Re: [TLS] Consensus Call on MTI Algorithms
Dave Garrett <davemgarrett@gmail.com> Fri, 03 April 2015 15:10 UTC
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 03 Apr 2015 11:10:40 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/d9NhgKZbmyVHGdiBTcong7Fl5ng>
On Friday, April 03, 2015 09:55:32 am Watson Ladd wrote:
> On Apr 2, 2015 11:49 AM, "Nico Williams" <nico@cryptonector.com> wrote:
> > On Wed, Apr 01, 2015 at 11:12:19AM -0700, Joseph Salowey wrote:
> > > o Symmetric:
> > > MUST AES-GCM 128
> > > SHOULD ChaCha20-Poly1305
> >
> > I would like at least two modes for AES to be required: one AEAD
> > (probably GCM) and one AEAD-by-generic-construction (e.g., using HMAC).
>
> OCB is a better fit for constrained devices. CCM requires two passes.

So, at this point in the discussion, this is sounding like what might get closer to agreement:

o Symmetric:
MUST AES-OCB 128 (or 256?)
MUST ChaCha20-Poly1305
OPTIONAL AES-GCM 128, but MUST if supporting TLS 1.2

This is essentially 2 MTI for TLS 1.3, with a required amendment to the TLS 1.2 spec to add an AEAD MTI. Without this, when falling back a version there'd be a higher likelihood of having to downgrade to CBC. (current draft has a SHOULD for using AEAD with TLS 1.2, if available)

The question is, however: is the WG willing to specify two new MTI? Not having one that's currently in widespread use might slow adoption. Then again, ChaChaPoly is getting out there from Google's pushing of it. Or, all 3 could just be MUSTs.

Dave