Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 01 June 2015 12:53 UTC

Date: Mon, 01 Jun 2015 15:53:02 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Aaron Zauner <azet@azet.org>
Message-ID: <20150601125302.GA19269@LK-Perkele-VII>
References: <556C4ACD.9040002@azet.org> <CABcZeBNsYmto4F-J0mFoxcq-qfL=NJrvDu67fyY9bpBmRp16mQ@mail.gmail.com> <556C51FC.807@azet.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <556C51FC.807@azet.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bQl75pLYbisOg0ub9EsRL7uPjf4>
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

On Mon, Jun 01, 2015 at 02:37:16PM +0200, Aaron Zauner wrote:
> Hi Ekr,
> 
> Eric Rescorla wrote:
> > On Mon, Jun 1, 2015 at 5:06 AM, Aaron Zauner <azet@azet.org
> > <mailto:azet@azet.org>> wrote:
> > 
> >      * I'd also like to get rid of ECDSA ciphersuites altogether, ideally
> >        leaving a few real-world, high-performance ciphersuites to use
> > 
> > 
> > I don't understand this point: ECDSA cipher suites are the ones with the
> > best performance at present.
> > 
> 
> Firstly, as far as I know it's also quite difficult to get ECDSA
> certificates in the wild. Has this changed significantly over the past
> couple of months? Second - there's a current draft on EdDSA, which I'd
> prefer over ECDSA, if somehow possible. I'm more about minimizing the
> list of cipher-suites this draft introduces than to point out that I
> dislike a particular signature scheme.

Well, in TLS 1.2 (and editor's copy 1.3), one could maybe get away with
just specifying (EC)DHE_CERT ciphersuites, leaving certificate
negotiation to an extension.

I think the current plan with EdDSA and related certificates is to reuse
ECDSA codepoints, relying on an extension (defined by RFC5246) to negotiate.


With DH and ECDH codepoints, merging those is not possible in TLS 1.2.
This is because DH would need parameters which don't exist for ECDH,
and the ECDH length field is insufficient for DH.

Such a merger could be possible for TLS 1.3, since DH has a sufficient
length field and does not require parameters not present for ECDH.



-Ilari
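The wire-format point made in the message above (DH carries explicit p and g that ECDH has no field for, and the ECDH point length byte is too small for a 2048-bit DH value, whereas a single TLS 1.3 key-share structure fits both) can be checked directly by encoding each layout. The following is an added example written for this archive page, not code from the draft, its author or the thread participants. It assumes the struct layouts of RFC 5246 (ServerDHParams), RFC 4492 (ServerECDHParams) and the finished TLS 1.3 in RFC 8446 (KeyShareEntry, which postdates this 2015 message), and the NamedGroup values 0x0100 (ffdhe2048, RFC 7919) and 0x0017 (secp256r1). All key material is constructed filler bytes of realistic length, not real keys.

```python
"""Why TLS 1.2 DH and ECDH key exchange cannot share one codepoint, while a
TLS 1.3 KeyShareEntry can carry either: the field layouts differ.

Added illustration for this thread, not code from the draft or its authors.
Layouts follow RFC 5246 (ServerDHParams), RFC 4492 (ServerECDHParams) and
RFC 8446 (KeyShareEntry). All key material below is constructed filler."""
import struct

FFDHE2048 = 0x0100  # NamedGroup for the 2048-bit FFDH group (RFC 7919)
SECP256R1 = 0x0017  # NamedCurve / NamedGroup for P-256


def _vec(data, len_bytes, field):
    """Encode a TLS variable-length vector opaque<1..2^(8*len_bytes)-1>."""
    limit = (1 << (8 * len_bytes)) - 1
    if not 1 <= len(data) <= limit:
        raise ValueError(f"{field}: length {len(data)} not in 1..{limit}")
    return len(data).to_bytes(len_bytes, "big") + bytes(data)


def encode_server_dh_params(p, g, ys):
    """RFC 5246 ServerDHParams: dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>.
    The group parameters p and g travel on the wire with the public value."""
    return _vec(p, 2, "dh_p") + _vec(g, 2, "dh_g") + _vec(ys, 2, "dh_Ys")


def encode_server_ecdh_params(named_curve, point):
    """RFC 4492 ServerECDHParams: curve_type = named_curve (3), a 2-byte
    NamedCurve, then ECPoint.point as opaque<1..2^8-1>. There is no field
    for explicit group parameters, and the point length byte caps at 255."""
    return bytes([3]) + struct.pack(">H", named_curve) + _vec(point, 1, "ECPoint.point")


def encode_key_share_entry(group, key_exchange):
    """RFC 8446 KeyShareEntry: 2-byte NamedGroup + key_exchange opaque<1..2^16-1>.
    The group id stands in for the parameters, so p and g are never sent, and
    the 2-byte length admits a 2048-bit (or larger) DH public value."""
    return struct.pack(">H", group) + _vec(key_exchange, 2, "key_exchange")


def decode_key_share_entry(buf):
    """Inverse of encode_key_share_entry; rejects truncated or trailing bytes."""
    if len(buf) < 4:
        raise ValueError("KeyShareEntry truncated")
    group, n = struct.unpack(">HH", buf[:4])
    if n == 0 or len(buf) != 4 + n:
        raise ValueError("key_exchange length does not match buffer")
    return group, buf[4:]


def fit_report():
    """Encode the same constructed key material in each layout and report
    which layouts can carry it."""
    dh_p = b"\xff" * 256               # stand-in for a 2048-bit modulus
    dh_g = b"\x02"
    dh_ys = b"\x42" * 256              # stand-in for a 2048-bit DH public value
    ec_point = b"\x04" + b"\x11" * 64  # stand-in for an uncompressed P-256 point
    report = {
        "tls12_dh_len": len(encode_server_dh_params(dh_p, dh_g, dh_ys)),
        "tls12_ecdh_len": len(encode_server_ecdh_params(SECP256R1, ec_point)),
        "tls13_dh_len": len(encode_key_share_entry(FFDHE2048, dh_ys)),
        "tls13_ecdh_len": len(encode_key_share_entry(SECP256R1, ec_point)),
    }
    # The TLS 1.2 ECDH layout cannot carry a 2048-bit DH value at all:
    # the 1-byte length field rejects it before p and g even come up.
    try:
        encode_server_ecdh_params(FFDHE2048, dh_ys)
        report["dh_in_tls12_ecdh_layout"] = "fits"
    except ValueError as exc:
        report["dh_in_tls12_ecdh_layout"] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    for key, value in fit_report().items():
        print(f"{key}: {value}")
```

Running it shows the TLS 1.2 ServerDHParams encoding at 519 bytes (p, g and Ys each with a 2-byte length), the ServerECDHParams encoding at 69 bytes with a 1-byte point length, the DH value rejected outright by the ECDH layout, and the TLS 1.3 KeyShareEntry carrying the 256-byte DH value (260 bytes total) and the P-256 point (69 bytes) through the same two fields.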