Re: [TLS] Ala Carte Cipher suites - was: DSA should die

Geoffrey Keating <geoffk@geoffk.org> Mon, 13 April 2015 21:09 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E9EA1A8733 for <tls@ietfa.amsl.com>; Mon, 13 Apr 2015 14:09:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.895
X-Spam-Level:
X-Spam-Status: No, score=0.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dH9lMLNHLz-l for <tls@ietfa.amsl.com>; Mon, 13 Apr 2015 14:09:14 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (unknown [198.0.208.83]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4945A1A874B for <tls@ietf.org>; Mon, 13 Apr 2015 14:09:06 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 7CFDC33D223; Mon, 13 Apr 2015 21:09:05 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Martin Thomson <martin.thomson@gmail.com>
References: <20150401201221.163745c2@pc1.fritz.box> <CAK9dnSyKf7AY11h1i1h+SudRc-NmTZE5wC682YKhNsxnfV5ShQ@mail.gmail.com> <CAK3OfOgPbADQ1CvOs=8T7ee6f_T+bi3F6GCdBtxufQpznzYbQA@mail.gmail.com> <201504021257.09955.davemgarrett@gmail.com> <CAOgPGoDJTcLn4j90wNu=mhCZJnb2WUuAvM5TN6KOO7RdC==qHQ@mail.gmail.com> <551DE914.4010804@nthpermutation.com> <CAFewVt6jKaQh9Z-ySQJr_9PWsBvn41RNk6PNXMdouLwywn8-wA@mail.gmail.com> <CABkgnnXoBmSfoK5Ht5x7jqf3zGB-mDntcVRMVzKgr2wfsixgNg@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 13 Apr 2015 14:09:05 -0700
In-Reply-To: <CABkgnnXoBmSfoK5Ht5x7jqf3zGB-mDntcVRMVzKgr2wfsixgNg@mail.gmail.com>
Message-ID: <m2r3rnzqfi.fsf@localhost.localdomain>
Lines: 21
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OJN5TZvg841omw_wkyU-ur0RfR4>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Ala Carte Cipher suites - was: DSA should die
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2015 21:09:16 -0000

Martin Thomson <martin.thomson@gmail.com> writes:

> On 3 April 2015 at 17:05, Brian Smith <brian@briansmith.org> wrote:
> > I don't think the current mechanism is problematic
> > enough (at all, really) to justify that effort.
> 
> I think that I've the same view.
> 
> Then you have to consider interaction problems where some
> implementations have hardware for certain things, and software for
> others.  Not only does that produce strong preferences for some things
> over others, it also can lead to holes in support tables, making a la
> carte selection tricky.
> 
> That was always the clincher for me.

I agree.  In particular I don't think we've simplified anything if
implementations have to have a list of invalid combinations, or have
to know that certain ciphers are to be used only with matching key
exchange algorithms (for example, use the GOST key exchange with the
GOST symmetric cipher).