Re: [TLS] A la carte handshake negotiation

Dave Garrett <> Tue, 16 June 2015 19:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 23F5A1B2B48 for <>; Tue, 16 Jun 2015 12:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XYNISAifGWRa for <>; Tue, 16 Jun 2015 12:59:49 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5DE931B2BEF for <>; Tue, 16 Jun 2015 12:59:47 -0700 (PDT)
Received: by qkfe185 with SMTP id e185so14902017qkf.3 for <>; Tue, 16 Jun 2015 12:59:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:mime-version:content-type :content-transfer-encoding:message-id; bh=k2Z15lrkI5LyRQhFJTDDpX6JewcDd4pzDLkMDdemMas=; b=BcHI8pOdiRTeMp03nFfZ04jVuWqOA87AYJO/GmzLw9ZAXDjTdPfVDo6MWC3wQ5JuTU voeM/v4FyqD2vUsuwxsPDigZ+mbSEstTLRUefX5EKTv3XTc1dp3Vz7bYVIU/FNnt0ter 4B9vj3J1+PpCsuGu2BnjvvmmPD7xEAaqhyzDOnlgsV2Qy8D076NpX+CP81Ju7DBe5kpf 69eAiZvhfTlMKXYGs6W1o6ezJ0w/w3NSgD5S0CjFWgmVK4dq8BUAE9vFFxBaLMyzjiGR lAaiwzgCNm4IgKplhekwcc01cg588lx5gIEYPhiJq6dk/QhNWVgg+RL6OpMO83lzkSZC 4zvg==
X-Received: by with SMTP id e205mr3310202qhc.68.1434484786642; Tue, 16 Jun 2015 12:59:46 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id 202sm970859qhy.1.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 16 Jun 2015 12:59:45 -0700 (PDT)
From: Dave Garrett <>
Date: Tue, 16 Jun 2015 15:59:44 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [TLS] A la carte handshake negotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Jun 2015 19:59:51 -0000

There's enough arguments in this thread and the ChaChaPoly thread that anon suites are not the best way to do things. I've cut it from the draft proposal and relegated it to its own section. This would have (EC)DH_anon suites deprecated for TLS 1.3 in favor of raw keys (RFC7250; trust on first use) or (EC)DHE PSK with the identity "anonymous" universally reserved to have a NULL PSK key. (PSK spec wants printable characters for identities) Getting rid of the separate anon suites simplifies things significantly and should be better for its use-cases. New ECDH_anon suites aren't needed anymore, as ECDHE_PSK will suffice. (though, I think ChaChaPoly should probably specify an ECDH_anon suite for TLS 1.2 in the meantime)

There's a little hand-waving in the new anon bit as the PSK side of TLS 1.3 is currently a WIP as-is. (the new method of offering a PSK id is not yet specified, but in WIP)

This draft keeps certificate authenticated suites and PSK suites separate. Attempting to merge everything into one prefix does not appear to be worth the trouble.