Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

"Dang, Quynh (Fed)" <> Thu, 02 March 2017 11:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DE5661297BE for <>; Thu, 2 Mar 2017 03:01:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mHQzQ9FYSSv9 for <>; Thu, 2 Mar 2017 03:01:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DC5B1296F5 for <>; Thu, 2 Mar 2017 03:01:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=hsnxmx9cMie9T1+Te4F1Qw1zNV5eUuPaN9hRfBtPUCA=; b=W+/xqfraHXEeNpqtXfsd/EZBE3X/K1hglVjdwXZjwjnCj1yno8n1DwY3lGAVYBVCUcn/1ewAYaYxfDmRU1A6TQJ6qQvHjK95LwTGQWrVuwTikXvRPn7ahBEUoNdA9I4pRRVd/oXdWNq4GCRO9m/vZ/vDD++Fss51A3zRKejQZYM=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.933.12; Thu, 2 Mar 2017 11:00:59 +0000
Received: from ([]) by ([]) with mapi id 15.01.0933.016; Thu, 2 Mar 2017 11:00:59 +0000
From: "Dang, Quynh (Fed)" <>
To: Martin Thomson <>, "Dang, Quynh (Fed)" <>
Thread-Topic: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).
Thread-Index: AQHSj3N1z8IXvDyfJEuMUkRo/k0w1KF/+8GA//+uQQCAAGYzgP//rheAgABVqwD//68bAAASdHaA//+uLQCAAH7rgIAAkgOA
Date: Thu, 2 Mar 2017 11:00:59 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; CY4PR09MB1462; 7:3wBgkCXzCTsK9Yco7/Pecnp+hnHMKYEMg9QjfGd0/24piOW8Qw6/4c5ngm5ge97eLxXRc9gVVW3/r4F/u8K8UZ4KT+AEo0PPV3WSJ2KaR/xjMVu/olAxXGMIhYFEoZBly++6YfOy3n/nySrNOrwhkyC3fYmV7MG7etTu1Racy9CSFJa70jVSt7RaphruNPXbyZz2ZneTwv4qyF5PT8Xcp3+cYt4ECUK2DJLWspK4bns6olvY6e36f6bYcAP+pkaywwTbv/JwwkEirTtjrNm07TlxCaZ3m9QLPCKOSH+GN119GR0iJ2eKAU0UQsrU9EaJQmVDuZsDPbtIkWyCyEPEeQ==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10019020)(7916002)(39410400002)(39450400003)(39840400002)(39850400002)(39860400002)(24454002)(377454003)(99286003)(6512007)(83506001)(236005)(2900100001)(54896002)(2906002)(39060400002)(4001350100001)(345774005)(189998001)(122556002)(8936002)(77096006)(7736002)(76176999)(54906002)(6486002)(25786008)(3660700001)(229853002)(3280700002)(50986999)(6436002)(36756003)(102836003)(38730400002)(5660300001)(6506006)(86362001)(53546006)(66066001)(106116001)(92566002)(81166006)(54356999)(2950100002)(68736007)(6246003)(8676002)(3846002)(53936002)(6116002)(93886004)(4326008); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR09MB1462;; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
x-ms-office365-filtering-correlation-id: 69fbdab1-3946-40f4-15da-08d4615b68c3
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR09MB1462;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(65766998875637)(155532106045638)(12901024606220)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123560025)(20161123558025)(20161123562025)(20161123564025)(6072148); SRVR:CY4PR09MB1462; BCL:0; PCL:0; RULEID:; SRVR:CY4PR09MB1462;
x-forefront-prvs: 023495660C
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_D4DD63AF31268qdangnistgov_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2017 11:00:59.1484 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR09MB1462
Archived-At: <>
Cc: "" <>, "" <>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Mar 2017 11:01:04 -0000

From: Martin Thomson <<>>
Date: Wednesday, March 1, 2017 at 4:18 PM
To: 'Quynh' <<>>
Cc: Watson Ladd <<>>, "<>" <<>>, "<>" <<>>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

On 2 March 2017 at 05:44, Dang, Quynh (Fed) <<>> wrote:
OK. What is the percentage ? Even all records were small, providing a
correct number would be a good thing. If someone wants to rekey a lot often,
I am not suggesting against that.

It will vary greatly depending on circumstance.  Most of the time the
record size matches the MTU.  Other times it matches the write size,
which can be only a small number of octets.  For bulk transfers it can
approach the record maximum.  All on the same connection sometimes.

I really don't know what you are suggesting here.  The point is the
accounting in terms of records doesn't really give you any insight
into the number of blocks.

Hi Martin,

Thank you for the information.

In the PRs’ discussions, I saw that Brian and Rich wanted blocks. You, Eric and other people were comfortably discussing the issue in term of blocks. Implementing and running TLS were your career, so I made suggestions based on blocks.

Aaron wanted records, so I gave him the equation to figure that out. I did not mean to suggest to use records.