Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

Martin Thomson, Tue, 19 May 2015 22:14 UTC

On 19 May 2015 at 14:51, Yoav Nir wrote:
> 2) I question the need for TLS_DHE_ ciphersuites, and I seriously doubt anybody’s going to use those with ChaCha20 “in the wild”. Other than that, I’m all for early assignment as it would allow us to get the algorithms into code-bases and test interoperability quicker.

I tend to agree.  Can someone reply with a brief explanation of why
each of the following is needed?  Hopefully better than what I was
able to devise:

Because we're scared of ephemeral key exchange for some reason ?

Because ECDHE is good, and RSA is widespread.

Because this is what we actually want.

Because we need a backup for EC.

Because ECDHE is nice, but we need a backup, even for little things ?

Because little things don't like paying for asymmetric crypto.

Because little things need nice things too.

Because little things like doing bignum exponentiation without any PFS
payoff, but RSA alone isn't "secure enough" ?

The thing that concerns me most is that we aren't saying that PFS is
required outside of PSK.  I understand the carve-out we've made for
the little things, but I don't understand why we are defining
RSA-based suites without PFS.

Of comparable concern is the RSA_PSK stuff.  I wasn't around for the
definition of these originally, but they make basically no sense to

I get the DHE_PSK thing if you justify it using the same basis as
DHE_RSA, but it might be that the little things can just take a pass
on PFS without ECDHE.

Would it be unreasonable to cut the list to ... ?

Also, I'm not against DHE in general, and I think that it's worth
keeping around for a little longer. However.  If we consider DHE_RSA
worth doing, then the only logic I can concoct would provide almost
equal justification for DHE_ECDSA.