Re: [TLS] Consensus Call on MTI Algorithms
Watson Ladd <watsonbladd@gmail.com> Fri, 03 April 2015 13:55 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 920941A92FA for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 06:55:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id irKeFxIcfSiK for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 06:55:33 -0700 (PDT)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B9371A8A94 for <tls@ietf.org>; Fri, 3 Apr 2015 06:55:33 -0700 (PDT)
Received: by wgin8 with SMTP id n8so22265644wgi.0 for <tls@ietf.org>; Fri, 03 Apr 2015 06:55:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=sVAzN9YGrgPJtxGyN300TIsiNmMWJrgcVCDpq9wnCHU=; b=xN9XX9XjFT97+ils01hbIO+8E2vhJaKlCOcB7A44qQHhxJdM+7sUhsFKjyp3sYmIXH 9rzOoJA0bq1KOl4PkY8e499Mj2w2mplY6oGOGC5zoVAI9ZsS3QRoDZGyyiA2Recq/65s cl389Fsq+9EnqCdG2WeXvpANL3JkeaDlS9B2FvZTUTLGYQlUjG8JtvauzHhRwXzbunnT /uLfGA6TrEZYdLrMUOSe0hZnX+k1Z8Nge7yQ6QKBwd+yJBtcGCexwu9oB/TQfNijw9hp dgg4HHObyxHs3Pkkt5ej/5EjekICHP8fbq1feJEiMfgFqZ6TARihMYuGexeXyzBUUNQ7 OsZw==
MIME-Version: 1.0
X-Received: by 10.180.206.13 with SMTP id lk13mr5681486wic.35.1428069332236; Fri, 03 Apr 2015 06:55:32 -0700 (PDT)
Received: by 10.194.136.233 with HTTP; Fri, 3 Apr 2015 06:55:32 -0700 (PDT)
In-Reply-To: <20150402184849.GF10960@localhost>
References: <CAOgPGoBk+E=cNV1ufBaQ0n7=CJQ34zukPixKCEdpmMLBX=Kg_w@mail.gmail.com> <20150402184849.GF10960@localhost>
Date: Fri, 03 Apr 2015 06:55:32 -0700
Message-ID: <CACsn0ckhsx4ZqpknoMwS6OmYhy-Q0AQdD6SmmF0krAp9s2ngyQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/N5GxVz5N6gSBAuK3MVyrCqFUvxA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus Call on MTI Algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 13:55:35 -0000
On Apr 2, 2015 11:49 AM, "Nico Williams" <nico@cryptonector.com> wrote: > > On Wed, Apr 01, 2015 at 11:12:19AM -0700, Joseph Salowey wrote: > > [...] > > I'd like to have at least two required algorithms for each class, at > least for the 128-bit security level. The rationale is: to make it easy > to switch one off if it becomes a problem. > > We've already had to disable broken algorithms in a hurry in several > Internet protocols including TLS. We should learn the lesson: we should > aim to have at least one left. Is that really what happened with RC4 and the MAC construction? Or was it nearly a decade of ignoring widely reported weaknesses? > > In all cases recall that required-to-implement != required-to-enable. All sites with RC4 enabled and preferred implement and offer AES128-SHA in the handshake. The absence of alternatives in implementations isn't what is keeping RC4 alive. > > > o Symmetric: > > MUST AES-GCM 128 > > SHOULD ChaCha20-Poly1305 > > I would like at least two modes for AES to be required: one AEAD > (probably GCM) and one AEAD-by-generic-construction (e.g., using HMAC). OCB is a better fit constrained devices. CCM requires two passes. > > I would like one non-AES cipher to be required. ChaCha20-Poly1305 works > for me. What does this requirement translate to in practice? It doesn't necessarily mean that we can switch, as there is no requirement to use the other ciphers, or even offer them. We seem to have quietly admitted to opening up a zoo of ciphers, where every profile picks a different one. How do these proposals actually improve security? What we need to do is ensure that bad ciphers aren't used. The exercise of ensuring that we have alternatives only matters if we have an answer to the question of how migration works. Sincerely, Watson Ladd > > Total: three required algorithms. Here I want three because I'm not > sure that GCM is easy enough to implement and use safely in all > environments (see Watson L.'s comments on this), and because I'd like > two ciphers just in case. > > > o Hash: > > MUST SHA-256 > > I would like two hash functions to be required. I don't have a strong > preference as to the second hash function, but I like SHA-3. > > > o Key Agreement: ECDH > > MUST P-256 > > SHOULD 25519 > > By the rationale above I would like both of these to be required. > > > o Signature: > > MUST ECDSA P-256 > > MUST RSA > > Ditto. We won't have the luxury of waiting until CFRG blesses an ECC > signature scheme other than ECDSA, but when they do... we should add > that to the list. > > Nico > -- > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Consensus Call on MTI Algorithms Joseph Salowey
- Re: [TLS] Consensus Call on MTI Algorithms Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Russ Housley
- Re: [TLS] Consensus Call on MTI Algorithms Dan Harkins
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Kurt Roeckx
- Re: [TLS] Consensus Call on MTI Algorithms Brian Smith
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Stephen Checkoway
- Re: [TLS] Consensus Call on MTI Algorithms Sean Turner
- Re: [TLS] Consensus Call on MTI Algorithms Yoav Nir
- Re: [TLS] Consensus Call on MTI Algorithms Yaron Sheffer
- Re: [TLS] Consensus Call on MTI Algorithms Martin Thomson
- Re: [TLS] Consensus Call on MTI Algorithms Watson Ladd
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Rob Stradling
- Re: [TLS] Consensus Call on MTI Algorithms Yaron Sheffer
- Re: [TLS] Consensus Call on MTI Algorithms Stephen Farrell
- Re: [TLS] Consensus Call on MTI Algorithms Yaron Sheffer
- Re: [TLS] Consensus Call on MTI Algorithms Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus Call on MTI Algorithms Russ Housley
- Re: [TLS] Consensus Call on MTI Algorithms Hubert Kario
- Re: [TLS] Consensus Call on MTI Algorithms Hanno Böck
- Re: [TLS] Consensus Call on MTI Algorithms Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Consensus Call on MTI Algorithms Salz, Rich
- Re: [TLS] Consensus Call on MTI Algorithms Rick Andrews
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Salz, Rich
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Christian Huitema
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Yoav Nir
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Eric Rescorla
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Yoav Nir
- Re: [TLS] Consensus Call on MTI Algorithms Nico Williams
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms James Cloos
- Re: [TLS] Consensus Call on MTI Algorithms Peter Gutmann
- Re: [TLS] Consensus Call on MTI Algorithms Peter Gutmann
- Re: [TLS] Consensus Call on MTI Algorithms Aaron Zauner
- Re: [TLS] Consensus Call on MTI Algorithms Watson Ladd
- Re: [TLS] Consensus Call on MTI Algorithms Dave Garrett
- Re: [TLS] Consensus Call on MTI Algorithms Eric Rescorla
- Re: [TLS] Consensus Call on MTI Algorithms Russ Housley
- Re: [TLS] Consensus Call on MTI Algorithms Daniel Kahn Gillmor