Re: [TLS] Singular or multiple NamedGroup(s) in the "HelloRetryRequest"

"Dang, Quynh" <quynh.dang@nist.gov> Fri, 16 January 2015 15:51 UTC

From: "Dang, Quynh" <quynh.dang@nist.gov>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Fri, 16 Jan 2015 15:51:21 +0000
Subject: Re: [TLS] Singular or multiple NamedGroup(s) in the "HelloRetryRequest"
Message-ID: <1421423478675.87032@nist.gov>
In-Reply-To: <CABcZeBNOERvqWcxj2G1FBC5UL5fH_T+dJ53N0RYEgxKepnVJ6w@mail.gmail.com>
References: <1421422017019.67267@nist.gov>, <CABcZeBNOERvqWcxj2G1FBC5UL5fH_T+dJ53N0RYEgxKepnVJ6w@mail.gmail.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/U4cNg555lGNeMKuz4UAbzjCq-sE>

If a client offers all of the options it supports and a server sends back one group out of these options, it would guarantee a failure.


Quynh.

________________________________
From: Eric Rescorla <ekr@rtfm.com>
Sent: Friday, January 16, 2015 10:44 AM
To: Dang, Quynh
Cc: tls@ietf.org
Subject: Re: Singular or multiple NamedGroup(s) in the "HelloRetryRequest"

Note that the client advertises all the groups it can support, so the server
can just pick the "best" one on the client's list.

-Ekr


On Fri, Jan 16, 2015 at 7:26 AM, Dang, Quynh <quynh.dang@nist.gov> wrote:

Hi all,


It seems to be fine to improve interoperability (or efficiency: less back and forth) by allowing multiple groups (multiple "NamedGroup"s) in the "HelloRetryRequest" message since a server might be willing to accept 2 (or more) groups for a particular key exchange method. For example, a client might offer only one FFDH group in its Client Key Share message and the server is willing to offer two higher-level security groups for the client to choose from.


The situation would be similar if we had 3 or more curves.


Quynh.
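The following is an added illustration of the negotiation the thread is arguing about; it is not code from the TLS working group, from either poster, or from any TLS implementation. It models a ClientHello as its supported_groups list plus the subset of groups it actually sent key shares for, lets the server pick one group and either proceed or send a single-group HelloRetryRequest, and then replays the scenario from the original post (one FFDHE share offered, stronger FFDHE groups supported). It goes slightly beyond the thread by including the client-side checks on an HRR that the eventual RFC 8446 (section 4.2.8) specifies. The NamedGroup code points are the real IANA values; the dataclasses, function names and the sample preference lists are constructed for this example.

```python
"""Toy model of TLS 1.3 group negotiation via HelloRetryRequest (HRR).

Constructed example, not code from the IETF TLS WG, the TLS 1.3 draft or
the posters. NamedGroup code points are the real IANA values; the
dataclasses, helper names and sample preference lists are assumptions.
The client-side HRR checks follow RFC 8446 section 4.2.8.
"""
from dataclasses import dataclass
from typing import Optional

# Real NamedGroup code points from the IANA TLS Supported Groups registry.
NAMED_GROUPS = {
    "secp256r1": 0x0017, "secp384r1": 0x0018, "secp521r1": 0x0019,
    "x25519": 0x001D,
    "ffdhe2048": 0x0100, "ffdhe3072": 0x0101, "ffdhe4096": 0x0102,
}


@dataclass
class ClientHello:
    supported_groups: list   # every group the client can do, in its preference order
    key_share: list          # groups it actually sent a KeyShareEntry for (a subset)


@dataclass
class ServerResponse:
    message: str             # "ServerHello", "HelloRetryRequest" or "handshake_failure"
    selected_group: Optional[str] = None


def choose_group(ch: ClientHello, server_prefs: list) -> Optional[str]:
    """First group in the server's preference order that the client advertised.

    Because supported_groups lists everything the client can do, any group
    chosen here is one the client can complete, whether or not it already
    sent a key share for it (the point made in the reply above)."""
    offered = set(ch.supported_groups)
    for group in server_prefs:
        if group in offered:
            return group
    return None


def server_respond(ch: ClientHello, server_prefs: list) -> ServerResponse:
    """Decide between ServerHello, a single-group HRR, or failure."""
    if not set(ch.key_share) <= set(ch.supported_groups):
        # A key share for a group missing from supported_groups is malformed.
        return ServerResponse("handshake_failure")
    group = choose_group(ch, server_prefs)
    if group is None:
        return ServerResponse("handshake_failure")        # no common group at all
    if group in ch.key_share:
        return ServerResponse("ServerHello", group)       # share present: one flight
    return ServerResponse("HelloRetryRequest", group)     # ask for a share for this group


def hrr_alert(ch: ClientHello, hrr: ServerResponse) -> Optional[str]:
    """Client-side validation of an HRR (RFC 8446 4.2.8).

    Returns the alert the client must send, or None if the HRR is acceptable."""
    group = hrr.selected_group
    if group not in ch.supported_groups:
        return "illegal_parameter"   # server picked something we never offered
    if group in ch.key_share:
        return "illegal_parameter"   # we already sent a share; the HRR changes nothing
    return None


def run_handshake(ch: ClientHello, server_prefs: list):
    """Drive the negotiation. Returns (outcome, group, number_of_client_flights)."""
    first = server_respond(ch, server_prefs)
    if first.message != "HelloRetryRequest":
        return first.message, first.selected_group, 1
    alert = hrr_alert(ch, first)
    if alert is not None:
        return alert, None, 1
    # Second ClientHello: same supported_groups, a key share only for the selected group.
    retry = ClientHello(ch.supported_groups, [first.selected_group])
    second = server_respond(retry, server_prefs)
    return second.message, second.selected_group, 2


if __name__ == "__main__":
    # Scenario from the original post: one FFDHE share offered, stronger groups supported.
    ch = ClientHello(["ffdhe2048", "ffdhe3072", "ffdhe4096"], ["ffdhe2048"])
    print(run_handshake(ch, ["ffdhe4096", "ffdhe3072", "ffdhe2048"]))
```

Two things the model makes visible: a client that sends shares for every group it supports never receives an HRR at all, so the single-group HRR costs it nothing; and an HRR that names a group outside the client's supported_groups is rejected by the client with illegal_parameter rather than silently failing later, which is why the server picking from the client's own list is the only way a single-group HRR can succeed.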