IETF Logo Mail Archive

Re: [TLS] AD review of draft-ietf-tls-negotiated-ff-dhe-08

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 03 April 2015 20:48 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0EE71A0162 for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 13:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-fxTFSAIdMb for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 13:48:30 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCE941A0158 for <tls@ietf.org>; Fri, 3 Apr 2015 13:48:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 95D60BECA; Fri, 3 Apr 2015 21:48:28 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gdh3wLEpf7fy; Fri, 3 Apr 2015 21:48:26 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.18.59]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 6D6C3BE38; Fri, 3 Apr 2015 21:48:26 +0100 (IST)
Message-ID: <551EFC9A.8070804@cs.tcd.ie>
Date: Fri, 03 Apr 2015 21:48:26 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, IETF TLS Working Group <tls@ietf.org>
References: <551B3415.5080105@cs.tcd.ie> <2D4BF0F9-E771-4E79-848F-11617E77A36C@ieca.com> <551ED3DD.8080409@cs.tcd.ie> <87wq1t9cnf.fsf@alice.fifthhorseman.net>
In-Reply-To: <87wq1t9cnf.fsf@alice.fifthhorseman.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FO0IvJikI6cnfe88VtcEgZ5FUTE>
Subject: Re: [TLS] AD review of draft-ietf-tls-negotiated-ff-dhe-08
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 20:48:31 -0000


On 03/04/15 21:31, Daniel Kahn Gillmor wrote:
> On Fri 2015-04-03 13:54:37 -0400, Stephen Farrell wrote:
>> On 03/04/15 15:22, Sean Turner wrote:
>>> On Mar 31, 2015, at 19:56, Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie> wrote:
>>>
>>>> #2 I've never quite gotten the reasoning behind not giving any
>>>> names to any of the RFC3526 curves and I think that question
>>>> deserves an answer (to be in the list archive). So - why not?
>>>
>>> Maybe I’m not following but are you asking that we retroactively name
>>> the "4096-bit MODP Group”?
>>
>> Right, that and any others we still like. The thought is that
>> we might get a minor security benefit if the client says that
>> they're ok with e.g. the 2048-bit MODP group thereby causing
>> some server to not try use a custom group or the old smaller
>> groups. (I mean that'd be a minor benefit compared to the
>> current situation, not compared to what the draft proposes.)
>>
>> It's not a major thing as the client can still just check for
>> the RFC3626 groups but I'm not sure how likely it is that'd
>> be done. OTOH, anyone who updates their code to handle this
>> can just as easily adopt the new groups, and I don't think
>> there's any particular benefit to sticking with the RFC3526
>> groups (e.g. there's no dedicated h/w for those I think).
>>
>> So if the answer is "yeah, we considered that and didn't like
>> it because <foo>" that's fine, I just don't recall having seen
>> it on the list.
> 
> There are two concrete (and related) answers in the draft as to why
> we're not importing several pre-existing named groups:
> 
>  https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-08#section-9.5
>  https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-08#section-10.1
> 
> Please let me know if there are any changes that could be made to make
> the situation more clear, or if you disagree with the rationales.

It's not that I disagree with 'em, but I don't find them
that compelling tbh. The best (to me) seems to be that
additional usage in multiple protocols makes for a more
attractive target. But the MODP groups are already used
in TLS, and naming them in this way might reduce the
liklihood that some implementation accepts groups without
checking 'em. (E.g. an updated client would have the code
to check that a known-named group has been selected by
the server, so might benefit even if the server hasn't
been updated).

However, let's proceed and please treat the above as just
another last call comment. In this case, you've responded
already so if nobody else wants to pursue the discussion
then we'll be all set.

S.


> 
>     --dkg
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email