Re: [TLS] A la carte handshake negotiation

Eric Rescorla <ekr@rtfm.com> Sun, 14 June 2015 02:05 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F7591A017C for <tls@ietfa.amsl.com>; Sat, 13 Jun 2015 19:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKTaA0qYEFqo for <tls@ietfa.amsl.com>; Sat, 13 Jun 2015 19:05:28 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 422641A0155 for <tls@ietf.org>; Sat, 13 Jun 2015 19:05:28 -0700 (PDT)
Received: by wibut5 with SMTP id ut5so46506621wib.1 for <tls@ietf.org>; Sat, 13 Jun 2015 19:05:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=SiROt1maVh6l5b+nD/lOiL62uNLLvCtidUwsTtXRol0=; b=X0Jy2vEoRY6hDK6q7eRWi1cic14KHKj4hRLvo1EImHjoCRepI3Pl7DhrfFKLTzi8Us WnGw1oqYyZnbQWrVADXnE9voPm8ArH83Vz30jd0RiqjrzW7Y7bsxH8wgnKO04c4uQueI QuGXcl/KrGvq2JHhuyo8cHSt0P9ac5pZYHaSg8CJOd7VK0R6HIt9CJhb6EBDufppR77x ra4EjKVQyOVcWxQMpigQZquVUwb4K45ulzbtOxx4Ye4I+SEG41xFmGZDurkU47vnDSXn GDvL0U1AjtsxsrE3Y9IAA7Lt8eJvN0QgRzFOOTf9Djvpoz+MCC/FEMf2/viKglIJKIjH 0lvQ==
X-Gm-Message-State: ALoCoQmnpiDDkFNm51V5rof/gB+QHKsc0KJsfGuj+M3Fpdw9ZAx/vK+xMPl1u8ANzGu5ZGfZjvcV
X-Received: by 10.180.75.8 with SMTP id y8mr19531875wiv.31.1434247526917; Sat, 13 Jun 2015 19:05:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.225.14 with HTTP; Sat, 13 Jun 2015 19:04:46 -0700 (PDT)
In-Reply-To: <201506132115.36615.davemgarrett@gmail.com>
References: <201506111558.21577.davemgarrett@gmail.com> <201506132044.48381.davemgarrett@gmail.com> <CABcZeBO2h20DyrnmSOVFyO=sHRD2UEczziCdjRJxXx_yZmTG+w@mail.gmail.com> <201506132115.36615.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 13 Jun 2015 22:04:46 -0400
Message-ID: <CABcZeBMdFj=dpm0hzR3waHyrtPJxL=zfFDpgRzqzMw121ayL8A@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary=f46d043c7b9c5cbd26051870c627
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZjsTGti5Vi99K2lbVUer17Zl86k>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] A la carte handshake negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2015 02:05:30 -0000

On Sat, Jun 13, 2015 at 9:15 PM, Dave Garrett <davemgarrett@gmail.com>;
wrote:

> On Saturday, June 13, 2015 08:54:10 pm Eric Rescorla wrote:
> > On Sat, Jun 13, 2015 at 8:44 PM, Dave Garrett <davemgarrett@gmail.com>;
> > wrote:
> > > PSK suites could be replaced with a PSK SignatureAlgorithm codepoint in
> > > “signature_algorithms” extension. (this was suggested by someone at
> some
> > > point on this list, but I don't remember where that discussion was,
> offhand
> >
> > I don't see how this is going to work. All of the PSK cipher suites use
> the
> > PSK as a source of keying material
>
> A client proposing the PSK SignatureAlgorithm codepoint and a PSK identity
> would be offering to negotiate PSK using that key.
>

But again, PSKs in TLS use it as a source of keying material, not just
authentication. So, using that as a SignatureAlgorithm seems... weird.

-Ekr

Anon would be proposed the same way, just with a null PSK identity. All
> security comes from the FS from (EC)DHE. (just like (EC)DH_anon)
>
> The server could simply state acceptance of negotiation by echoing back
> the same PSK extension.
>
> > > With the above, ECDHE_ECDSA becomes the one-true-prefix.
> >
> > Maybe I'm misunderstanding what you're saying here, but I don't
> understand
> > this point. Certainly I don't see any significant support whatsoever for
> > deprecating RSA signatures, and given that we just standardized FFDHE, I
> don't see much
> > evidence of consensus for deprecating DHE either.
>
> This is all in the context of the proposal discussed in this thread. RSA
> signatures would be negotiated using the "signatures_algorithms" extension.
> DHE would be negotiated via the "named_groups" extension. (pick an FFDH
> group for FFDHE or an ECDH curve for ECDHE) The point is to negotiate any
> of the following via those two extensions and the ECDHE_ECDSA prefix:
> DHE, ECDHE, RSA, DSS/DSA, ECDSA (or EdDSA), PSK (or anon)
>
> This would give us fewer suites with no new extensions beyond those
> already proposed. Just need to use the already proposed extension additions
> and add a codepoint for PSK/anon.
>
>
> Dave
>