Re: [TLS] Updated TLS 1.2 I-D
Bodo Moeller <bmoeller@acm.org> Mon, 26 June 2006 15:34 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fut6Q-0001ER-Oa; Mon, 26 Jun 2006 11:34:18 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fut6P-0001EB-3h for tls@ietf.org; Mon, 26 Jun 2006 11:34:17 -0400
Received: from moutng.kundenserver.de ([212.227.126.183]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fut6N-0001m2-Mi for tls@ietf.org; Mon, 26 Jun 2006 11:34:17 -0400
Received: from [134.147.40.251] (helo=tau.invalid) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1Fut6K1fAY-0008W6; Mon, 26 Jun 2006 17:34:12 +0200
Received: by tau.invalid (Postfix, from userid 1000) id 90CFC19530; Mon, 26 Jun 2006 17:34:11 +0200 (CEST)
Date: Mon, 26 Jun 2006 17:34:11 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Pasi.Eronen@nokia.com
Subject: Re: [TLS] Updated TLS 1.2 I-D
Message-ID: <20060626153411.GA2821@iota.site>
References: <20060625170241.E4704222425@laser.networkresonance.com> <B356D8F434D20B40A8CEDAEC305A1F2402D636E9@esebe105.NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F2402D636E9@esebe105.NOE.Nokia.com>
User-Agent: Mutt/1.5.9i
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
On Mon, Jun 26, 2006 at 05:20:27PM +0300, Pasi.Eronen@nokia.com wrote: >> My proposal is as follows: >> >> - All PRFs must have the same "API" as the existing TLS >> PRFs. >> - New cipher suites MAY have as part of their specification >> a new PRF. >> - There is no way to separately negotiate a new PRF for >> an existing cipher suite. > I like this approach; it's simple, and I'm not convinced that anything > more complicated is needed. As was already pointed out some time ago, > even the current PRF looks quite secure: if someone really needs a > special PRF due to e.g. regulatory requirements, they'll probably > need a new ciphersuite anyway. > > However, I would take the approach even further towards simplicity: > use the current TLS PRF for all existing ciphersuites (instead of > tying it to the ciphersuite's MAC algorithm). Or in other words: > consider PRF as a property of the ciphersuite's key exchange > algorithm (instead of the TLS protocol version or a property > that can be negotiated independent of key exchange algorithm). If you take into account SSL 3.0, then the PRF already *is* a property of the TLS protocol version, though. And the current TLS PRF, with its input-splitting dual-hash construction, is somewhat bizarre, so a reasonable simple new PRF, based on a wider hash, wouldn't be bad -- providing the advantage that those who want to avoid the current TLS PRF in their favorite ciphersuites won't have to define additional ciphersuites just to get another PRF, as long as they are reasonably happy with the new default if we decide on one. > (The document would then need a couple of new ciphersuites for > the new PRF, but probably not very many combinations; after all, > if someone's worried that the current PRF is insecure, they're > not likely to use RC4 or IDEA. Maybe these new ciphersuites > could be the combined-mode ones.). This wouldn't be too many new ciphersuites if you consider just those that are in the main TLS specification. But then there are other ciphersuites in other RFCs, so we have to expect to see updates of these for the new PRF too if the PRF is not tied to the protocol version. Unless a single RFC does this for the ciphersuites from different existing RFCs (which do not even share a common status), this wouldn't really provide simplicity -- we'd have to expect a multitude of RFCs defining new ciphersuites, possibly most of them using the same PRF, possibly with some hand-tailored PRFs that are slightly optimized for the specific ciphersuites. Even if a single RFC does this for ciphersuites originally coming from different RFCs, the complete ciphersuite table would grow in length and entropy. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Kyle Hamilton
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller
- Re: [TLS] Updated TLS 1.2 I-D Peter Sylvester
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Mohamad Badra
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller
- Re: [TLS] Updated TLS 1.2 I-D Peter Sylvester
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Anyang Ren
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Anyang Ren
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Rob Dugal
- Re: [TLS] Updated TLS 1.2 I-D Gregory Chudov
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller