[TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

Joseph Salowey <joe@salowey.net> Tue, 21 February 2017 18:22 UTC

From: Joseph Salowey <joe@salowey.net>
Date: Tue, 21 Feb 2017 10:22:17 -0800
Message-ID: <CAOgPGoA0tTmwkcC3CPdgUd=6QNTpTxRT8pkXLD-Yezzh05b+KA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c092820f0cbcd05490e76df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/M442CwmUMxrYJR8FjCh3h-a69o4>
Cc: draft-ietf-tls-ecdhe-psk-aead@tools.ietf.org
Subject: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

Here are the open issues for draft-ietf-tls-ecdhe-psk-aead

1.  Why does TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256 use SHA256 instead of
SHA384 like the other 256 bit cipher suites? (From Russ Housley)

2.  Since the security considerations mention passwords (human chosen
secrets) it should mention dictionary attacks. (From Russ Housley)

3.  Sections 2 and 3 of the document contain more detail about TLS 1.3 than
necessary.

Section 2: This document only defines cipher suites for TLS 1.2, not TLS
1.2 or later.  A subset of equivalent cipher suites is defined in the TLS
1.3 specification.

Sections 3 and 4: Maybe replace the last 2 paragraphs with an addition to
section 4 that states:

"TLS 1.3 and above name, negotiate and support a subset of these cipher
suites in a different way."  (TLS 1.3 does not support
TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384
and TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256)

4. Section 3 should contain a bit more detail about relationship to 4492
bis and RFC 4279:

Something like the following may be enough.

"The messages and pre-master secret construction in this document are
based on [RFC4279].  The elliptic curve parameters used in the
Diffie-Hellman parameters are negotiated using extensions defined in
[4492-bis]."

Thanks,

Joe
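An added example, not part of Joe's message or of the draft itself, showing the two mechanics the review points touch: the RFC 4279 pre-master secret layout that point 4 refers to (with the ECDH shared secret Z as the "other_secret", as RFC 5489 does for ECDHE_PSK) and the TLS 1.2 PRF from RFC 5246 Section 5, whose hash is the one a suite name's trailing _SHA256 or _SHA384 selects (the substance of point 1). The secrets and randoms are constructed sample values, and the mapping of the two suite names to a PRF hash is taken from the names as they appear above.

```python
import hmac
import struct

# Constructed sample inputs: not real session values, not from the draft.
ECDH_SHARED_SECRET = bytes(range(32))          # stands in for the ECDH value Z
PSK = b"example-psk-not-a-real-secret"         # pre-shared key, as configured
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

# The trailing hash in a TLS 1.2 suite name names the PRF hash (RFC 5246 Section 5).
# Only the two suites discussed in the message are listed here.
SUITE_PRF_HASH = {
    "TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256": "sha256",
    "TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384": "sha384",
}


def ecdhe_psk_premaster(ecdh_z: bytes, psk: bytes) -> bytes:
    """RFC 4279 Section 2 pre-master layout with other_secret = ECDH Z:
        uint16 len(Z) || Z || uint16 len(PSK) || PSK
    Both components must fit a 16-bit length and be non-empty."""
    for part in (ecdh_z, psk):
        if not 0 < len(part) < 0x10000:
            raise ValueError("component length must be 1..65535 bytes")
    return (struct.pack("!H", len(ecdh_z)) + ecdh_z
            + struct.pack("!H", len(psk)) + psk)


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) from RFC 5246 Section 5:
    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)),
    output = HMAC_hash(secret, A(1) || seed) || HMAC_hash(secret, A(2) || seed) || ...
    truncated to the requested length."""
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:length])


def tls12_prf(hash_name: str, secret: bytes, label: bytes,
              seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_<hash>(secret, label || seed)."""
    return p_hash(hash_name, secret, label + seed, length)


def master_secret(suite: str, ecdh_z: bytes, psk: bytes,
                  client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret (RFC 5246 Section 8.1) derived from the
    ECDHE_PSK pre-master secret using the suite's PRF hash."""
    premaster = ecdhe_psk_premaster(ecdh_z, psk)
    return tls12_prf(SUITE_PRF_HASH[suite], premaster, b"master secret",
                     client_random + server_random, 48)


def derive_for_both_suites() -> dict:
    """Same Z, PSK and randoms under each suite; only the PRF hash differs,
    which is exactly the parameter point 1 of the review asks about."""
    return {
        suite: master_secret(suite, ECDH_SHARED_SECRET, PSK,
                             CLIENT_RANDOM, SERVER_RANDOM)
        for suite in SUITE_PRF_HASH
    }


if __name__ == "__main__":
    pm = ecdhe_psk_premaster(ECDH_SHARED_SECRET, PSK)
    print("premaster:", pm.hex())
    for suite, ms in derive_for_both_suites().items():
        print(suite, "->", ms.hex())
```

The pre-master layout is the part RFC 4279 contributes; the curve negotiation (point 4's second sentence) happens in the ClientHello extensions and does not change these bytes. Swapping SHA256 for SHA384 changes every master secret and, through the key expansion, every record key, which is why the hash suffix is a real protocol parameter rather than a naming convention.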