Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt

Nikos Mavrogiannopoulos, Tue, 08 November 2016 09:49 UTC

From: Nikos Mavrogiannopoulos <>
To: Daniel Migault <>
Date: Tue, 08 Nov 2016 10:49:07 +0100
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt

On Tue, 2016-11-08 at 03:50 -0500, Daniel Migault wrote:

> Regarding Niko, my understanding is that the WG preferred not to have
> the definition of profiles in this document. I am not sure you wanted
> the text to be removed as MUST NOT was too normative or if you would
> like no recommendation at all. The reason I would rather advocate for
> a recommendation is that ECDHE does not specify an algorithm with a
> specific security. As a result, I would rather provide some
> guidelines to avoid weak authentication being used with long AES
> keys.

That's a valid concern, but TLS doesn't have the notion of a security
level, and I am not sure that you can easily introduce it with a
ciphersuite point assignment RFC. With TLS you can easily use AES-256
with DHE-RSA with DH parameters of 4096 bits, signed with an RSA
certificate of 32 bits. One can use your draft with an 8-bit PSK, and
still be insecure despite the fact that you force a 256-bit curve or
better. When trying to ensure a consistent level you may likely need to
adjust the finished message size as well.

Nevertheless, I think to cover your goal, a security considerations
addition that makes apparent that in addition to the ciphersuite
parameters, the TLS protocol finished message size, the elliptic curves
used, and the size of the selected key define the security level of the
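The weakest-link point made in the mail above, worked through as an added example (this code is not from the thread, the draft, or either poster): every component of a negotiated parameter set is mapped to a strength in bits and the level of the whole set is the minimum. The mapping of RSA and finite-field DH moduli to symmetric-equivalent strength is assumed to follow the NIST SP 800-57 Part 1 comparable-strength table, an elliptic curve over an n-bit field is assumed to give about n/2 bits, a PSK is credited with its entropy in bits, and the Finished verify_data length is counted as a component, following the argument in the mail. The `TlsParams`, `security_level` and helper names are this example's own.

```python
"""Weakest-link estimate of a TLS parameter set's security level.

Added example for this thread, not code from the draft or the posters.
Assumptions: RSA/finite-field DH moduli are mapped to symmetric-equivalent
strength with the NIST SP 800-57 Part 1 comparable-strength table; an
elliptic curve over an n-bit field gives about n/2 bits; a PSK gives its
entropy in bits; the Finished verify_data length in bits is counted as a
component, as the mail above argues it should be.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# NIST SP 800-57 Part 1 comparable strengths: (minimum modulus bits, strength).
_FFC_LEVELS = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))


def ffc_strength(modulus_bits: int) -> int:
    """Symmetric-equivalent strength of an RSA or finite-field DH modulus.

    Rounds down to the nearest table row; anything under 1024 bits is
    treated as contributing nothing (the "32-bit RSA certificate" case).
    """
    for min_modulus, strength in _FFC_LEVELS:
        if modulus_bits >= min_modulus:
            return strength
    return 0


def ecc_strength(field_bits: int) -> int:
    """Generic-group (Pollard rho) bound: roughly half the field size."""
    return field_bits // 2


@dataclass
class TlsParams:
    """One negotiated parameter set; None means the component is absent."""
    cipher_key_bits: int                    # e.g. 256 for AES-256-GCM
    finished_bits: int = 96                 # TLS 1.2 verify_data defaults to 12 bytes
    ecdhe_field_bits: Optional[int] = None  # e.g. 256 for secp256r1
    dhe_modulus_bits: Optional[int] = None  # finite-field DHE group size
    rsa_cert_bits: Optional[int] = None     # modulus of the signing certificate
    psk_entropy_bits: Optional[int] = None  # entropy, not length, of the PSK


def component_strengths(p: TlsParams) -> Dict[str, int]:
    """Per-component strength in bits for every component that is present."""
    out = {"cipher": p.cipher_key_bits, "finished": p.finished_bits}
    if p.ecdhe_field_bits is not None:
        out["ecdhe"] = ecc_strength(p.ecdhe_field_bits)
    if p.dhe_modulus_bits is not None:
        out["dhe"] = ffc_strength(p.dhe_modulus_bits)
    if p.rsa_cert_bits is not None:
        out["rsa_cert"] = ffc_strength(p.rsa_cert_bits)
    if p.psk_entropy_bits is not None:
        out["psk"] = p.psk_entropy_bits
    return out


def security_level(p: TlsParams) -> Dict[str, object]:
    """The set is only as strong as its weakest component."""
    comps = component_strengths(p)
    weakest = min(comps, key=comps.get)
    return {"level": comps[weakest], "weakest": weakest, "components": comps}


if __name__ == "__main__":
    # The two configurations from the mail: strong cipher, worthless auth / PSK.
    print(security_level(TlsParams(256, dhe_modulus_bits=4096, rsa_cert_bits=32)))
    print(security_level(TlsParams(256, ecdhe_field_bits=256, psk_entropy_bits=8)))
    # A sane-looking set where the 96-bit Finished value becomes the floor.
    print(security_level(TlsParams(128, ecdhe_field_bits=256, rsa_cert_bits=3072)))
```

The third call is the case the mail hints at with "adjust the finished message size as well": AES-128, P-256 and RSA-3072 all sit at 128 bits, yet the default 12-byte verify_data is what the estimate reports as the weakest component, so forcing a 256-bit curve on its own does not move the floor.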