Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

Martin Thomson <martin.thomson@gmail.com> Tue, 19 May 2015 22:14 UTC

To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/F06scYX-oKX6cnLaKbP3dVJHY7E>
Cc: IETF TLS Working Group <tls@ietf.org>

On 19 May 2015 at 14:51, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 2) I question the need for TLS_DHE_ ciphersuites, and I seriously doubt anybody’s going to use those with ChaCha20 “in the wild”. Other than that, I’m all for early assignment as it would allow us to get the algorithms into code-bases and test interoperability quicker.

I tend to agree.  Can someone reply with a brief explanation of why
each of the following is needed?  Hopefully better than what I was
able to devise:

TLS_RSA_WITH_CHACHA20_POLY1305
Because we're scared of ephemeral key exchange for some reason?

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
Because ECDHE is good, and RSA is widespread.

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
Because this is what we actually want.

TLS_DHE_RSA_WITH_CHACHA20_POLY1305
Because we need a backup for EC.

TLS_DHE_PSK_WITH_CHACHA20_POLY1305
Because ECDHE is nice, but we need a backup, even for little things?

TLS_PSK_WITH_CHACHA20_POLY1305
Because little things don't like paying for asymmetric crypto.

TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305
Because little things need nice things too.

TLS_RSA_PSK_WITH_CHACHA20_POLY1305
Because little things like doing bignum exponentiation without any PFS
payoff, but RSA alone isn't "secure enough"?


The thing that concerns me most is that we aren't saying that PFS is
required outside of PSK.  I understand the carve-out we've made for
the little things, but I don't understand why we are defining
RSA-based suites without PFS.

Of comparable concern is the RSA_PSK stuff.  I wasn't around for the
definition of these originally, but they make basically no sense to
me.

I get the DHE_PSK thing if you justify it using the same basis as
DHE_RSA, but it might be that the little things can just take a pass
on PFS without ECDHE.

Would it be unreasonable to cut the list to ... ?
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_DHE_RSA_WITH_CHACHA20_POLY1305
TLS_PSK_WITH_CHACHA20_POLY1305
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305

Also, I'm not against DHE in general, and I think that it's worth
keeping around for a little longer. However.  If we consider DHE_RSA
worth doing, then the only logic I can concoct would provide almost
equal justification for DHE_ECDSA.
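
Added example, not part of the original message or of the draft: a small Python audit that parses the eight suite names listed above, derives forward secrecy from the key-exchange token, and compares the result with the shortened list. The rule in `policy_allows` (PFS required, except for plain PSK) is an assumed reading of the message, and the function names are hypothetical.

```python
from typing import NamedTuple

# Suite names copied from the message above.
PROPOSED = [
    "TLS_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_DHE_PSK_WITH_CHACHA20_POLY1305", "TLS_PSK_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305", "TLS_RSA_PSK_WITH_CHACHA20_POLY1305",
]
CUT_LIST = [PROPOSED[i] for i in (1, 2, 3, 5, 6)]  # the shortened list in the message

class Suite(NamedTuple):
    name: str
    key_exchange: str     # first token: RSA, DHE, ECDHE or PSK
    auth: str             # second token, or the same token when only one is given
    forward_secret: bool  # True only for ephemeral (EC)DH key exchange

def parse_suite(name: str) -> Suite:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher> following the TLS naming convention."""
    prefix, sep, _cipher = name.partition("_WITH_")
    if not sep or not prefix.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    parts = prefix[len("TLS_"):].split("_")
    if len(parts) == 1:          # TLS_RSA_..., TLS_PSK_...
        kx = auth = parts[0]
    elif len(parts) == 2:        # TLS_ECDHE_ECDSA_..., TLS_RSA_PSK_...
        kx, auth = parts
    else:
        raise ValueError(f"unexpected key-exchange field in {name!r}")
    return Suite(name, kx, auth, kx in ("DHE", "ECDHE"))

def policy_allows(suite: Suite) -> bool:
    """Assumed policy: forward secrecy is required, with a carve-out for plain PSK."""
    return suite.forward_secret or suite.key_exchange == "PSK"

def audit(names):
    """Return (allowed, rejected) suite names under policy_allows."""
    suites = [parse_suite(n) for n in names]
    allowed = [s.name for s in suites if policy_allows(s)]
    rejected = [s.name for s in suites if not policy_allows(s)]
    return allowed, rejected

if __name__ == "__main__":
    allowed, rejected = audit(PROPOSED)
    for s in map(parse_suite, PROPOSED):
        mark = "keep" if s.name in allowed else "drop"
        print(f"{mark}  kx={s.key_exchange:<5} auth={s.auth:<5} pfs={s.forward_secret}  {s.name}")
    print("allowed by policy but not in the shortened list:",
          sorted(set(allowed) - set(CUT_LIST)))
```

Under this reading the rule alone removes the RSA and RSA_PSK suites; DHE_PSK passes it and is absent from the shortened list only because of the separate argument about backup key exchanges for constrained devices.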