Re: [TLS] Mail regarding draft-ietf-tls-tls13

Ben Personick <ben.personick@iongroup.com> Tue, 19 June 2018 15:17 UTC

From: Ben Personick <ben.personick@iongroup.com>
To: "Salz, Rich" <rsalz@akamai.com>, TLS WG <tls@ietf.org>
Date: Tue, 19 Jun 2018 15:17:26 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LC_M-acZ_lgOuK_LXqTRkVZrXLU>

Hi Rich,
  Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3; I’d been led to believe that all RSA-based ciphers were not supported.

  Having seen some further responses, it appears it is only the NON ECDHE RSA based ciphers which are having support dropped in TLS 1.3.

  I.e. all non-Elliptic Curve Diffie Hellman ciphers (e.g. AES-256 w/o DH, with DH or EDH/DHE, but not ECDHE_RSA).

  And yeah, it’s been my experience everywhere, but I was pretty pumped up to have a better reason to push to start implementing ECDHE_ECDSA ciphers in addition to our existing ciphers.

Ben

From: Salz, Rich [mailto:rsalz@akamai.com]
Sent: Tuesday, June 19, 2018 11:07 AM
To: Ben Personick <ben.personick@iongroup.com>; TLS WG <tls@ietf.org>
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13

>  Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no push to move towards offering them, because of various 'reasons'.

I think you mean ECDH with RSA.  But yes, that’s a common situation, few organizations pay to add security until they’re “forced” to do so.  You’re not alone.