IETF Logo Mail Archive

Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt

Hubert Kario <hkario@redhat.com> Mon, 03 September 2018 15:20 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E19B71274D0 for <tls@ietfa.amsl.com>; Mon, 3 Sep 2018 08:20:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6s3LzF_GPyh for <tls@ietfa.amsl.com>; Mon, 3 Sep 2018 08:20:40 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D68A12008A for <tls@ietf.org>; Mon, 3 Sep 2018 08:20:40 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 505F7406E974; Mon, 3 Sep 2018 15:20:39 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.250]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6FA3B2166BA1; Mon, 3 Sep 2018 15:20:38 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Date: Mon, 03 Sep 2018 17:20:37 +0200
Message-ID: <4271830.1rrzgRcsFr@pintsize.usersys.redhat.com>
In-Reply-To: <CABcZeBNYGujXNYggham456ex0OWtqN0JP1x38wFpMt2qbUGRsA@mail.gmail.com>
References: <153569768626.3253.16680905114240291331.idtracker@ietfa.amsl.com> <12005079.7UJsg1mpg9@pintsize.usersys.redhat.com> <CABcZeBNYGujXNYggham456ex0OWtqN0JP1x38wFpMt2qbUGRsA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2738271.EZ2fY3o72j"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 03 Sep 2018 15:20:39 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 03 Sep 2018 15:20:39 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TbBDNFcxgY3jETQu913fshr9W90>
Subject: Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Sep 2018 15:20:42 -0000

On Monday, 3 September 2018 17:15:24 CEST Eric Rescorla wrote:
> On Mon, Sep 3, 2018 at 7:28 AM, Hubert Kario <hkario@redhat.com> wrote:
> > On Monday, 3 September 2018 16:01:22 CEST Eric Rescorla wrote:
> > > On Mon, Sep 3, 2018 at 4:18 AM, Hubert Kario <hkario@redhat.com> wrote:
> > > > On Sunday, 2 September 2018 15:30:45 CEST Bruckert, Leonie wrote:
> > > > > Htmlized:
> > > > > https://tools.ietf.org/html/draft-bruckert-brainpool-for-tls13-00
> > > > > 
> > > > > Abstract:
> > > > >    This document specifies the use of several ECC Brainpool curves
> > 
> > for
> > 
> > > > >    authentication and key exchange in the Transport Layer Security
> > 
> > (TLS)
> > 
> > > > >    protocol version 1.3.
> > > > 
> > > > So I understand why you need SignatureScheme registrations, but I'm
> > > > completely
> > > > missing the need for NamedGroup registrations – are the 26, 27 and 28
> > > > tainted
> > > > somehow?
> > > 
> > > Yes. They are explicitly prohibited by the TLS 1.3 spec. See the
> > > previous
> > > discussion on-list.
> > 
> > well, implementations that receive them in TLS 1.3 still MUST ignore them,
> 
> What text do you believe requires that?

every one that deals with forward and backward compatibility... the whole 
GREASE I-D...
 
> > not
> > abort connection, so I still think it will create less confusion to
> > re-allow
> > them than to re-assign new codepoints
> 
> The issue is that it's not possible to distinguish a non-compliant TLS 1.3
> implementation which is inappropriately sending these code points from
> one which actually supports Brainpool with TLS 1.3. Using new code
> points makes this clear.

and why having that distinction is that important?

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email