[TLS] A la carte handshake negotiation

Dave Garrett <davemgarrett@gmail.com> Thu, 11 June 2015 19:58 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Thu, 11 Jun 2015 15:58:21 -0400
Message-Id: <201506111558.21577.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QpSvYBJUf7OsZnmjNEwZGSzwErs>
Subject: [TLS] A la carte handshake negotiation
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>

Here is a branch with a rough draft of an a la carte handshake algorithm negotiation scheme for TLS 1.3, based on discussions on this list.


* Deprecate all suites with any of: DH, DHE, ECDH, RSA, DSS
* Deployments may continue to offer deprecated suites for TLS 1.0-1.2 negotiation.
* TLS 1.3 would only negotiate suites prefixed with ECDHE_ECDSA or ECDHE_PSK.
* TLS 1.3 implementations negotiate ECDHE/DHE & RSA/DSS/ECDSA solely via the "supported_groups" & "signature_algorithms" extensions.
* No change to bulk cipher negotiation.

To be clear, this would mean a connection could negotiate usage of an ECDHE_ECDSA suite and negotiate ECDHE+RSA. It doesn't say anything about DHE+ECDSA yet, but I think that combination is fine if negotiated.

1) Old DH(E) suites are replaced by a system which only negotiates strong FFDHE groups.
2) The combinatorial explosion of suites that need to be offered in a ClientHello is reduced.
3) Accidental interop failure due to a missing combination is avoided.
4) All TLS 1.3 implementations are expected to be able to handle ECC, but are not required to offer or negotiate it. (at least, here)
5) EdDSA can easily be added to the list as a variation of ECDSA without new suites.
6) No more confusing double negotiation of signature algorithms. Just extensions, instead of many suites and extensions.
7) The default usage of SHA1 for the "signature_algorithms" extension can be removed, as all TLS 1.3 clients would be required to send it.

The branch is a WIP to resume discussion on this topic. Probably needs some significant additional changes.
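The following Python model is an added example of the negotiation described in the message above; it is not code from the post, from the author's branch, or from any TLS implementation. The message fields (ClientHello, ServerConfig), the constructed suite list and the group and signature-algorithm names are assumptions chosen for illustration. For TLS 1.0-1.2 the suite name fixes key exchange and authentication, and a client that omits signature_algorithms gets the RFC 5246 SHA-1 default; for TLS 1.3 only ECDHE_ECDSA and ECDHE_PSK suites survive, the key exchange follows from the selected group (an ffdhe group gives DHE, a curve gives ECDHE) and the signature algorithm comes from signature_algorithms alone, so an ECDHE_ECDSA suite can yield ECDHE+RSA or DHE+ECDSA exactly as the post describes.

```python
"""Toy model of the a la carte negotiation sketched in the post.
Added example; field names, suite list and algorithm names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample suites, TLS 1.2 naming: TLS_<kex>_<auth>_WITH_<bulk>.
ECDHE_ECDSA_GCM = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
ECDHE_RSA_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
ECDHE_PSK_GCM = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256"
DHE_RSA_GCM = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
RSA_GCM = "TLS_RSA_WITH_AES_128_GCM_SHA256"

DEPRECATED_KEX_AUTH = {"DH", "DHE", "ECDH", "RSA", "DSS"}   # post: deprecate these
FFDHE_GROUPS = {"ffdhe2048", "ffdhe3072", "ffdhe4096"}      # point 1: named strong groups
ECDHE_GROUPS = {"secp256r1", "secp384r1", "x25519"}

# signature_algorithms entry -> key type the server certificate must hold.
SIGALG_KEY_TYPE = {
    "rsa_pkcs1_sha1": "RSA", "rsa_pkcs1_sha256": "RSA", "rsa_pss_sha256": "RSA",
    "ecdsa_sha1": "ECDSA", "ecdsa_secp256r1_sha256": "ECDSA",
    "ed25519": "EdDSA",                                      # point 5: no new suites needed
    "dsa_sha1": "DSS",
}
# RFC 5246 default when a pre-1.3 client omits signature_algorithms.
SHA1_DEFAULT = {"RSA": "rsa_pkcs1_sha1", "ECDSA": "ecdsa_sha1", "DSS": "dsa_sha1"}


def suite_kex_auth(suite: str):
    """'TLS_ECDHE_ECDSA_WITH_...' -> ('ECDHE','ECDSA'); 'TLS_RSA_WITH_...' -> ('RSA','RSA')."""
    parts = suite.split("_")
    if parts[2] == "WITH":            # RSA key transport: kex and auth are both RSA
        return parts[1], parts[1]
    return parts[1], parts[2]


def deprecated_for_tls13(suite: str) -> bool:
    """True unless the suite is ECDHE_ECDSA or ECDHE_PSK (the only 1.3 survivors)."""
    return bool(set(suite_kex_auth(suite)) & DEPRECATED_KEX_AUTH)


@dataclass
class ClientHello:
    versions: List[str]                        # offered versions, highest first
    cipher_suites: List[str]
    supported_groups: List[str]                # client preference order
    signature_algorithms: Optional[List[str]]  # None = extension absent


@dataclass
class ServerConfig:
    versions: List[str]
    cipher_suites: List[str]                   # server preference order
    groups: List[str]
    cert_key_type: Optional[str]               # "RSA", "ECDSA", "EdDSA"; None if PSK-only
    has_psk: bool = False


@dataclass
class Result:
    version: str
    suite: str
    kex: str
    group: Optional[str]
    sigalg: Optional[str]


def _pick_group(ch, srv, allowed):
    group = next((g for g in ch.supported_groups if g in srv.groups and g in allowed), None)
    if group is None:
        raise ValueError("no common group")
    return group


def _pick_sigalg(offered, key_type):
    sigalg = next((a for a in offered if SIGALG_KEY_TYPE.get(a) == key_type), None)
    if sigalg is None:
        raise ValueError("client accepts no signature algorithm for a %s key" % key_type)
    return sigalg


def negotiate(ch: ClientHello, srv: ServerConfig) -> Result:
    version = next((v for v in ch.versions if v in srv.versions), None)
    if version is None:
        raise ValueError("no common protocol version")
    common = [s for s in srv.cipher_suites if s in ch.cipher_suites]

    if version != "1.3":
        # TLS 1.0-1.2: the suite fixes kex and auth; deprecated suites stay offerable.
        if not common:
            raise ValueError("no common cipher suite")
        suite = common[0]
        kex, auth = suite_kex_auth(suite)
        if auth != "PSK" and auth != srv.cert_key_type:
            raise ValueError("suite %s does not match the server certificate" % suite)
        group = _pick_group(ch, srv, ECDHE_GROUPS) if kex in ("ECDH", "ECDHE") else None
        sigalg = None
        if kex in ("DHE", "ECDHE") and auth != "PSK":       # ServerKeyExchange is signed
            if ch.signature_algorithms is None:
                sigalg = SHA1_DEFAULT[auth]                  # the default point 7 removes
            else:
                sigalg = _pick_sigalg(ch.signature_algorithms, auth)
        return Result(version, suite, kex, group, sigalg)

    # TLS 1.3 under the proposal: the suite fixes only bulk cipher and family.
    if ch.signature_algorithms is None:
        raise ValueError("TLS 1.3 clients must send signature_algorithms")  # point 7
    candidates = [s for s in common if not deprecated_for_tls13(s)]
    if not candidates:
        raise ValueError("no ECDHE_ECDSA or ECDHE_PSK suite in common")
    suite = candidates[0]
    _, family = suite_kex_auth(suite)                        # "ECDSA" (cert auth) or "PSK"
    group = _pick_group(ch, srv, FFDHE_GROUPS | ECDHE_GROUPS)
    kex = "DHE" if group in FFDHE_GROUPS else "ECDHE"        # kex decided by the group
    if family == "PSK":
        if not srv.has_psk:
            raise ValueError("server has no PSK")
        sigalg = None
    else:
        sigalg = _pick_sigalg(ch.signature_algorithms, srv.cert_key_type)  # sig from extension
    return Result(version, suite, kex, group, sigalg)
```

The 1.3 branch deliberately aborts rather than falling back to 1.2 when the client offers only deprecated suites or omits signature_algorithms; a real server might choose differently, but aborting makes the interop consequence of points 3 and 7 visible.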