[TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Tue, 23 May 2017 02:11 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B12C3128656; Mon, 22 May 2017 19:11:59 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Eric Rescorla <ekr@rtfm.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tls-ecdhe-psk-aead@ietf.org, Joseph Salowey <joe@salowey.net>, tls-chairs@ietf.org, joe@salowey.net, tls@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.51.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <149550551972.4974.3201248950751611020.idtracker@ietfa.amsl.com>
Date: Mon, 22 May 2017 19:11:59 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FQNgMw3GHfMxzKGE9qSo1iSa9F8>
Subject: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 02:12:00 -0000
Eric Rescorla has entered the following ballot position for draft-ietf-tls-ecdhe-psk-aead-04: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- The following text appears to have been added in -04 A server receiving a ClientHello and a client_version indicating (3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from this document in ClientHello.cipher_suites can safely assume that the client supports TLS 1.2 and is willing to use it. The server MUST NOT negotiate these cipher suites with TLS protocol versions earlier than TLS 1.2. Not requiring clients to indicate their support for TLS 1.2 cipher suites exclusively through ClientHello.client_hello improves the interoperability in the installed base and use of TLS 1.2 AEAD cipher suites without upsetting the installed base of version-intolerant TLS servers, results in more TLS handshakes succeeding and obviates fallback mechanisms. This is a major technical change from -03, which, AFAIK, prohibited the server from negotiating these algorithms with TLS 1.1 and below and maintained the usual TLS version 1.2 negotiation rules. This is a very material technical change. I don't consider it wise, but in any case it would absolutely need WG consensus, which I don't believe that it has given the recent introduction. The discussion of dictionary attacks here seems inferior to that in 4279. In particular, you only need to actively attack one connection to capture the data you need for a brute force attack despite the text there referring to trying "different keys". Please correct that. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- The citations to TLS 1.3 still seem pretty muddled. I think you should just stop referencing and discussing 1.3. S 2. I'm not sure that the discussion of the PRF is helpful here in mandating the non-use of these cipher suites with TLS 1.1 and below.
- [TLS] Eric Rescorla's Discuss on draft-ietf-tls-e… Eric Rescorla
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Eric Rescorla
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Eric Rescorla
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Joseph Salowey
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Joseph Salowey
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Thomson
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Daniel Migault
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Watson Ladd
- Re: [TLS] Eric Rescorla's Discuss on draft-ietf-t… Martin Rex