IETF Logo Mail Archive

Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites

Sean Turner <sean@sn3rd.com> Wed, 30 March 2016 18:03 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A09C512D826 for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 11:03:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cVkf6vjCAbhS for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 11:03:43 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1E7112D844 for <tls@ietf.org>; Wed, 30 Mar 2016 11:03:42 -0700 (PDT)
Received: by mail-qk0-x22e.google.com with SMTP id i4so22977252qkc.3 for <tls@ietf.org>; Wed, 30 Mar 2016 11:03:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=M4AIvapvuGeaX1oG2M5g97Gkvav0tdIvC1AaLP9pEzk=; b=eEFN21BWGdgnKvhVR54KjMaQdLYR9wy3XXwn8FzSBTqcDQQnnqkW2Ib9ph93k4t8l4 liVYb8jE1hI9Oz29+4tpJqmF1s/Ex/eQ8eEDBCYe/PryADZUVoWjeH+ux9mA2giyytqq yW/+xF7UobfUZykccHSfHZOhERL6R9TQxKXU4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=M4AIvapvuGeaX1oG2M5g97Gkvav0tdIvC1AaLP9pEzk=; b=QRRKr7GCvIaq9tPmPmKAACd7rZE0NMAyqzNGyjYVrKe8evqzi0yShUpiKIOV8AiBxk 004IliGNW2MWDb6qUaaGAnNbDo8Ztu+gYtQ3UbZiaLr8UEAZBcsk8wSfBcJR51zVswwL UoqK0wpYEfyEZTaRKk5WPd+zdmt6YdrvmcsuPDzA1Iy0omrf1wqrvOAYpwEI3pDcow3k y7e79tmFpvIZ5LFj0FyQnEx+kLvVNuEsZ07jzURN8maxHAPD/lNTNslHVg0EbI5d/tYv LvxPowj+ROe9ygGinVLKayCGxXYbPCciFB2QrgWRSkpB4V/pUrit7i2ayb7PMBvxlSuh wx2g==
X-Gm-Message-State: AD7BkJKHuCbtURW2W4BykwUdgLqO57QaCxxWlBrsFPkRBmiZChhlofuu4zZCVo5kEQwkXg==
X-Received: by 10.55.41.16 with SMTP id p16mr11507811qkh.86.1459361021918; Wed, 30 Mar 2016 11:03:41 -0700 (PDT)
Received: from [172.16.0.112] ([96.231.217.211]) by smtp.gmail.com with ESMTPSA id b69sm2310281qka.2.2016.03.30.11.03.40 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 30 Mar 2016 11:03:41 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <3F32A6CE-DE7F-4230-8077-AE2CC1161235@gmail.com>
Date: Wed, 30 Mar 2016 14:03:39 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F9E7A34E-DFA0-4830-AE03-6F4CE48480BA@sn3rd.com>
References: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com> <3F32A6CE-DE7F-4230-8077-AE2CC1161235@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/X6NG9i0li9Kodxbf-R7PnrOeDbk>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2016 18:03:45 -0000

I apologize in advance; this is about process so it’s long.

On Mar 30, 2016, at 01:29, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> Hi Sean
> 
> I also strongly support this.  I’m just wondering how we plan to enforce the "stable, publicly available, peer reviewed reference” part. As your examples below show, the reference tends to be an I-D. That’s stable and publicly available, but we have no idea if it’s peer reviewed or who the author’s peers are.

Note that I think both the cipher suite assignment specification and the algorithm specification need to be "stable, publicly available, peer reviewed reference.” Normally, the former informatively refers to the latter. [0]  The algorithm specification is not always an RFC, but the cipher suite assignment specifications have been; this plan changes that under certain circumstances (see below).

As far as stable and publicly available are concerned, these are part of the process now, as specified in [1] (and if the update ever gets done in [2]):

  Values and their meanings must be
  documented in a permanent and readily available public
  specification, in sufficient detail so that interoperability
  between independent implementations is possible.  When used,
  Specification Required also implies use of a Designated
  Expert, who will review the public specification and
  evaluate whether it is sufficiently clear to allow
  interoperable implementations.  The intention behind
  "permanent and readily available" is that a document can
  reasonably be expected to be findable and retrievable long
  after IANA assignment of the requested value.  Publication
  of an RFC is an ideal means of achieving this requirement,
  but Specification Required is intended to also cover the
  case of a document published outside of the RFC path.

This definition gives power/discretion to the designated expert (it’s ekr btw).  We can:

a) defer to the expert's judgement (some of what they are to do is in [1][2]), or
b) write some rules for the IANA considerations section that they’ll follow.

I think that a) has worked in the past and would continue to work in the future, but b) couldn’t hurt. If we go for a) then if the expert is ever unsure, they can just ask the AD/WG chair/community for guidance [3][4].  Beware that the text for b) will be like a bright light for process moths [5].

As far as peer review, this is where the silent “c” in team comes to play (c is for community).  If the expert is not sure, then they'd ask the AD/WG chair/community for guidance.  We could also use b) to provide some rules, which could include references to BCP 61 [6] (and for MTI algs [7]).

> One other thing, in some of the links you pasted below you give a specific draft version (like https://www.ietf.org/archive/id/draft-zauner-tls-aes-ocb-03.txt) while for the others you give the generic version (like https://datatracker.ietf.org/doc/draft-ietf-tls-pwd/). The former is stable but the latter is not. Are the authors free to keep modifying the specification after getting the code point?

Sorry I wasn’t clear.  The references I listed were not supposed to imply stability they were just the list of cipher suites Joe and I have received requests from over the past year.   I don’t think that authors are free to keep modifying their specification after getting a code point, because of the Specification Required definition [8].


Some other things we should be clear on:

1. All of the drafts referenced and the future drafts requesting code points do *not* need to come through the WG.  But, I do think drafts that want a “Y” need to come through, and we shouldn’t kid ourselves most folks will want the “Y”.  How does this sound (here I assume the algorithms are already published elsewhere i.e., this is just for the assignments):

a) For MTI and “Y” requests,
a.1) requester’s publish individual draft,
a.2) requester’s ask for wg adoption,
a.3) wg chairs do adoption call,
a.4) wg does its thing on wg draft,
a.5) ietf does its thing, and
a.6) iana (assigns #s) & rfc editor (publishes) do their things.

b) For all others: 
b.1) request is submitted to IANA, WG, WG chair, AD,
b.2) request is redirected to designated expert,
b.3) designated experts reviews request:
-- if good-to-go designated expert tells IANA to assign code point (goto b.4)
-- if not-good-to-go for an obvious reasons the designated expert rejects the request with some rationale (and probably lets the sec ADs know about it)
-- if not-good-to-go for all other reasons the designated expert asks (expert's choice depending on the situation) AD/WG chairs/community for guidance
b.4) iana makes assignment and includes the cipher suite assignment specification reference in the registry (and possibly the rfc editor does their thing if an RFC is being published)

Early assignment rules can still apply to a) and b).

2. As far as draft-ietf-tls-pwd, we need to decide whether it should continue as a WG draft or free Dan to pursue other publication avenues.

3. We should avoid a long list of “updates” to TLS1.3 RFC#-to-be when new cipher suites get added.  Drafts should only include an “updates” header if we’re modifying the MTIs or we’re adding a new “Y” cipher suite because we only expect all implementations to support these cases.

4. WRT language -  I’m assuming we’d continue to have English versions of the algorithm specification.

spt

[0] One reason is that the CFRG doesn’t publish standards track RFC so the references to algorithm specifications that come through the CFRG need to be informative.

[1] https://datatracker.ietf.org/doc/rfc5226/

[2] https://datatracker.ietf.org/doc/draft-leiba-cotton-iana-5226bis/

[3] No worries - there is of course process to replace rouge experts, for experts to appeal said decision [3a], etc.

[3a] Section 6.5.1 of https://datatracker.ietf.org/doc/rfc2026/

[4] If history is any guide, I doubt the TLS mailing list is going to go away even if the WG closes (e.g., mailing lists for stalwarts like PKIX, SMIME, SSH are still around).

[5] Note that I very much want to avoid the following very deep and very dark rat hole: establishing an IANA registry of approved reference organizations/sites/etc. that the expert can refer to for a “free pass” org/sites/etc. {rant: [~5~]}

[~5~] { rant: If we do go down this rat hole, I’ve got some specific organizations in mind that we should ban from ever being included in this list until they publicly state that they’ll allow normative references to IETF RFCs in their documents/standards/etc. And, now that I think about it maybe we’d include some country’s too. (I warned you it was a rant) }

[6] https://datatracker.ietf.org/doc/rfc3365/

[7] https://datatracker.ietf.org/doc/draft-rsalz-drbg-speck-wap-wep/

[8] I’m sure this rule has been broken at some point in the past, but it’s not one I’m advocating that we break it on a regular basis.

> Yoav
> 
>> On 30 Mar 2016, at 4:53 AM, Sean Turner <sean@sn3rd.com> wrote:
>> 
>> Hi!
>> 
>> In Yokohama, we discussed changing the IANA registry assignment rules for cipher suites to allow anyone with a stable, publicly available, peer reviewed reference document to request and get a code point and to add an “IETF Recommended” column to the registry.  This change is motivated by the large # of requests received for code points [0], the need to alter the incorrect perception that getting a code point somehow legitimizes the suite/algorithm, and to help implementers out.  We need to determine whether we have consensus on this plan, which follows:
>> 
>> 1. The IANA registry rules for the TLS cipher suite registry [1] will be changed to specification required.
>> 
>> 2. A new “IETF Recommended” column will be added with two values: “Y” or “N”.  Y and N have the following meaning:
>> 
>> Cipher suites marked with a “Y” the IETF has consensus on
>> and are reasonably expected to be supported by widely
>> used implementations such as open-source libraries.  The
>> IETF takes no position on the cipher suites marked with an
>> “N”.  Not IETF recommended does not necessarily (but can)
>> mean that the ciphers are not cryptographically sound (i.e.,
>> are bad).  Cipher suites can be recategorized from N to Y
>> (e.g., Curve448) and vice versa.
>> 
>> 3. We will add a “Note" to the IANA registry itself (i.e., on [0]) that matches the above so that the same information is available to those who don’t read the IANA considerations section of the RFC.
>> 
>> Please indicate whether or not you could support this plan.
>> 
>> Thanks,
>> 
>> J&S
>> 
>> [0] In the last year, the chairs have received requests for:
>> 
>> PSK: https://datatracker.ietf.org/doc/draft-mattsson-tls-ecdhe-psk-aead/
>> AES-OCB: https://www.ietf.org/archive/id/draft-zauner-tls-aes-ocb-03.txt
>> Kcipher2: https://datatracker.ietf.org/doc/draft-kiyomoto-kcipher2-tls/
>> dragonfly: https://datatracker.ietf.org/doc/draft-ietf-tls-pwd/
>> NTRU:  http://www.ietf.org/id/draft-whyte-qsh-tls12-01.txt
>> JPAKE: not sure they got around to publishing a draft.
>> 
>> [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email