Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 20 May 2015 07:13 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A25E61A6F27 for <tls@ietfa.amsl.com>; Wed, 20 May 2015 00:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J25Tu7cgjTyh for <tls@ietfa.amsl.com>; Wed, 20 May 2015 00:13:22 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F24A11A88A9 for <tls@ietf.org>; Wed, 20 May 2015 00:13:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8D1EEBECF; Wed, 20 May 2015 08:13:01 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9mMuAy6BGPUo; Wed, 20 May 2015 08:13:00 +0100 (IST)
Received: from [192.168.49.129] (unknown [119.145.14.6]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 89EBEBECA; Wed, 20 May 2015 08:12:58 +0100 (IST)
Message-ID: <555C33F6.4020402@cs.tcd.ie>
Date: Wed, 20 May 2015 08:12:54 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>, Martin Thomson <martin.thomson@gmail.com>
References: <FD8B7C3F-C3DD-4367-B84D-26B9907F1B9D@ieca.com> <3FCBCBD5-9295-4A8D-BD27-71377B6B8E7C@gmail.com> <CABkgnnUYZFb5zAVUgQ4LHBBt0cECHoQS4dEofmmH1M5Bn8HZDQ@mail.gmail.com> <567925460.1076064.1432105081320.JavaMail.zimbra@redhat.com>
In-Reply-To: <567925460.1076064.1432105081320.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_4MGBK3e8yXmILqbHPHyCYRVlkA>
Cc: IETF TLS Working Group <tls@ietf.org>
Subject: Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 07:13:24 -0000

Hi,

While I am generally against ciphersuite proliferation I
think its a good idea to register some of these now. I
would note however that you only need the temporary
registrations for things with which people want to work
now - any future proofing can be done as the draft
progresses so the WG do not need to decide all of this
now. And of course, there is always the potential for
non-interoperable changes to happen during the WG
process which is another good reason to not register
more than the absolute minimum of codepoints now.

So please restrict the early registration list to
those that are needed *right now*. Anything that can
wait months, should wait months.

Thanks,
S.


On 20/05/15 07:58, Nikos Mavrogiannopoulos wrote:
> ----- Original Message -----
>> I tend to agree.  Can someone reply with a brief explanation of why
>> each of the following is needed?  Hopefully better than what I was
>> able to devise:
> I don't think one would have to explain each and every usage
> of a ciphersuite. If applications don't need it they won't use it.
>
>> TLS_RSA_WITH_CHACHA20_POLY1305
>> Because we're scared of ephemeral key exchange for some reason ?
> I believe the main argument is that this draft is supposed to provide
> ciphersuites to used by existing protocols and applications which already
> use RSA. Yes, I agree that some of them would need to be updated to provide
> PFS, but this draft doesn't update those apps/protocols. A protocol that
> I know that relies on the RSA ciphersuites is the anyconnect vpn protocol
> (even though its usage doesn't affect PFS).
>
>> TLS_DHE_PSK_WITH_CHACHA20_POLY1305
>> Because ECDHE is nice, but we need a backup, even for little things ?
> That was my intention. To provide DHE as backup to ECDHE, since they
> are not susceptible to the same attacks.  It is now
> especially relevant since we will have fixed groups for DHE.
>
>> TLS_RSA_PSK_WITH_CHACHA20_POLY1305
>> Because little things like doing bignum exponentiation without any PFS
>> payoff, but RSA alone isn't "secure enough" ?
> I don't have much data for this ciphersuite. If someone has a strong argument
> on why it shouldn't be included I wouldn't object.
>
>> The thing that concerns me most is that we aren't saying that PFS is
>> required outside of PSK.  I understand the carve-out we've made for
>> the little things, but I don't understand why we are defining
>> RSA-based suites without PFS.
> I agree. However, note that this draft is not the place to argue for that,
> but rather the protocols that rely on non-PFS ciphersuites.
>
>> Of comparable concern is the RSA_PSK stuff.  I wasn't around for the
>> definition of these originally, but they make basically no sense to
>> me.
> The idea was to provide both certificate auth for the server and PSK
> auth for the client. The implementation was less than ideal.
>
>> Also, I'm not against DHE in general, and I think that it's worth
>> keeping around for a little longer. However.  If we consider DHE_RSA
>> worth doing, then the only logic I can concoct would provide almost
>> equal justification for DHE_ECDSA.
> There is no DHE_ECDSA key exchange defined for TLS. Otherwise there would
> be no reason for these ciphersuites to be there.
>   
> regards,
> Nikos
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls