Re: [TLS] TLS Charter Revision

Trevor Perrin <trevp@trevp.net> Wed, 04 December 2013 05:56 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D7A71AE1D3 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 21:56:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xr7ESdZz7yLe for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 21:56:31 -0800 (PST)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) by ietfa.amsl.com (Postfix) with ESMTP id 55B091AE1CC for <tls@ietf.org>; Tue, 3 Dec 2013 21:56:31 -0800 (PST)
Received: by mail-wg0-f42.google.com with SMTP id a1so6517384wgh.5 for <tls@ietf.org>; Tue, 03 Dec 2013 21:56:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QJUMe1cexidMyWccb5yw0elO2VXmjHD0NBTl+Wn++Gc=; b=iVAMT3l7un/R4iZQV7pSGmwn9kZT6dG7esSsae0r/3SLvcLIMyU2l9ta8c4LI5Wsul qcUUBKhmVd86E/SUcEsTnyQPk+/ohIOSfnmL1n9lITPbzVjMbebHIwKW0k1wvGy3Cyrs /JTgjyUe2VwxCdsZHsKx7Sth6GdxQJlxfsLk9kjro7ZmGpYd5epPPiU5o8GDWetyGYyo EN59Hx/UL6U7NgkHWDA9nt3Fr9UAcgJMQMJJ7YaSwPLKgkJHnIMaBwMsWedrVvKO+yog xm3JF/06wpjDOVYcl57x1PObR6C00qna0yAZiiPUKczvlP6J9kYfQro75voncXahDznq XM8w==
X-Gm-Message-State: ALoCoQn5NRyaUiEoHf9bnH2WBGBX6QbzRuDvlEs4OVWqZQWcaSgFzcSBYDJOw8JWE9Ht+1S9nCt6
MIME-Version: 1.0
X-Received: by 10.180.11.169 with SMTP id r9mr5612494wib.26.1386136587870; Tue, 03 Dec 2013 21:56:27 -0800 (PST)
Received: by 10.216.214.134 with HTTP; Tue, 3 Dec 2013 21:56:27 -0800 (PST)
X-Originating-IP: [64.134.226.64]
In-Reply-To: <CACsn0ck1-H7ChD+2vKRUjiCiC-U3Gq0AKy2EdoPkdFBxG-xqXg@mail.gmail.com>
References: <2F2286E3-7717-4E8F-B1EA-B2E4155F7C17@cisco.com> <CACsn0ckzA9hd3+zTH5FNNBbPAQqUqaXD8_Z35a8vKEG6WjXbTg@mail.gmail.com> <53edda7bf2804289817f54a8c2ecce33@BY2PR03MB074.namprd03.prod.outlook.com> <CACsn0ck1-H7ChD+2vKRUjiCiC-U3Gq0AKy2EdoPkdFBxG-xqXg@mail.gmail.com>
Date: Tue, 3 Dec 2013 21:56:27 -0800
Message-ID: <CAGZ8ZG2S8Fcfy=6rkd+=SJWEvdqzNazZVXjTGsjJEj6-+FrunQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] TLS Charter Revision
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 05:56:33 -0000

On Tue, Dec 3, 2013 at 8:08 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Tue, Dec 3, 2013 at 7:13 PM, Marsh Ray <maray@microsoft.com> wrote:
>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Watson Ladd
>>
>>> I propose the following charter instead.
>>> "To create a protocol establishing a secure encrypted and authenticated channel in the
>>> standard model between parties A and B, supporting the following authentication methods:
>>> -One-way authentication with the PKI
>>> -Two-way authentication with the PKI
>>> -Two-way authentication with a shared low-entropy secret -One side authenticated with the PKI, and the other with a shared low-entropy secret.
>>> Said protocol will function over UDP and TCP with a minimum of handshakes, complexity, and options, and will have a formal security proof."
>>
>> Gee you make it sound so easy.
> What part do you think is hard? We've known how to do all of this
> since basically forever in cryptography terms, except the formal proof
> part, but
> that's automatic now. CurveCP has all of this working

It doesn't, actually.  CurveCP has some security flaws [1], no formal
proof, no PKI support, and lacks the low-round-trip properties that
are TLS 1.3 goals.

Key agreement remains a complex topic even in academia.  Trying to
balance low round-trips, computational efficiency,
handshake-data-hiding, implementation complexity,
backwards-compatibility, extensibility, IPR, etc. involves difficult
tradeoffs.

Anyways, I prefer Joseph's charter, as it identifies specific focuses
for improvement (round-trips, handshake-data-hiding), whereas yours is
quite vague ("minimum of handshakes, complexity, and options").


Trevor

[1] http://codesinchaos.wordpress.com/2012/09/09/curvecp-1/