Re: [TLS] ban more old crap

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 25 July 2015 05:35 UTC

Date: Sat, 25 Jul 2015 08:35:49 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LL3cbqBStz96PJanQS_r2-J1P1U>
Cc: "tls@ietf.org" <tls@ietf.org>

On Thu, Jul 23, 2015 at 07:10:30PM +0200, Eric Rescorla wrote:
> On Thu, Jul 23, 2015 at 7:06 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
> > A suggestion - could we remove mention of anything that
> > is not a MUST or SHOULD ciphersuite from the TLS1.3 document
> > and then have someone write a separate draft that adds a
> > column to the registry where we can mark old crap as
> > deprecated?
> >
> > Not sure if it'd work though.
> >
> 
> I'm starting to lean towards this. I don't generally think of TLS 1.3 as a
> vehicle for telling people how to configure use of TLS 1.2, and I think it
> might be better to move all that stuff out.

The MUST/SHOULD list is presumably:
{ECDHE_RSA,ECDHE_ECDSA,PSK}*{AES-128-GCM,AES-256-GCM,Chacha20-Poly1305}?

(9 ciphersuites)? Or are there some others there as well (of course, if
new signatures appear and get their own ciphersuites, then three of those
too)?


Then what to mark as deprecated? Everything that doesn't work with TLS
1.3 is a pretty obvious candidate. Which would mean deprecating TLS 1.0 and
1.1, as all ciphersuites for those get deprecated.


Then I made this table of ciphersuites that work with TLS 1.3:

+---------------+-------+-------+-------+-------+
|               |AESGCM |VANITY |AESCCM |CHACHA |
+---------------+-------+-------+-------+-------+
|DHE_RSA        |Y      |Y      |Y      |P      |
|DHE_DSS        |Y      |Y      |Y      |-      |
|DHE_PSK        |Y      |Y      |-      |-      |
|DHE_anon       |Y      |Y      |Y      |-      |
|ECDHE_RSA      |Y      |Y      |-      |P      |
|ECDHE_ECDSA    |Y      |Y      |Y      |P      |
|ECDHE_PSK      |P      |-      |P      |P      |
|ECDHE_anon     |-      |-      |-      |-      |
|ECDHE_ECIDSA   |-      |-      |-      |-      |
|PSK            |Y      |Y      |Y      |P      |
+---------------+-------+-------+-------+-------+

Legend: -      => No active proposal,
        P      => active I-D proposes these,
        Y      => In registry
        AESGCM => AES-GCM ciphers
        VANITY => ARIA and CAMELLIA (GCM). SEED doesn't have AEAD.
        AESCCM => AES-CCM ciphers
        CHACHA => Chacha20-Poly1305.


Comments on some methods:
- DHE_RSA: Uses FFDHE, problematic especially on 1.2 and older.
- DHE_DSS: Virtually nobody uses this or will use this (already removed
  from two major browsers).
- DHE_PSK: IoT type, but I don't think IoT appreciates FFDHE.
- DHE_anon: Anonymous.
- ECDHE_RSA: ECC certs are still much harder to get than RSA.
- ECDHE_anon: Should add if not deprecating anonymous.
- ECDHE_ECIDSA: New signature scheme. Or try merging this with
  ECDHE_ECDSA (requires a bit of bending of 1.2 rules).
- PSK: Needed for resumption in TLS 1.3.


-Ilari
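As an added example (not part of the message above), the script below builds the 9-suite MUST/SHOULD cross product Ilari names, classifies IANA-style suite names by the key-exchange rows and AEAD columns of his table, and audits a constructed server suite list against them. The TLS_<KX>_WITH_<CIPHER> spelling and the treatment of static RSA as absent from the table are assumptions of this example.

```python
import re
from itertools import product

# Added example, not from the message. Suite names follow IANA spelling,
# TLS_<KX>_WITH_<CIPHER>; this mapping of the message's families to registry
# names is an assumption. The MUST/SHOULD set is the 3 x 3 cross product.
KX_MUST_SHOULD = ("ECDHE_RSA", "ECDHE_ECDSA", "PSK")
AEAD_MUST_SHOULD = ("AES_128_GCM_SHA256", "AES_256_GCM_SHA384",
                    "CHACHA20_POLY1305_SHA256")
MUST_SHOULD = frozenset(f"TLS_{kx}_WITH_{aead}"
                        for kx, aead in product(KX_MUST_SHOULD, AEAD_MUST_SHOULD))

# Key-exchange rows of the table; static RSA key exchange is deliberately absent.
TABLE_KX = ("ECDHE_ECDSA", "ECDHE_RSA", "ECDHE_PSK", "ECDHE_anon",
            "DHE_RSA", "DHE_DSS", "DHE_PSK", "DHE_anon", "PSK")

def aead_family(cipher):
    """Map the cipher part of a suite name to a table column, or None if not AEAD."""
    if cipher.startswith("CHACHA20_POLY1305"):
        return "CHACHA"
    m = re.match(r"^(AES|ARIA|CAMELLIA)_(128|256)_(GCM|CCM)", cipher)
    if m is None:               # CBC, RC4, 3DES, NULL ...: no AEAD, so no TLS 1.3
        return None
    if m.group(1) == "AES":
        return "AES" + m.group(3)          # AESGCM or AESCCM
    return "VANITY" if m.group(3) == "GCM" else None   # ARIA / CAMELLIA GCM

def classify(suite):
    """Return (key_exchange, family, status) for one IANA suite name."""
    if suite in MUST_SHOULD:
        kx, cipher = suite[4:].split("_WITH_", 1)
        return kx, aead_family(cipher), "MUST/SHOULD"
    for kx in TABLE_KX:
        if suite.startswith(f"TLS_{kx}_WITH_"):
            family = aead_family(suite[len(kx) + 10:])   # skip "TLS_" + kx + "_WITH_"
            status = "TLS1.3-capable" if family else "deprecation candidate"
            return kx, family, status
    return None, None, "deprecation candidate"      # e.g. static RSA key exchange

def audit(suites):
    """Partition a configured suite list into the three buckets above."""
    buckets = {"MUST/SHOULD": [], "TLS1.3-capable": [], "deprecation candidate": []}
    for s in suites:
        buckets[classify(s)[2]].append(s)
    return buckets

SAMPLE_CONFIG = [   # constructed list resembling a server's offered suites
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CCM",
    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]
```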