[TLS] Clarifications and questions: TLS1.3 - Static RSA and AEAD

[Michael StJohns <msj@nthpermutation.com>]

I went back and read the minutes of the London meeting about removing 
static RSA and wanted to clarify what that really meant. The minutes had 
EKR mentioning this in conjunction with DH which seems different that 
what I kept hearing at the interim meeting. Could someone confirm 
"removing static RSA" results in removing the use of  RSA as a key 
transport mechanism from 1.3 (e.g. as defined in section 7.4.7.1 of 
TLS1.2 - basically removing this section and prohibiting "rsa" and 
"rsa_psk"  as key exchange algorithms)?

To go further and take this up from specific cryptography - will/should 
TLS 1.3 prohibit *any* Key Transport mechanism and retain only Key 
Agreement mechanisms for key exchange?


Also in the London meeting it was agreed limit ciphertext to AEAD style 
processing - e.g. in the TLSCipherText record to remove "stream" and 
"block" as valid choices.  Does that result in the removal of sections 
6.2.3.1 and 6.2.3.2 or rather their equivalent in TLS1.3?  Does it also 
result in changing the output of the "key expansion" phase as only 
"client_write_key" and "server_write_key"s will be needed for AEAD?

Is there any desire to specify a AEAD general block cipher mode/mac 
construct with an integral key expansion function?  E.g. could something 
like http://www.ietf.org/id/draft-mcgrew-aead-aes-cbc-hmac-sha2-04.txt 
be adapted to be a general model for TLS or is this out of scope for the 
TLS1.3 main document?

Mike