Re: [TLS] A la carte handshake negotiation

Dave Garrett <> Wed, 17 June 2015 05:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8BB2E1B3C62 for <>; Tue, 16 Jun 2015 22:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mdbbsFCWGnFB for <>; Tue, 16 Jun 2015 22:31:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 938581B3C60 for <>; Tue, 16 Jun 2015 22:31:19 -0700 (PDT)
Received: by qkeo142 with SMTP id o142so3701603qke.1 for <>; Tue, 16 Jun 2015 22:31:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=ja0SLE9bm1FTK88ptorbcgVrbR9WSnXV4TZZo/7381w=; b=vrLZaJ6M7Urwt8lht2/pia0CW0HMYJCDU95GX768YwV0UchfPAp+lLeYrb/3HYJhjn OGzyDnajLY+JFAWaysofb6s2oQRfy1lC3oHFFyW3DeGbJ+8h4tQWMqGbehb2a9l56YOM Qx5eXSblaOX89vE2vOJxfP9vuDkGq5/gF+jvxBDJVdiAzI3sq+Kbvj/L5vta9EWaSykY YWhZMsN82EJ7mYEZVX6GRH4l6O2pLM1eViMk1uLLBmyCgXRQQG+xk8fjLSfOrosI1/EU MCF+yHNzzmAbSSn8jkzjUlcYObJN5eSjgM3X51MOI+XvPuIbxUT5Vgfg/5GZnUVNaOrW G0Ng==
X-Received: by with SMTP id p80mr9207545qkp.32.1434519078936; Tue, 16 Jun 2015 22:31:18 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id 67sm1644151qhw.43.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 16 Jun 2015 22:31:18 -0700 (PDT)
From: Dave Garrett <>
To: Nico Williams <>
Date: Wed, 17 Jun 2015 01:31:16 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <20150616233111.GD6117@localhost>
In-Reply-To: <20150616233111.GD6117@localhost>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Cc: "<>" <>
Subject: Re: [TLS] A la carte handshake negotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jun 2015 05:31:21 -0000

On Tuesday, June 16, 2015 07:31:12 pm Nico Williams wrote:
> On Thu, Jun 11, 2015 at 03:58:21PM -0400, Dave Garrett wrote:
> > Here is a branch with a rough draft of an a la carte handshake
> > algorithm negotiation scheme for TLS 1.3, based on discussions on this
> > list.
> Commenting on the latest update of that:
> >
>  - Yes!  This.
>  - Anon ciphersuites...
>    I'd much rather that the WG did NOT deprecate these!

Ok, I revised the drafts and forked the anon deprecation changeset.

Main draft proposal:

Version with deprecated anon suites:

Note that both totally deprecate all DH(E) suites, as that's one of the goals here. (due to weak DH params, old Java choking, & etc.) Thus, all suites must be ECDHE prefixed for TLS 1.3 support under these proposals (with the exception of plain PSK). All ECDHE suites would be capable of negotiating either ECDHE or DHE using string groups via the extension.

PSK & anon will need a litany of new ECDHE suites to be defined. There is currently no ECDHE AEAD anon suite, thus none supporting TLS 1.3 (among the reasons I pursued the idea of merging it into PSK).

I'm fine with relegating the anon deprecation idea to the bin if we agree to define all the new suites we need to maintain support. Getting ECDHE_anon into the ChaChaPoly draft would be a start.