Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 11 February 2021 02:40 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4573A0F47 for <tls@ietfa.amsl.com>; Wed, 10 Feb 2021 18:40:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JB3HNoLj-PZS for <tls@ietfa.amsl.com>; Wed, 10 Feb 2021 18:40:54 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DD803A0E06 for <tls@ietf.org>; Wed, 10 Feb 2021 18:40:53 -0800 (PST)
Received: from [192.168.1.177] (unknown [192.168.1.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 1CC0C1A5D10 for <tls@ietf.org>; Wed, 10 Feb 2021 21:40:52 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <DM5PR2201MB1643298487B0234F0FE7820A998C9@DM5PR2201MB1643.namprd22.prod.outlook.com>
Date: Thu, 11 Feb 2021 00:40:51 -0200
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <D71EB884-51C0-4A10-AAE1-903037D92CA4@dukhovni.org>
References: <378F0459-19FB-4A38-83E0-85024AF42237@ericsson.com> <9926f2a8-bcd8-b478-adfe-c800eb7d745d@cs.tcd.ie> <DM5PR2201MB1643A7717E7E9EA39EE71AA0998D9@DM5PR2201MB1643.namprd22.prod.outlook.com> <57d243b8-ccf3-80e2-eb0a-4692609b4eb6@cs.tcd.ie> <DM5PR2201MB1643298487B0234F0FE7820A998C9@DM5PR2201MB1643.namprd22.prod.outlook.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bSFIfi5BLWF2CUjlRD4etM3tqTo>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 02:40:56 -0000
> On Feb 10, 2021, at 11:57 PM, Jack Visoky <jmvisoky=40ra.rockwell.com@dmarc.ietf.org> wrote: > > I would just like to recognize that there are some situations where it isn't needed. One classic case where Postfix supports TLS 1.[0-2] NULL ciphers is loopback TLS (process to process communication via [127.0.0.1] or a unix-domain socket). Here, one would generally not use TLS at all, but it can be useful for client authentication. The use-case is far from common, and encrypting anyway is typically a viable alternative, but there is a sound case that encryption adds little value, if you can capture the traffic on [127.0.0.1] you can also capture the same content prior to encryption (just trace the sending process reading cleartext data from disk, or the receiving process writing it to disk). I am not saying there is or is not a compelling case for NULL ciphers, but just noting a use-case where encryption does not add much value. Performance-wise, indeed on many a CPU AESGCM is cheaper than SHA2. So turning off encryption is not always a performance win. It rather depends... If client and server conditionally support NULL ciphers in a debugging configuration, one might also be able to debug some TLS-related problems that are otherwise difficult to debug. This too is a rare situation, and comes with a risk of accidental misuse. There is merit in keeping the combinatorial complexity of TLS 1.3 as small as possible, reducing implementation attack surface, ... The key question, that is difficult to answer is whether the right balance is adequately accomplished with "N" in the recommended column, with most implementations then either not supporting said ciphersuites at all, or disabling them by default. If so, perhaps some specialised implementations could use them appropriately. On the other hand the "specialised" applications might get used outside their originally intended use-cases, in ways the designers never anticipated. Do we leave the choice to use TLS wisely to the developers and users, or we judge that misuse is inevitable, and the use-case not sufficiently compelling? I am somewhat inclined to do the latter. Despite the fact that'd I'd otherwise be inclined to argue for anonDH ciphers, which have reasonable applications in unauthenticated opportunistic TLS, where any presented certificates are just ignored bloat that increase the attack surface. I would have liked to see support for these retained in TLS 1.3, but accept their omission as a legitimate tradeoff. If NULL ciphers are added (which IMHO are the greater risk), then perhaps I'd have a good case to make to have anonDH/anonECDH ciphers re-introduced... -- Viktor.
- [TLS] TLS 1.3 Authentication and Integrity only C… Ben Smyth
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ben Schwartz
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Peter Gutmann
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ben Schwartz
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Salz, Rich
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Rob Sayre
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Salz, Rich
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Viktor Dukhovni
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Benjamin Kaduk
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Bill Frantz
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ira McDonald
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson