Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Wed, 01 March 2017 13:18 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E15CB1295D9 for <tls@ietfa.amsl.com>; Wed, 1 Mar 2017 05:18:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzPLRB36lc06 for <tls@ietfa.amsl.com>; Wed, 1 Mar 2017 05:18:56 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0109.outbound.protection.outlook.com [23.103.200.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE8F7129541 for <tls@ietf.org>; Wed, 1 Mar 2017 05:18:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=KGV9SLW6OObsRsNCkK0ACHi3o5nFnrbiAvaVNZSoLMk=; b=iIERUT6FyaSpT9eX84U8CqpRFeTrtOQK+3JlaT4e83uEnXUzkxos6Ng2xMC3w86/DdNbn9drULC14/YQqW8ScPKbBInQWe4G80X1gBLKrsgCfBtGQgBrXOeGwCQpP8t9Gq5T0hvEFZ7jo8rckCSS/eqDblwZVEFlVq/w0c/CVQE=
Received: from CY4PR09MB1464.namprd09.prod.outlook.com (10.173.191.22) by CY4PR09MB1461.namprd09.prod.outlook.com (10.173.191.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.933.12; Wed, 1 Mar 2017 13:18:55 +0000
Received: from CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) by CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) with mapi id 15.01.0933.016; Wed, 1 Mar 2017 13:18:55 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Aaron Zauner <azet@azet.org>
Thread-Topic: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).
Thread-Index: AQHSj3N1z8IXvDyfJEuMUkRo/k0w1KF/+8GA//+uQQA=
Date: Wed, 01 Mar 2017 13:18:54 +0000
Message-ID: <D4DC341D.311E1%qdang@nist.gov>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CY4PR09MB1464243342F19FCBE48C37E7F3550@CY4PR09MB1464.namprd09.prod.outlook.com> <26137F3B-5655-44CA-877E-7168CE02DBF1@azet.org>
In-Reply-To: <26137F3B-5655-44CA-877E-7168CE02DBF1@azet.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
authentication-results: azet.org; dkim=none (message not signed) header.d=none;azet.org; dmarc=none action=none header.from=nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-ms-office365-filtering-correlation-id: a679fd2b-c3d1-401e-2f66-08d460a58306
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR09MB1461;
x-microsoft-exchange-diagnostics: 1; CY4PR09MB1461; 7:X4o1ZDyGmSxfgOObWJ/OQDihiQIroHoBXJJHj2mR9nfcen+VZgZ9uRO660He8vvn57ZZ6W1/V0sNMOeqBELIRjUbDrO5foxcNO/CMRa6pmgzscaux5CRHSbYUT4PbHCA+iQek4AuApaB8BiTImucvf46YU0jNLRsuLIgxwXQm541K9HOxdwNh+l4MnBkQ5pfKqENhscpvv7KfzoocKRRxFNOCGEy0R4WK0fYW+wvG/ZRDdnvrBwsNuBFKjtAjKKSg6/K6UDjwKlDPIeeM6uRjIYcm4w0tO6KrElazJafp0jWs3DOmbgP+f6Wkes1DD7yJOQQoMO9YbqJemA73AY1Pg==
x-microsoft-antispam-prvs: <CY4PR09MB1461325CC8C69853E24E33EFF3290@CY4PR09MB1461.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(20161123558025)(6072148); SRVR:CY4PR09MB1461; BCL:0; PCL:0; RULEID:; SRVR:CY4PR09MB1461;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39850400002)(39410400002)(39840400002)(39860400002)(39450400003)(24454002)(377454003)(7736002)(6246003)(86362001)(54356999)(76176999)(6486002)(50986999)(53936002)(2950100002)(6916009)(4326008)(5660300001)(189998001)(38730400002)(106116001)(53546006)(110136004)(3660700001)(102836003)(77096006)(83506001)(2906002)(66066001)(2900100001)(6436002)(6506006)(122556002)(229853002)(8676002)(36756003)(8936002)(92566002)(3846002)(236005)(99286003)(6116002)(6512007)(54896002)(54906002)(81166006)(25786008)(3280700002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR09MB1461; H:CY4PR09MB1464.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_D4DC341D311E1qdangnistgov_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2017 13:18:54.8422 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR09MB1461
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dN3lmaoJA3Md105NiJWoS4gSB9I>
Cc: IRTF CFRG <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 13:18:59 -0000


From: Aaron Zauner <azet@azet.org<mailto:azet@azet.org>>
Date: Wednesday, March 1, 2017 at 8:11 AM
To: 'Quynh' <Quynh.Dang@nist.gov<mailto:Quynh.Dang@nist.gov>>
Cc: Sean Turner <sean@sn3rd.com<mailto:sean@sn3rd.com>>, "<tls@ietf.org<mailto:tls@ietf.org>>" <tls@ietf.org<mailto:tls@ietf.org>>, IRTF CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: Re: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).


On 25 Feb 2017, at 14:28, Dang, Quynh (Fed) <quynh.dang@nist.gov<mailto:quynh.dang@nist.gov>> wrote:
Hi Sean, Joe, Eric and all,
I would like to address my thoughts/suggestions on 2 issues in option a.
1) The data limit should be addressed in term of blocks, not records. When the record size is not the full size, some user might not know what to do. When the record size is 1 block, the limit of 2^24.5 blocks (records) is way too low unnecessarily for the margin of 2^-60.  In that case, 2^34.5 1-block records is the limit which still achieves the margin of 2^-60.

I respectfully disagree. TLS deals in records not in blocks, so in the end any semantic change here will just confuse implementors, which isn't a good idea in my opinion.

Over the discussion of the PRs, the preference was blocks.

Quynh.



Aaron