjutla@us.ibm.com>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Hi dkg,

Daniel Kahn Gillmor wrote:
> On Mon 2015-06-01 08:37:16 -0400, Aaron Zauner wrote:
>> Firstly, as far as I know it's also quite difficult to get ECDSA
>> certificates in the wild. Has this changed significantly over the past
>> couple of months?
> 
> I've heard this claim in the past, but i'm not sure what it is based on.
> AFAICT, there are several public CAs who are happy to issue ECDSA
> certificates if you ask them for them.
> 
> In November 2014, i managed to get one from Comodo (or a Comodo
> reseller, i can't keep all the "imprints" and "branding" straight) and
> it took about 20 minutes from start to finish.
> 
> Can you describe how you have tried to get an ECDSA cert, and how those
> attempts failed?
> 

My last attempt must have been a year or more ago. That's absolutely
subjective and from what I've heard from other operators (similar
experiences to those described by Mike Hamburg). Since people were nice
enough to inform me in this thread that, indeed, ECDSA is getting
deployed (as seen in Kario's statistics) and will be used for Let's
Encrypt - I have no problem keeping it in the document!

Aaron