Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Tue, 19 May 2015 22:28 UTC

Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12AC01B3474 for <tls@ietfa.amsl.com>; Tue, 19 May 2015 15:28:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.56
X-Spam-Level:
X-Spam-Status: No, score=-6.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYK7V4naAtbV for <tls@ietfa.amsl.com>; Tue, 19 May 2015 15:28:00 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F8D81B346D for <tls@ietf.org>; Tue, 19 May 2015 15:28:00 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.13,460,1427752800"; d="scan'208";a="125038269"
Received: from ra178-1-88-163-20-214.fbx.proxad.net (HELO [192.168.0.24]) ([88.163.20.214]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 20 May 2015 00:27:58 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
In-Reply-To: <CABkgnnUYZFb5zAVUgQ4LHBBt0cECHoQS4dEofmmH1M5Bn8HZDQ@mail.gmail.com>
Date: Wed, 20 May 2015 00:27:57 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <69A42A6B-0F36-4F54-BD0D-52F0BFE7AA2F@inria.fr>
References: <FD8B7C3F-C3DD-4367-B84D-26B9907F1B9D@ieca.com> <3FCBCBD5-9295-4A8D-BD27-71377B6B8E7C@gmail.com> <CABkgnnUYZFb5zAVUgQ4LHBBt0cECHoQS4dEofmmH1M5Bn8HZDQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cRD50YQaZXYZaqg4c1NI4-wW2dU>
Cc: ML IETF TLS <tls@ietf.org>
Subject: Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 22:28:03 -0000

> On 20 May 2015, at 00:14, Martin Thomson <martin.thomson@gmail.com>; wrote:
> 
> On 19 May 2015 at 14:51, Yoav Nir <ynir.ietf@gmail.com>; wrote:
>> 2) I question the need for TLS_DHE_ ciphersuites, and I seriously doubt anybody’s going to use those with ChaCha20 “in the wild”. Other than that, I’m all for early assignment as it would allow us to get the algorithms into code-bases and test interoperability quicker.
> 
> I tend to agree.  Can someone reply with a brief explanation of why
> each of the following is needed?  Hopefully better than what I was
> able to devise:
> 
> TLS_RSA_WITH_CHACHA20_POLY1305
> Because we’re scared of ephemeral key exchange for some reason ?

I am not, so you shouldn’t =P

> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
> Because ECDHE is good, and RSA is widespread.

Yes

> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
> Because this is what we actually want.

Yes

> TLS_DHE_RSA_WITH_CHACHA20_POLY1305
> Because we need a backup for EC.

Better safe than sorry.

> TLS_DHE_PSK_WITH_CHACHA20_POLY1305
> Because ECDHE is nice, but we need a backup, even for little things ?

Is this sentence hiding something ? ;)
I am really not sure about this one, why since there is EC…

> TLS_PSK_WITH_CHACHA20_POLY1305
> Because little things don’t like paying for asymmetric crypto.

Fair enough

> TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305
> Because little things need nice things too.

Yes

> TLS_RSA_PSK_WITH_CHACHA20_POLY1305
> Because little things like doing bignum exponentiation without any PFS
> payoff, but RSA alone isn’t "secure enough" ?

Arf ! chop off it’s RSA ! 

> The thing that concerns me most is that we aren't saying that PFS is
> required outside of PSK.  I understand the carve-out we've made for
> the little things, but I don't understand why we are defining
> RSA-based suites without PFS.
> 
> Of comparable concern is the RSA_PSK stuff.  I wasn't around for the
> definition of these originally, but they make basically no sense to
> me.

Agreed

> I get the DHE_PSK thing if you justify it using the same basis as
> DHE_RSA, but it might be that the little things can just take a pass
> on PFS without ECDHE.
> 
> Would it be unreasonable to cut the list to ... ?
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305
> TLS_PSK_WITH_CHACHA20_POLY1305
> TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305

I completely agree with Martin on this list, we probably do not need more ciphersuites than those.

> Also, I'm not against DHE in general, and I think that it's worth
> keeping around for a little longer. However.  If we consider DHE_RSA
> worth doing, then the only logic I can concoct would provide almost
> equal justification for DHE_ECDSA.

I really don’t think DHE_ECDSA will ever by massively used …
It would be like having RSA_ECDSA =s..

Cheers,
B.

> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls