Re: [TLS] FFDHE and SHOULDs on usage

Martin Thomson <martin.thomson@gmail.com> Wed, 15 April 2015 19:05 UTC

On 15 April 2015 at 11:22, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> -      <t>A client that offers any of these values in the elliptic_curves
> -      extension SHOULD ALSO include at least one FFDHE ciphersuite in
> -      the Client Hello.</t>
> +      <t>A client that offers a "Supported Groups" extension
> +      containing an FFDHE group should also include at least one FFDHE
> +      ciphersuite in the Client Hello.</t>
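
Review bot: the lowercase "should also" on the second added line leaves it unclear whether offering an FFDHE ciphersuite is still a normative requirement, since the removed text used the uppercase "SHOULD ALSO". Either keep the uppercase SHOULD, or reword the paragraph as a plain statement of what the client sends, so that the strength of the requirement does not depend on capitalization.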

I apologize for not completing the

It's been a while, so I went back and re-read this little bit,
prompted largely by your choice to move to a lowercase should:

   The compatible client that wants to be able to negotiate strong FFDHE
   SHOULD send a "Supported Groups" extension (identified by type
   elliptic_curves(10) in [RFC4492]) in the ClientHello, and include a
   list of known FFDHE groups in the extension data, ordered from most
   preferred to least preferred.  If the client also supports and wants
   to offer ECDHE key exchange, it MUST use a single "Supported Groups"
   extension to include all supported groups (both ECDHE and FFDHE
   groups).  The ordering SHOULD be based on client preference, but see
   Section 6.1 for more nuance.

   A client that offers any of these values in the elliptic_curves
   extension SHOULD ALSO include at least one FFDHE ciphersuite in the
   Client Hello.

This is a little over-2119-y for me.  How about:

"""
A client that wants to negotiate strong FFDHE sends a ClientHello
containing a cipher suite that uses DHE key exchange and a "Supported
Groups" extension (identified by ...).  The "Supported Groups"
extension contains the FFDHE groups the client will accept.  If the
client also intends to accept ECDHE key exchange, the same "Supported
Groups" extension is used for both FFDHE and ECDHE groups.

Groups are ordered based on client preference, noting the additional
ordering considerations in Section 6.1.
"""