Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-00.txt
Nikos Mavrogiannopoulos <nmav@redhat.com> Tue, 16 June 2015 08:46 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 525921A8874 for <tls@ietfa.amsl.com>; Tue, 16 Jun 2015 01:46:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8HFrzCbvIFwc for <tls@ietfa.amsl.com>; Tue, 16 Jun 2015 01:46:26 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB3681A884C for <tls@ietf.org>; Tue, 16 Jun 2015 01:46:25 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 4124D19F215; Tue, 16 Jun 2015 08:46:25 +0000 (UTC)
Received: from dhcp-2-127.brq.redhat.com (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t5G8kMdF013546 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Tue, 16 Jun 2015 04:46:24 -0400
Message-ID: <1434444382.3824.11.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: noloader@gmail.com
Date: Tue, 16 Jun 2015 10:46:22 +0200
In-Reply-To: <CAH8yC8=wUEpqrcCUdoYwTGbsjB25FUvHbj=zvXgo+5f4fmkt3Q@mail.gmail.com>
References: <20150611170317.13732.72719.idtracker@ietfa.amsl.com> <201506122355.45772.davemgarrett@gmail.com> <87r3petrfq.fsf@latte.josefsson.org> <20150614134639.GN2050@mournblade.imrryr.org> <87bnggk7ub.fsf@latte.josefsson.org> <CAH8yC8=wUEpqrcCUdoYwTGbsjB25FUvHbj=zvXgo+5f4fmkt3Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gEy7woRjeFQjiIONiU2tn6jPlOo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2015 08:46:28 -0000
On Mon, 2015-06-15 at 19:46 -0400, Jeffrey Walton wrote: > > > > > > What is the use-case? > > > > > > 0. Authentication other than via certificate-based PKI. > > > Establish > > > anon TLS, and channel-bind the TLS-unique via GSSAPI or some > > > other authentication method. > > > > > > 1. Unauthenticated opportunistic TLS. > > > > > > * Server performs no unnecessary signature operations, > > > since the client can't verify the signature anyway. > > > (More precisely the client can't verify the authenticity > > > of the server keys, so it can only determine that somebody > > > signed the handshake, but no idea whether it is the > > > intended > > > server). > > > > Both those use-cases can be achieved by choosing, say, ECDHE_ECDSA > > and > > not verify the signature, right? > > > That's a violation of the engineering requirements :) If you don't > need server authenticity, then you don't ask for it. If you ask for > it, then you have to validate it. Not really. Validation of certificates is outside the scope of TLS. You may validate using PKIX, trust on first use, or not at all and still do TLS. Said that, I cannot think of many cases where you don't need server authenticity. Even the opportunistic encryption mentioned can use server authenticity, to verify using trust on first use for example. However, if you rely on the anonymous ciphersuites for opportunistic encryption you ensure that trust on first use _cannot_ be done. For the use case (0) mentioned, for authentication with alternative PKI methods, rfc7250 is more appropriate, rather than an anonymous ciphersuite. For channel-binding using anonymous ciphersuites, is that defined somewhere? If that practice is already used and defined by IETF, adding an anonymous ciphersuite may make sense. regards, Nikos
- [TLS] I-D Action: draft-ietf-tls-chacha20-poly130… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Dave Garrett
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Simon Josefsson
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Simon Josefsson
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Jeffrey Walton
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Simon Josefsson
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Simon Josefsson
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-chacha20-pol… Martin Rex