Re: [TLS] TLS Profiles (Was: Call for consensus to remove anonymous DH)

Martin Thomson <martin.thomson@gmail.com> Wed, 16 September 2015 17:44 UTC

To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FarbaAT3LGfoE7G58oybRWPPEkc>
Cc: "tls@ietf.org" <tls@ietf.org>

On 16 September 2015 at 08:02, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>HTTP-2 did this kind of thing, and IIRC are the first to do so.
>
> Some PKI standards have done it too, but mostly because the base standard was
> such a mess that you needed a profile just to sort out what needed to be
> implemented for anything to work (for some level of "work").  They're such a
> design counterexample that I didn't want to mention them in my original
> message :-).


Yes.  I wouldn't recommend following this path to others; it's not
easy and the return on that investment isn't all good.  The mess we
were attempting to clean up with HTTP/2 was the state of TLS
deployment on the web, not so much the spec itself.