Re: [TLS] Fixing TLS
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 14 January 2016 00:14 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D8B01A9067 for <tls@ietfa.amsl.com>; Wed, 13 Jan 2016 16:14:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGzXK8frsenA for <tls@ietfa.amsl.com>; Wed, 13 Jan 2016 16:14:52 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E833D1A906A for <tls@ietf.org>; Wed, 13 Jan 2016 16:14:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1452730492; x=1484266492; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=jzrx/ka5l2+ZrJY9A2PbPYDWtw9LFNZMd9ekd4XsfWU=; b=WvXUhwUlOPMZQnNxzQHAS1UMkm3ieoeeivvVRfDINDlUCkp3H8Qegh/t +mG0jGqzE7evVSo69mEtw7E3uWgEYml82apPLX4w1PQTlsA18mE1gWDmt 1P8zO9Z6ohqC77aaa/4vDdMWogI5XiIwAiyAH28R4bjWe4++hYrwSzke1 gVbVRUaAEHZDkY9qjWzAOFZ8L4lTjdn/hkuD9kp3xu+S0nfr031DzRXTU edqw2P4PK+P2+HKrKg2rw2yX0F403saVN6hZtSx4PNQgzF/LQeDIAij45 YePWjM0ev9mgcdU1GWdJ3gMEKuqppiEOpd0158Z2ec2N64LiiA2LFIZGH g==;
X-IronPort-AV: E=Sophos;i="5.22,291,1449486000"; d="scan'208";a="63021515"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxchange10-fe4.UoA.auckland.ac.nz) ([130.216.4.171]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 14 Jan 2016 13:14:50 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0266.001; Thu, 14 Jan 2016 13:14:49 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Salz, Rich" <rsalz@akamai.com>, Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Fixing TLS
Thread-Index: AdFNQhHrFy3mVBx6TGiPN32I/iztzf//Ww+AgAFZaKb//zG9AIAArXmAgADjpcP//zPZAIABkT2/
Date: Thu, 14 Jan 2016 00:14:48 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BC815F@uxcn10-5.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73F4BC6849@uxcn10-5.UoA.auckland.ac.nz> <9A043F3CF02CD34C8E74AC1594475C73F4BC727B@uxcn10-5.UoA.auckland.ac.nz> <CACsn0ckao2wyptscLq1feQUWyPkkHm6mmarF=7roWv8vGAZkxA@mail.gmail.com>, <1697088.4ma2uCFsM4@pintsize.usersys.redhat.com> <9A043F3CF02CD34C8E74AC1594475C73F4BC7853@uxcn10-5.UoA.auckland.ac.nz>, <94395a3c029c493eb491eb3db90e3ed1@usma1ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <94395a3c029c493eb491eb3db90e3ed1@usma1ex-dag1mb1.msg.corp.akamai.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Lr7VwcPCjzDJelUTRTIUJf_8-ww>
Subject: Re: [TLS] Fixing TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2016 00:14:56 -0000
Salz, Rich <rsalz@akamai.com> writes: >> TLS needs an LTS version that you can just push out and leave to its own >> devices > >So don't you have that with TLS 1.1 and appropriate cipher and option >choices? That's the approach suggested previously by Peter Bowen, assemble it yourself from a huge list of extensions. The problem there is that you're after a fixed, known-good config drawn from the maybe 10 extension-RFCs you'd need to cover (from Peter's post + a few extra to cover new things), I don't want to go through all of those and count up the possible options but I'm pretty sure I'd need to resort to special notation to express the magnitude of combinations once you plug them into the nCk formula. Based on the feedback I've had, I'm kinda tempted to do a TLS 1.2 LTS draft that specifices just a single boolean flag, "use this known-good configuration and not the 6.023e23 other ones and you should be good for the next decade or so". That can then be baked into long-term systems and devices and left alone while people get on with other things. (Speaking of feedback, still got a bucketload of private email to respond to, including stuff from people I didn't know where on the list any more, turns out there's a lot more reading than writing, I'm working through it...). Peter.
- [TLS] Fixing TLS Peter Gutmann
- Re: [TLS] Fixing TLS Dave Garrett
- Re: [TLS] Fixing TLS Yoav Nir
- Re: [TLS] Fixing TLS Ilari Liusvaara
- Re: [TLS] Fixing TLS Peter Bowen
- Re: [TLS] Fixing TLS Watson Ladd
- Re: [TLS] Fixing TLS Eric Rescorla
- Re: [TLS] Fixing TLS Dave Garrett
- Re: [TLS] Fixing TLS Peter Bowen
- Re: [TLS] Fixing TLS Eric Rescorla
- Re: [TLS] Fixing TLS Ilari Liusvaara
- Re: [TLS] Fixing TLS David Benjamin
- Re: [TLS] Fixing TLS Bill Cox
- Re: [TLS] Fixing TLS Dave Garrett
- Re: [TLS] Fixing TLS Andrei Popov
- Re: [TLS] Fixing TLS Bill Cox
- Re: [TLS] Fixing TLS Dave Garrett
- Re: [TLS] Fixing TLS Tony Arcieri
- Re: [TLS] Fixing TLS Eric Rescorla
- Re: [TLS] Fixing TLS Kurt Roeckx
- Re: [TLS] Fixing TLS Eric Rescorla
- Re: [TLS] Fixing TLS Dave Garrett
- Re: [TLS] Fixing TLS Eric Rescorla
- Re: [TLS] Fixing TLS Peter Gutmann
- Re: [TLS] Fixing TLS Watson Ladd
- Re: [TLS] Fixing TLS Martin Rex
- Re: [TLS] Fixing TLS Nikos Mavrogiannopoulos
- Re: [TLS] Fixing TLS SCHWARZ, Albrecht (Albrecht)
- Re: [TLS] Fixing TLS Hubert Kario
- Re: [TLS] Fixing TLS Hubert Kario
- Re: [TLS] Fixing TLS Dmitry Belyavsky
- Re: [TLS] Fixing TLS Hubert Kario
- Re: [TLS] Fixing TLS Hubert Kario
- Re: [TLS] Fixing TLS Peter Gutmann
- Re: [TLS] Fixing TLS Salz, Rich
- Re: [TLS] Fixing TLS Martin Rex
- Re: [TLS] Fixing TLS Peter Gutmann
- Re: [TLS] Fixing TLS Peter Gutmann
- Re: [TLS] Fixing TLS Ilari Liusvaara
- Re: [TLS] Fixing TLS Ilari Liusvaara
- Re: [TLS] Fixing TLS Martin Rex
- Re: [TLS] Fixing TLS Ilari Liusvaara
- Re: [TLS] Fixing TLS Martin Rex