Re: [TLS] A la carte handshake negotiation

Dave Garrett <davemgarrett@gmail.com> Fri, 12 June 2015 15:45 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 12 Jun 2015 11:45:38 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201506111558.21577.davemgarrett@gmail.com> <201506121114.47527.davemgarrett@gmail.com> <20150612153805.GS2050@mournblade.imrryr.org>
In-Reply-To: <20150612153805.GS2050@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201506121145.39429.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EYenJcZcAZIGPpPaRcXKAq2WC_w>
Subject: Re: [TLS] A la carte handshake negotiation

On Friday, June 12, 2015 11:38:05 am Viktor Dukhovni wrote:
> On Fri, Jun 12, 2015 at 11:14:47AM -0400, Dave Garrett wrote:
> > > > * TLS 1.3 would only negotiate suites prefixed with ECDHE_ECDSA or ECDHE_PSK.
> > > 
> > > Where are anonymous (ADH and AECDH) suites?
> > 
> > Still in the spec. I currently have usage of ECDHE_ECDSA or ECDHE_PSK as
> > a "SHOULD", with "MUST NOT" for the explicitly deprecated bits. Anon is
> > effectively a "SHOULD NOT". I don't think we can have an absolute mandate
> > for only certain prefixes with a "MUST", as that would exclude new ones
> > in the future. (e.g. a post-quantum key exchange will likely want to be
> > negotiated with a separate cipher suite)
> 
> Just to confirm, it will be possible to negotiate AECDH and ADH
> key exchange a la carte, separately from the bulk cipher, right?

Sure, no reason why it couldn't be negotiated via the extension for anon. It's not addressed in my draft for this proposal, but that seems like it should be the case. Applying the same logic, only ECDH_anon would be valid as a suite for TLS 1.3+, but EC/FF would be negotiated via the extension.


Dave
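The negotiation model the thread describes, as an added example that is not part of the original message or of any TLS draft: a suite carries only the key exchange/authentication prefix and the bulk cipher, while the actual group (an EC curve or a finite-field DH group) comes from the supported_groups extension, so EC versus FF and the bulk cipher are chosen independently. All suite, group and prefix names are constructed, and the set of "deprecated" prefixes treated as MUST NOT is an assumption made here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Server-side policy modelled on the draft language quoted in the thread:
# ECDHE_ECDSA / ECDHE_PSK are the "SHOULD", anon is effectively "SHOULD NOT",
# and explicitly deprecated prefixes are "MUST NOT". Which prefixes count as
# deprecated is an assumption made here for illustration.
PREFERRED_PREFIXES = ("ECDHE_ECDSA", "ECDHE_PSK")
ANON_PREFIXES = ("ECDH_anon",)
FORBIDDEN_PREFIXES = ("RSA", "DH_RSA", "DHE_RSA")  # assumed "deprecated bits"

# Constructed group names. In the a la carte model EC vs FF is decided here,
# by the supported_groups extension, not by the suite prefix.
EC_GROUPS = frozenset({"secp256r1", "secp384r1", "x25519"})
FF_GROUPS = frozenset({"ffdhe2048", "ffdhe3072"})


@dataclass(frozen=True)
class Suite:
    prefix: str  # key exchange + authentication, e.g. "ECDHE_ECDSA"
    cipher: str  # bulk cipher + hash, e.g. "AES_128_GCM_SHA256"


@dataclass
class ClientHello:
    suites: List[Suite]           # client preference order
    supported_groups: List[str]   # supported_groups extension, client order


def policy(prefix: str) -> str:
    """Map a suite prefix onto the RFC 2119 level the thread describes."""
    if prefix in FORBIDDEN_PREFIXES:
        return "MUST NOT"
    if prefix in ANON_PREFIXES:
        return "SHOULD NOT"
    if prefix in PREFERRED_PREFIXES:
        return "SHOULD"
    # Unknown or future prefixes (e.g. a post-quantum exchange) are not banned,
    # which is the thread's argument against a closed "MUST" list.
    return "MAY"


def negotiate(hello: ClientHello, server_suites: List[Suite],
              server_groups: List[str],
              allow_anon: bool = False) -> Optional[Tuple[Suite, str]]:
    """Return (suite, group) or None, choosing each independently.

    The suite fixes authentication mode and bulk cipher; the group fixes
    whether the ephemeral exchange is EC or finite-field. Server preference
    order wins for both selections."""
    group = next((g for g in server_groups if g in hello.supported_groups), None)
    if group is None:
        return None  # no common group: nothing in the suite list can fix that
    for suite in server_suites:
        if suite not in hello.suites:
            continue
        level = policy(suite.prefix)
        if level == "MUST NOT":
            continue  # deprecated: never selected
        if level == "SHOULD NOT" and not allow_anon:
            continue  # anon only if the operator explicitly opted in
        return suite, group
    return None


def exchange_family(group: str) -> str:
    """Which kind of ephemeral exchange the negotiated group implies."""
    if group in EC_GROUPS:
        return "EC"
    if group in FF_GROUPS:
        return "FF"
    return "unknown"


# Constructed sample ClientHello and server configuration.
SAMPLE_HELLO = ClientHello(
    suites=[
        Suite("RSA", "AES_128_CBC_SHA"),              # deprecated, must be skipped
        Suite("ECDHE_ECDSA", "AES_128_GCM_SHA256"),
        Suite("ECDH_anon", "AES_128_GCM_SHA256"),
    ],
    supported_groups=["ffdhe2048", "x25519"],
)
SERVER_SUITES = [
    Suite("RSA", "AES_128_CBC_SHA"),
    Suite("ECDHE_ECDSA", "AES_128_GCM_SHA256"),
    Suite("ECDH_anon", "AES_128_GCM_SHA256"),
]

if __name__ == "__main__":
    # Same suite list, different server group preferences: the suite stays the
    # same while the exchange flips between EC and FF.
    for groups in (["x25519", "ffdhe2048"], ["ffdhe3072", "ffdhe2048"]):
        chosen = negotiate(SAMPLE_HELLO, SERVER_SUITES, groups)
        print(groups, "->", chosen, exchange_family(chosen[1]) if chosen else "")
```

Running the demo shows the point of the thread: the ECDHE_ECDSA suite is selected in both runs, but the first negotiates x25519 (EC) and the second ffdhe2048 (FF) purely through the extension; the deprecated RSA suite is never chosen even though both sides list it, and the anon suite is only reachable when the server passes `allow_anon=True`.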