Re: [TLS] A la carte handshake negotiation

Eric Rescorla <ekr@rtfm.com> Sun, 14 June 2015 00:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C7151A8F33 for <tls@ietfa.amsl.com>; Sat, 13 Jun 2015 17:54:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BeoPLwvhBlJc for <tls@ietfa.amsl.com>; Sat, 13 Jun 2015 17:54:52 -0700 (PDT)
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CB5D1A86E6 for <tls@ietf.org>; Sat, 13 Jun 2015 17:54:52 -0700 (PDT)
Received: by wiga1 with SMTP id a1so45436399wig.0 for <tls@ietf.org>; Sat, 13 Jun 2015 17:54:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=VD6qNm0J0MRCHfXYbeG9Al55TU4xsyDo5MFnN+qIRJ4=; b=JxWuSYMiSwE+MdjiagX83JHFzeQKeEcg4v/tMi4A8yoBBHygxnGfuJ0Dn2ERwhM7EE 8OOnk3kqb5t49FWA5NYt5ECLFlTq09S0AlpivfEoRhK1LfaBZvPMmW7c9sBgeGHW13Ux RxPRTReFF0wLmOa8+kV+tAXIR2HGwpbANp+LAwGobfyG5adKMJDZAbAcMpJdLIpOgHuz 5Z5/WLCH+EifhAqVpoiR78rRxhTv/Rz604cA5k7SrhWAcyEEXaiV2G/uyMn7Sv6ep91D /U0hFNgEq6gMNFu0e+s7vOtlM2u368DslvH4F0NFh8NAeYa3Hem0aHgxlLwN62jRBkLo qaSw==
X-Gm-Message-State: ALoCoQl4CuS0kKPvNfH0Wvs7ngMKfLOCbWFp26J7QnoneP/okydC9Ld0lKT69np0T39Ex9wVRvvP
X-Received: by 10.194.79.225 with SMTP id m1mr39749831wjx.8.1434243290856; Sat, 13 Jun 2015 17:54:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.225.14 with HTTP; Sat, 13 Jun 2015 17:54:10 -0700 (PDT)
In-Reply-To: <201506132044.48381.davemgarrett@gmail.com>
References: <201506111558.21577.davemgarrett@gmail.com> <201506131820.09262.davemgarrett@gmail.com> <CABcZeBPWHV6Cq_QxRFpcNybF6=7Zys3skVvd=GK+Q4gVWUizZQ@mail.gmail.com> <201506132044.48381.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 13 Jun 2015 20:54:10 -0400
Message-ID: <CABcZeBO2h20DyrnmSOVFyO=sHRD2UEczziCdjRJxXx_yZmTG+w@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary=047d7b10c903df958405186fc984
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HER58Cct9WLP-f6FHaQ3uPVn1Yc>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] A la carte handshake negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2015 00:54:54 -0000

On Sat, Jun 13, 2015 at 8:44 PM, Dave Garrett <davemgarrett@gmail.com>;
wrote:

> On Saturday, June 13, 2015 06:29:31 pm Eric Rescorla wrote:
> > On Sat, Jun 13, 2015 at 6:20 PM, Dave Garrett <davemgarrett@gmail.com>;
> wrote:
> > > On Saturday, June 13, 2015 04:43:18 pm Salz, Rich wrote:
> > > > > It wouldn't be quite as simple as you propose, though, because we'd
> > > > > definitely have to add a new way to declare anon or PSK support via
> > > > > extensions, but that's doable.
> > > >
> > > > Or we don't support those features in 1.3.  Something we should
> think about?
> > >
> > > Completely dropping support for PSK & anon is not likely to get
> consensus.
> >
> > Certainly not PSK.
>
> Anon could be replaced relatively easily, though: it's essentially just
> null PSK.
>
> Define the null PSK identity to use a null key, and then all (EC)DHE_PSK
> suites can be used similarly to (EC)DH_anon. You just need to have the
> client propose the PSK identity in the ClientHello via an extension, which
> is already on the table in ekr's current WIP branch.
>
> PSK suites could be replaced with a PSK SignatureAlgorithm codepoint in
> “signature_algorithms” extension. (this was suggested by someone at some
> point on this list, but I don't remember where that discussion was, offhand
>

I don't see how this is going to work. All of the PSK cipher suites use the
PSK
as a source of keying material



> With the above, ECDHE_ECDSA becomes the one-true-prefix.


Maybe I'm misunderstanding what you're saying here, but I don't understand
this point. Certainly I don't see any significant support whatsoever for
deprecating RSA
signatures, and given that we just standardized FFDHE, I don't see much
evidence
of consensus for deprecating DHE either.



> Frankly, anything so constrained that it can't use an ECDHE exchange with
> PSK probably has no incentive to upgrade to TLS 1.3, or possibly even to an
> AEAD cipher. I would prefer simply mandating (EC)DHE usage with PSK and
> anything that can't even use the fastest ECDHE curve can stick with TLS
> 1.0-1.2 forever.


I do not support this position. There are plenty of devices which want to
use PSK
only, and we want everyone to upgrade to TLS 1.3.

-Ekr