Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt

Tony Arcieri <bascule@gmail.com> Wed, 03 June 2015 20:51 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 857D41B2B48 for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 13:51:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.5
X-Spam-Level:
X-Spam-Status: No, score=0.5 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-0iFqz8bPZI for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 13:51:00 -0700 (PDT)
Received: from mail-ob0-x234.google.com (mail-ob0-x234.google.com [IPv6:2607:f8b0:4003:c01::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1101F1B2B45 for <tls@ietf.org>; Wed, 3 Jun 2015 13:51:00 -0700 (PDT)
Received: by objn8 with SMTP id n8so17944728obj.3 for <tls@ietf.org>; Wed, 03 Jun 2015 13:50:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VG0FfVU6sA6dOL4DdFKKtNJr5Au3tzODNF7R/O1xzd0=; b=ww4Q4XpjC2LnOqJUDhu2nbtf+I7la6V7br/o0GYe8CK5a9MgAz5u3YH5kKjcB/D7vt yRGkCDA12ozbW09dEJQUPt7vHoEUf1jKN01G0OPWCgeOonrL25oW7XHK+xcAwSf45Sju lmYLC4Fwbpq12HtLgice74UpqfL5SF4mb2l4aj9RmIRVhHNdpr6/gy2Hu7YHwjVPZ93m AJQveKZ6JX0Ps3FvZ8+AfmfxJToAOqJ7Uv/FLnvR7UMz5NEHVjnv+lE4enoxJN7h0GTe 6Xv3IIukZPQLoAXxbItAHZKtOnXR6yCBY+oYWlMOuQj5z+KaXdSPPx5jnJMlIKBs5jf5 GzvA==
MIME-Version: 1.0
X-Received: by 10.60.79.193 with SMTP id l1mr21511373oex.60.1433364659503; Wed, 03 Jun 2015 13:50:59 -0700 (PDT)
Received: by 10.76.110.241 with HTTP; Wed, 3 Jun 2015 13:50:59 -0700 (PDT)
In-Reply-To: <201506031613.13571.davemgarrett@gmail.com>
References: <20150601225057.17500.96911.idtracker@ietfa.amsl.com> <201506031323.37163.davemgarrett@gmail.com> <877frk7keg.fsf@alice.fifthhorseman.net> <201506031613.13571.davemgarrett@gmail.com>
Date: Wed, 3 Jun 2015 13:50:59 -0700
Message-ID: <CAHOTMV+PUtkkC3Hy5BRQ+of+13F+2Jp+kSpqhFcm9Av984hLnA@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary=089e011773735d0bcf0517a3379c
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bUd08zJwi0YOHLmIYSf9JTvxnNM>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Geoffrey Keating <geoffk@geoffk.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 20:51:01 -0000

On Wednesday, June 3, 2015, Dave Garrett <davemgarrett@gmail.com> wrote:

> The topic brought up by Tony Arcieri was the apparent plague of old Java
> clients using TLS currently. A replacement set of cipher suites would
> transparently fix this in a simpler way. It adds more suites, yes, but it
> would ensure that this is only ever even _attempted_ to be negotiated
> between clients and servers that both support them properly.


That's "half the battle", IMO, and I think the other half of my argument
was lost in a swarm of "LOL Java, there's your problem" responses. I also
called out the "what about a catastrophic ECC failure?" in advance and yet
that is somehow the main "pedantic" response I've been receiving to my
complaints.

I get it. I get it so much I predicted people would say it in my very first
post to this thread. Then they confirmed my hypothesis. But if we're
switching to ECC for certificates too, what hypothetical attack breaks ECDH
but not ECDSA/EdDSA/etc, and is it really worth convoluting TLS with extra
baggage in preparation of a hypothetical attack? Should everyone continue
to obtain RSA certs i. the event of an ECCpocalypse?  I'm pretty firmly
convinced people aren't really fully thinking through. The pat-on-the-head
"you don't understand we need this if ECC breaks" responses are myopic,
insulting, and an indicator that people aren't actually
reading/comprehending my arguments here (the same goes for "that's just a
Java problem" reaponses)

The main thing I'ge observed as an SSL/TLS practicioner is extra bells and
whistles that aren't commonly used leading to practial attacks, and people
making haphazard changes to defend against these attacks breaking clients
in the process. I care a lot more about the attacks and breakages happening
in the real world *right now* than extremely speculative future attacks for
which we're pre-emptively adding additional baggage/attack surface.

That said, I think everyone is convincing me FFDHE *might* be a good idea.
Particularly persuasive is Ilari's argument that with some tiny changes,
ECDHE and FFDHE can be unified.


-- 
Tony Arcieri