Re: [TLS] TLS Profiles (Was: Call for consensus to remove anonymous DH)

Nico Williams <nico@cryptonector.com> Wed, 16 September 2015 23:00 UTC

Date: Wed, 16 Sep 2015 18:00:25 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dave Garrett <davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QwI0DrE0j6b3feprrGK3jMsatgA>
Cc: tls@ietf.org

On Wed, Sep 16, 2015 at 06:37:21PM -0400, Dave Garrett wrote:
> On Wednesday, September 16, 2015 05:38:27 pm Viktor Dukhovni wrote:
> > On Wed, Sep 16, 2015 at 03:03:54PM -0400, Dave Garrett wrote:
> > > The suggestion that started this thread was to have a "Standard TLS Profile"
> > > that actually allowed EXPORT ciphers & SSL3. So yeah, this proposal feels
> > > like a suggestion to keep allowance of obsolete junk as the norm with
> > > "defensive" as a separate option, because that's what it specifically
> > > says.
> > 
> > Object to such a profile, rather than the idea of profiles.
> > There is no need for the TLS WG to define any profiles that include
> > SSL3 or EXPORT ciphers.
> 
> That's a fair point, but I don't see the need for a profile once that
> stuff is not allowed anywhere. I could accept the notion of a TLS

<mentally splice in long and never-ending debate about opportunistic use
of weaker ciphers, so that we don't have to physically splice it in here>

> strict mode, where it's TLS 1.2 + PFS + AEAD + no
> SHA1/DSA/SSL2HELLO/etc. only, but that's not really a "profile" so
> much as one paragraph that could be added. Application profiles are
> already a thing, so I don't see why we also need a new mechanism here.

It's a profile.  Call it what you will.  The rest of us call this a
profile.  All the more so when profiles are named in an IANA registry.
Applications can then very trivially select an appropriate TLS profile
using standard profile naming.

> Let me put it this way, I see no way for the WG to reasonably agree on
> this without a proposed _set_ of profiles to go with it that we all
> could also live with. Just the vague notion of more profiles in
> abstract isn't sounding great on its own.

We've certainly had a few proposed profiles over time.  Your estimation
of what the WG would or would not agree to is not as interesting as, you
know, actually attempting to get consensus.

Nico
--
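
An added example, not part of the thread or of any IETF document: one way an application could select a TLS configuration by profile name and then audit what the TLS library actually enabled against the "strict mode" rules quoted above (TLS 1.2 minimum, forward-secret key exchange, AEAD, no DSA). The profile name `strict`, the `PROFILES` table, both function names and the sample entry are hypothetical; the SHA-1 and SSL2HELLO restrictions are outside what this example checks.

```python
import ssl

# Hypothetical registry: the profile name and table are assumptions for this example.
PROFILES = {
    "strict": {
        "min_version": ssl.TLSVersion.TLSv1_2,
        # OpenSSL cipher-list syntax: ephemeral (EC)DH key exchange, AEAD only,
        # no anonymous, NULL, DSA-authenticated or PSK suites.
        "ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!DSS:!PSK",
    },
}

def context_for_profile(name, protocol=ssl.PROTOCOL_TLS_CLIENT):
    """Build an SSLContext for a named profile; unknown names raise KeyError."""
    profile = PROFILES[name]
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = profile["min_version"]
    ctx.set_ciphers(profile["ciphers"])
    return ctx

def violations(ciphers):
    """Names of suites (as returned by SSLContext.get_ciphers()) that break the rules."""
    bad = []
    for c in ciphers:
        # TLS 1.3 suites do not name a key exchange (kea is 'kx-any');
        # certificate handshakes in TLS 1.3 always use (EC)DHE.
        tls13 = c["protocol"] == "TLSv1.3"
        pfs = tls13 or c["kea"] in ("kx-ecdhe", "kx-dhe")
        if not (c["aead"] and pfs and c["auth"] != "auth-dss"):
            bad.append(c["name"])
    return bad

# Constructed sample entry: static-RSA key exchange with a CBC/HMAC-SHA1 cipher.
LEGACY_SAMPLE = {"name": "AES128-SHA", "protocol": "SSLv3", "kea": "kx-rsa",
                 "auth": "auth-rsa", "aead": False}

if __name__ == "__main__":
    ctx = context_for_profile("strict")
    print("enabled:", [c["name"] for c in ctx.get_ciphers()])
    print("violations in strict:", violations(ctx.get_ciphers()))
    print("violations in sample:", violations([LEGACY_SAMPLE]))
```

Auditing the output of `get_ciphers()` rather than trusting the cipher string catches cases where the local OpenSSL build or system policy expands an alias differently than expected.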