Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 29 March 2014 01:33 UTC

Message-ID: <533622F3.2090406@fifthhorseman.net>
Date: Fri, 28 Mar 2014 21:33:39 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <20140326211219.27D281AC7D@ld9781.wdf.sap.corp> <20140327095527.5335c7fa@hboeck.de>
In-Reply-To: <20140327095527.5335c7fa@hboeck.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LzxmcBSbgKrz0KQMbiQGThI2Pn0

On 03/27/2014 04:55 AM, Hanno Böck wrote:
> Apart from the other issues, I think it would make a lot of sense to
> change DHE handling in TLS 1.3 away from "server can have arbitrary
> parameters".

I agree with this.

> The authors of the triple handshake attack have proposed having a set
> of "known good" parameters and I think this is the way to go for TLS
> 1.3 and DHE. It's probably enough to say "we define a 2048 and a 4096
> DH parameter set with tested and known primes" and allow the option to
> easily define more if there ever is a need to say "we need 8192 bit DHE
> now".

I've submitted an initial stab at a proposal for negotiated discrete log
diffie-hellman ciphersuites:

 http://tools.ietf.org/html/draft-gillmor-tls-negotiated-dl-dhe-00

Please send criticism and suggestions.  I've selected the primes using
roughly the same idea as RFC 3526, but rather than using pi as the
"nothing up my sleeve" number, i've used zero (another well-known
infinite sequence).  If people see problems with this or think we should
select the named groups in a different way, i'm happy to hear other
proposals.

regards,

	--dkg
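The RFC 3526-style construction dkg refers to, as an added example (this is not code from the draft, from RFC 3526, or from the message): it rebuilds a candidate prime from a "nothing up my sleeve" seed, searches for the smallest offset X that makes p and (p-1)/2 both prime, and then applies the checks a client restricted to a fixed set of named groups would apply to a server's (p, g) and to a peer's public value. The 256-bit size, the `known_primes` set and all function names are assumptions for a fast demonstration; RFC 3526 groups start at 1536 bits, and a 256-bit group is not usable in practice.

```python
"""Build and validate an RFC 2412/3526-style "nothing up my sleeve" DH group.

Added example, not code from the draft or the e-mail.  Construction (RFC 2412
Appendix E, reused by RFC 3526):
    p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + X)
with X the smallest value making p and q = (p-1)/2 prime.  n = 256 below is an
assumption chosen for speed and is far too small for real use.
"""

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
MASK64 = (1 << 64) - 1


def _arctan_inv(x, prec_bits):
    """Integer-only Taylor series for 2^prec_bits * arctan(1/x)."""
    power, total, k, sign = (1 << prec_bits) // x, 0, 1, 1
    while power:
        total += sign * (power // k)
        power //= x * x
        k, sign = k + 2, -sign
    return total


def pi_fixed(prec_bits):
    """floor(2^prec_bits * pi) via Machin's formula; 32 guard bits absorb truncation error."""
    guard = 32
    v = 16 * _arctan_inv(5, prec_bits + guard) - 4 * _arctan_inv(239, prec_bits + guard)
    return v >> guard


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate here because the inputs are not attacker-chosen."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def nothing_up_my_sleeve_prime(n, seed):
    """seed = floor(2^(n-130) * c) for the chosen constant c (pi for RFC 3526); returns (p, X)."""
    base = (1 << n) - (1 << (n - 64)) - 1 + (seed << 64)
    x = 0
    while True:
        p = base + (x << 64)
        if is_probable_prime((p - 1) // 2) and is_probable_prime(p):
            return p, x
        x += 1


def validate_dh_group(p, g, known_primes, min_bits):
    """What a client limited to known-good groups checks before using (p, g)."""
    if p not in known_primes:
        return False, "unknown group"
    if p.bit_length() < min_bits:
        return False, "too small"
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False, "not a safe prime"
    if not 2 <= g <= p - 2 or pow(g, q, p) != 1:
        return False, "g not in the order-q subgroup"
    return True, "ok"


def validate_peer_public(y, p):
    """Reject 0, 1, p-1 and anything outside the prime-order subgroup."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1


if __name__ == "__main__":
    n = 256
    p, x = nothing_up_my_sleeve_prime(n, pi_fixed(n - 130))
    print(f"X = {x}\np = {p:x}")
    print("p mod 8 == 7, so 2 is a quadratic residue:", p % 8 == 7)
    print(validate_dh_group(p, 2, {p}, n))
    print(validate_dh_group(p + 2, 2, {p}, n))
    print("y = p-1 rejected:", not validate_peer_public(p - 1, p))
```

Two properties of the construction are worth noticing when reading the output. Because the low 64 bits of p are all ones, p is congruent to 7 mod 8, so 2 is a quadratic residue and generates the subgroup of order q rather than the full group; a generator of the full group would leak the low bit of each party's exponent through the Legendre symbol of its public value. And `validate_peer_public` rejects p-1, the only element of order 2, which is what a small-subgroup probe would send; with the RFC 3526-style seed swapped for another constant, only the `seed` argument changes.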