Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?
Eric Rescorla <ekr@rtfm.com> Thu, 31 December 2015 20:24 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 31 Dec 2015 12:23:50 -0800
Message-ID: <CABcZeBPbPw9V2ZDEOmWcOrcUMvb+jFbJ6f54Dbei7f7nwXcBFQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Nl2NdQ8cgU0hJ_w86J2g4IsnAgs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01: Is public key validation necessary or helpful?

On Thu, Dec 31, 2015 at 12:20 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Fri, Jan 01, 2016 at 06:22:00AM +1100, Martin Thomson wrote:
> > On 31 December 2015 at 17:54, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > > Zero checks can already be unit-tested/interop-tested just as well.
> >
> > What ekr said applies, but also this:
>
> I thought the ekr's point was that if you need THS resistance, you
> require EMS. If you don't, not much point worrying what properties
> individual key exchanges have.

I think I was trying to say *almost* this: Namely that given that we have
existing mechanisms that rely on EMS for THS resistance, and most stacks will
continue to use them, then it's easier to just require EMS.

> > Yes, you can test that a given implementation does the right checks,
> > but you won't be checking during normal operation. If you require
> > session-hash, then every handshake includes that check and if someone
> > messes up, the handshake just fails. That's far more visible.
>
> I don't think the parts that actually matter are tested in normal
> use. Unless you mean deimplementing entire old TLS master secret
> derivation...

What I was suggesting was that:

1. Implementations which support old algorithms need to have EMS for
   THS resistance already.
2. Implementations which only do new algorithms can mandate EMS and
   not implement old derivation at all, provided we make that a rule here.

-Ekr
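
Added example, not part of the original message or of any implementation discussed in the thread: a Python sketch of why EMS (RFC 7627) gives THS resistance where the old TLS 1.2 derivation (RFC 5246) does not, plus the "mandate EMS, no old derivation" rule from point 2. The `derive` policy hook, the connection dictionaries and the transcript bytes are hypothetical and constructed for illustration; the transcripts are placeholders, not real TLS encodings.

```python
import hashlib
import hmac

def prf(secret: bytes, label: bytes, seed: bytes, length: int = 48) -> bytes:
    """TLS 1.2 PRF with P_SHA256 (RFC 5246, section 5)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]

def legacy_master_secret(pms, client_random, server_random):
    # RFC 5246, section 8.1: only the premaster secret and the randoms go in.
    return prf(pms, b"master secret", client_random + server_random)

def extended_master_secret(pms, handshake_messages):
    # RFC 7627, section 4: the seed is a hash of the handshake transcript.
    session_hash = hashlib.sha256(handshake_messages).digest()
    return prf(pms, b"extended master secret", session_hash)

def derive(conn, ems_negotiated, allow_legacy=False):
    """Hypothetical policy hook. allow_legacy=False models an EMS-only
    stack that has no old derivation to fall back to."""
    if ems_negotiated:
        return extended_master_secret(conn["pms"], conn["transcript"])
    if not allow_legacy:
        raise ValueError("peer did not negotiate extended_master_secret")
    return legacy_master_secret(conn["pms"], conn["cr"], conn["sr"])

# Constructed sample data: two connections that ended up with the same
# randoms and premaster secret but saw different certificates. The all-zero
# premaster secret is the value the thread's "zero check" would reject.
CR, SR, PMS = b"\x01" * 32, b"\x02" * 32, bytes(32)
CONN_A = {"pms": PMS, "cr": CR, "sr": SR, "transcript": CR + SR + b"cert:server-A"}
CONN_B = {"pms": PMS, "cr": CR, "sr": SR, "transcript": CR + SR + b"cert:server-B"}

def secrets_match(ems: bool) -> bool:
    """Do both connections end up with the same master secret?"""
    a = derive(CONN_A, ems, allow_legacy=True)
    b = derive(CONN_B, ems, allow_legacy=True)
    return hmac.compare_digest(a, b)

if __name__ == "__main__":
    print("legacy derivation, master secrets match:", secrets_match(False))
    print("EMS derivation, master secrets match:   ", secrets_match(True))
```

With the old derivation the two connections share a master secret regardless of what the transcript contained; with EMS they diverge, so a mismatch surfaces as a failed handshake instead of depending on a per-key-exchange check.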