Re: [TLS] security levels for TLS
Eric Rescorla <ekr@networkresonance.com> Wed, 10 October 2007 18:07 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IffyR-0000Pu-DR; Wed, 10 Oct 2007 14:07:59 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IffyP-0000Jt-F6 for tls-confirm+ok@megatron.ietf.org; Wed, 10 Oct 2007 14:07:57 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IffyO-0000IQ-Pl for tls@lists.ietf.org; Wed, 10 Oct 2007 14:07:56 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IffyD-00031R-3E for tls@lists.ietf.org; Wed, 10 Oct 2007 14:07:56 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 7ABC533C21; Wed, 10 Oct 2007 11:03:24 -0700 (PDT)
Date: Wed, 10 Oct 2007 11:03:23 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <470D0243.3050009@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071010180324.7ABC533C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Wed, 10 Oct 2007 09:48:03 -0700, Mike wrote: > > There are two aspects to this that I see: > > 1) a TLS client should be configurable such > that it will reject negotiated sessions > that don't satisfy its requirements. The > configurable parameters would include the > minimum acceptable size for RSA and DSA > keys, and DH parameters (p). This can be > done now without any changes to TLS, but > has the problem that several attempts may > be necessary to establish an acceptable > connection. This seems like a perfectly reasonable capability for a developer to provide, I'm not convinced that a developer *should* provide it. In any case, it's not an IETF issue. > 2) a TLS client might want to tell the server > that if TLS_DHE_RSA_WITH_AES_128_CBC_SHA1 > is the negotiated cipher, it will accept > a minimum RSA key size of X and a minimum > DH parameter size of Y. If the server > has several sets of DH parameters (such as > those in RFC 3526), it would select one > that meets the minimum and is smallest for > best performance. If the server doesn't > have the ability to satisfy the minimums, > it could return an insufficient_security > fatal alert. This adds significant complexity for what's in my experience, a non-problem. The vast majority of servers I am familiar with have one and only one set of asymmetric keying material, so selecting it isn't a problem. Moreover, it's simply not the case that one can express the security of an algorithm purely in terms of the number of bits of claimed keying material. Examples include 3DES (112 or 168?, depends on the attack), EC (it's not clear that all groups of the same size are equally secure). Absent some significant evidence that this is a problem in practice, I'm against the TLS WG doing anything along these lines. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman