Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 01 June 2015 12:53 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E3801AC529 for <tls@ietfa.amsl.com>; Mon, 1 Jun 2015 05:53:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jdgzWdDhxV2E for <tls@ietfa.amsl.com>; Mon, 1 Jun 2015 05:53:05 -0700 (PDT)
Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C286F1ACD35 for <tls@ietf.org>; Mon, 1 Jun 2015 05:53:04 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id 4C617900DD; Mon, 1 Jun 2015 15:53:02 +0300 (EEST)
Date: Mon, 1 Jun 2015 15:53:02 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Aaron Zauner <azet@azet.org>
Message-ID: <20150601125302.GA19269@LK-Perkele-VII>
References: <556C4ACD.9040002@azet.org> <CABcZeBNsYmto4F-J0mFoxcq-qfL=NJrvDu67fyY9bpBmRp16mQ@mail.gmail.com> <556C51FC.807@azet.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <556C51FC.807@azet.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bQl75pLYbisOg0ub9EsRL7uPjf4>
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 12:53:07 -0000

On Mon, Jun 01, 2015 at 02:37:16PM +0200, Aaron Zauner wrote:
> Hi Ekr,
> 
> Eric Rescorla wrote:
> > On Mon, Jun 1, 2015 at 5:06 AM, Aaron Zauner <azet@azet.org
> > <mailto:azet@azet.org>> wrote:
> > 
> >      * I'd also like to get rid of ECDSA ciphersuites alltogether, ideally
> >        leaving a few real-world, high-performance ciphersuites to use
> > 
> > 
> > I don't understand this point: ECDSA cipher suites are the ones with the
> > best performance at present.
> > 
> 
> Firstly, as far as I know it's also quite difficult to get ECDSA
> certificates in the wild. Has this changed significantly over the past
> couple of months? Second - there's a current draft on EdDSA, which I'd
> prefer over ECDSA, if somehow possible. I'm more about minimizing the
> list of cipher-suites this draft introduces than to point out that I
> dislike a particular signature schemes.

Well, in TLS 1.2 (and editor's copy 1.3), one could maybe get away with
just specifiying (EC)DHE_CERT ciphersuites, leaving certificate
negotiation to extension.

I think the current plan with EdDSA and related certficates are to reuse
ECDSA codepoints, relying on extension (defined by RFC5246) to negotiate.


With DH and ECDH codepoints, merging those is not possible in TLS 1.2.
This is because DH would need parameters which don't exist for ECDH,
and ECDH length field is insufficient for DH.

Such merger could be possible for TLS 1.3, since DH has sufficient
length field and does not require parameters not present for ECDH.



-Ilari