Re: [TLS] FFDHE and SHOULDs on usage
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 15 April 2015 18:22 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02651A0233 for <tls@ietfa.amsl.com>; Wed, 15 Apr 2015 11:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, GB_I_INVITATION=-2] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdfLOB_it0wh for <tls@ietfa.amsl.com>; Wed, 15 Apr 2015 11:22:20 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 368A51A0318 for <tls@ietf.org>; Wed, 15 Apr 2015 11:22:20 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 5F8D7F985; Wed, 15 Apr 2015 14:22:17 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 06F121FFC8; Wed, 15 Apr 2015 13:22:06 -0500 (CDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Martin Thomson <martin.thomson@gmail.com>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <CABkgnnVxLJhpm+vjUsaQTBGOQ7n=MDBiR3Pk+f7J0m_0rRGT+A@mail.gmail.com>
References: <CABkgnnVxLJhpm+vjUsaQTBGOQ7n=MDBiR3Pk+f7J0m_0rRGT+A@mail.gmail.com>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Wed, 15 Apr 2015 14:22:05 -0400
Message-ID: <874mohqmk2.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/TlY8RXrVfytYS1Q6T-WRA7KE-uo>
Subject: Re: [TLS] FFDHE and SHOULDs on usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2015 18:22:22 -0000
Hi Martin--
Thanks for the review!
On Thu 2014-11-13 15:05:02 -0500, Martin Thomson wrote:
> The thesis here is that strong groups (and 2048 isn't that strong) are
> extremely expensive to verify, and folks are unlikely to do that
> verification. Therefore, the pick-your-own-group method is not just a
> bad idea, but an invitation to attack.
agreed.
> Clients who want to do PYOG can simply not support (or pretend to not
> support) this draft.
this also makes sense.
> ## Details:
>
> The draft says that, for servers:
>
> If a compatible TLS server receives a Supported Groups extension from
> a client that includes any FFDHE group (i.e. any codepoint between
> 256 and 511 inclusive, even if unknown to the server), and if none of
> the client-proposed FFDHE groups are known and acceptable to the
> server, then the server SHOULD NOT select an FFDHE ciphersuite.
>
> I think that this needs to be a MUST. If the client is willing to
> take the servers choice of group, then it would not be including the
> fixed groups.
>
>
> Similarly, all the SHOULDs in the client behaviour section needs to be hardened.
>
> OLD:
> The compatible client that wants to be able to negotiate strong FFDHE
> SHOULD send a "Supported Groups" extension
> NEW:
> The compatible client that wants to be able to negotiate strong FFDHE
> sends a "Supported Groups" extension
> Rationale:
> This is purely axiomatic.
The above two edits make sense to me, and i propose to reflect them with
the following diff:
diff --git a/tls-negotiated-ff-dhe.xml b/tls-negotiated-ff-dhe.xml
index ef73355..3af4c30 100644
--- a/tls-negotiated-ff-dhe.xml
+++ b/tls-negotiated-ff-dhe.xml
@@ -242,7 +242,7 @@
mechanism.</t>
<t>The compatible client that wants to be able to negotiate
- strong FFDHE SHOULD send a "Supported Groups" extension
+ strong FFDHE sends a "Supported Groups" extension
(identified by type elliptic_curves(10) in <xref target="RFC4492"/>) in the
ClientHello, and include a list of known FFDHE groups in the
extension data, ordered from most preferred to least preferred.
@@ -295,13 +295,13 @@
extension from a client that includes any FFDHE group (i.e. any
codepoint between 256 and 511 inclusive, even if unknown to the server), and if none of the
client-proposed FFDHE groups are known and acceptable to the
- server, then the server SHOULD NOT select an FFDHE ciphersuite.
+ server, then the server MUST NOT select an FFDHE ciphersuite.
In this case, the server SHOULD select an acceptable non-FFDHE
ciphersuite from the client's offered list. If the extension is
present with FFDHE groups, none of the client's offered groups
are acceptable by the server, and none of the client's proposed
non-FFDHE ciphersuites are acceptable to the server, the server
- SHOULD end the connection with a fatal TLS alert of type
+ MUST end the connection with a fatal TLS alert of type
insufficient_security(71).
</t>
<t>
The "In this case, the server SHOULD select..." part remains a SHOULD
because of the possibility of the peer-incompatibility case outlined in
the last sentence. I welcome concrete suggestions for other ways to
word this decision process if anyone has a clearer proposal.
> OLD:
> A client that offers any of these values in the elliptic_curves
> extension SHOULD ALSO include at least one FFDHE ciphersuite in the
> Client Hello.
> NEW:
> A client that offers a NamedCurve extension containing a FFDHE group
> cannot use
> Rationale:
> No need for normative language here, this is purely a (relevant)
> observation. And "SHOULD ALSO" doesn't appear in RFC 2119 ;)
The edit as phrased explicitly above makes no sense. At least the "OLD"
had a complete sentence ;)
I propose to address the identified normative language with the
following change:
diff --git a/tls-negotiated-ff-dhe.xml b/tls-negotiated-ff-dhe.xml
index 3af4c30..e9202a3 100644
--- a/tls-negotiated-ff-dhe.xml
+++ b/tls-negotiated-ff-dhe.xml
@@ -252,9 +252,9 @@
ordering SHOULD be based on client preference, but see <xref
target="preference_ordering"/> for more nuance.</t>
- <t>A client that offers any of these values in the elliptic_curves
- extension SHOULD ALSO include at least one FFDHE ciphersuite in
- the Client Hello.</t>
+ <t>A client that offers a "Supported Groups" extension
+ containing an FFDHE group should also include at least one FFDHE
+ ciphersuite in the Client Hello.</t>
<t>A client who offers a group MUST be able and willing to
perform a DH key exchange using that group.</t>
WDYT?
--dkg
- [TLS] FFDHE and SHOULDs on usage Martin Thomson
- Re: [TLS] FFDHE and SHOULDs on usage Bodo Moeller
- Re: [TLS] FFDHE and SHOULDs on usage Martin Thomson
- Re: [TLS] FFDHE and SHOULDs on usage Daniel Kahn Gillmor
- Re: [TLS] FFDHE and SHOULDs on usage Martin Thomson
- [TLS] please review (was: Re: FFDHE and SHOULDs o… Sean Turner
- Re: [TLS] FFDHE and SHOULDs on usage Daniel Kahn Gillmor
- Re: [TLS] FFDHE and SHOULDs on usage Martin Thomson
- Re: [TLS] FFDHE and SHOULDs on usage Martin Rex
- Re: [TLS] FFDHE and SHOULDs on usage Andrey Jivsov
- Re: [TLS] FFDHE and SHOULDs on usage Thijs van Dijk
- Re: [TLS] FFDHE and SHOULDs on usage Hubert Kario