Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again)
Juho Vähä-Herttua <juhovh@iki.fi> Thu, 06 January 2011 15:46 UTC
Return-Path: <juhovh@iki.fi>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 13BA43A6E31 for <tls@core3.amsl.com>; Thu, 6 Jan 2011 07:46:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[AWL=0.157, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, SARE_HELO_EQ_DSL_3=1.022]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7IJkDhye3fIj for <tls@core3.amsl.com>; Thu, 6 Jan 2011 07:46:55 -0800 (PST)
Received: from jenni1.inet.fi (mta-out.inet.fi [195.156.147.13]) by core3.amsl.com (Postfix) with ESMTP id 913263A6E1A for <tls@ietf.org>; Thu, 6 Jan 2011 07:46:54 -0800 (PST)
Received: from smtp.vaha-herttua.fi (88.192.241.223) by jenni1.inet.fi (8.5.133) id 4D060B9400C7A8AB; Thu, 6 Jan 2011 17:48:59 +0200
Received: from dsl-hkibrasgw3-ffffc000-19.dhcp.inet.fi (dsl-hkibrasgw3-ffffc000-19.dhcp.inet.fi [88.192.255.19]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.vaha-herttua.fi (Postfix) with ESMTPSA id 82E161FCFE; Thu, 6 Jan 2011 17:49:01 +0200 (EET)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: multipart/signed; boundary="Apple-Mail-2-341640278"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Juho Vähä-Herttua <juhovh@iki.fi>
In-Reply-To: <00aa01cbadb3$b7c95f50$275c1df0$@sturek@att.net>
Date: Thu, 06 Jan 2011 17:48:56 +0200
Message-Id: <E74184BA-06D8-4C2E-AE51-D3D9CCF633AB@iki.fi>
References: <008d01cbadaf$2de31550$89a93ff0$@sturek@att.net> <BBB467C5-5FF5-4B73-84CF-3831281D08A4@iki.fi> <00aa01cbadb3$b7c95f50$275c1df0$@sturek@att.net>
To: d.sturek@att.net
X-Mailer: Apple Mail (2.1082)
Cc: tls@ietf.org
Subject: Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jan 2011 15:46:56 -0000
On 6.1.2011, at 17.09, Don Sturek wrote: > Hi Juho, > > On your very last sentence, could you elaborate on why you think the draft > is not interoperable with other cipher suites? I think topics like those > discussed in this part of the thread > (http://www.ietf.org/mail-archive/web/tls/current/msg06718.html) are all > very easy to resolve. I think the issues are pretty easy to solve as well. The first thing that came into my mind about not being interoperable was the extension part: The client MUST NOT offer the elliptic_curves extension nor the ec_point_formats extension. The server MUST NOT expect to receive those extensions. The client offering AES-CCM cipher suites should be allowed to offer other cipher suites as well. Those other cipher suites may need to define elliptic_curves or ec_point_formats extensions, but AES-CCM draft forbids offering them. That's a clear conflict. Another smaller issue was the certificate part: The server's certificate MUST contain an ECDSA-capable public key, and it MUST be signed with ECDSA. If a client certificate is used, the same conditions apply to it. I don't see a reason why a cipher should restrict the type of certificates, although requiring the ECDSA-capable public key in ECDSA cipher suite is kind of obvious. This is not really conflicting, but it would be much nicer if the AES-CCM would be defined as a generic cipher that can be used with any kind of certificate and the additional IEEE 802.15.4 related restrictions would be in a separate document. It works for all the other ciphers and RSA, DHE_DSA or DHE_RSA or certificates signed with some other signing algorithm are not really less secure than ECDSA. I guess the reason for this is again to simplify the hardware implementation by only using ECDSA for everything. Juho
- [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again) Don Sturek
- Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again) Adam Langley
- Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again) Russ Housley
- Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again) Juho Vähä-Herttua
- Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again) Don Sturek
- Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again) Juho Vähä-Herttua