Re: [TLS] Ala Carte Cipher suites - was: DSA should die

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Sat, Apr 04, 2015 at 06:52:50AM +0200, Aaron Zauner wrote:

> I actually really like the idea. But there're a couple of open questions
> to that;
> What happens to existing ciphersuites?

Those that are strong enough to survive into TLS 1.3 are subsumed
by the new ala-carte choices.

> And given we switch to a
> model of asymmetric and symmetric ciphersuites: (how) do we document all
> the implicit ciphersuites that are defined once a new symmetric or
> asymmetric algorithm is defined?

There's no need to document the "cross-product", just document the
inputs.  Making it a cross-product fills in gaps, for example,
there are at present no AECDH (key agreement) plus AEAD (symmetric
bulk crypto) ciphersuites.

Note that digests play a role in both the handshake and in the bulk
crypto MAC.  

For the handshake, there's the digest used in certificates (which
seems odd to negotiate as it is I think rare for either end to have
multiple variands of a given certificate chain with different
digests).  There's also the digest used for key derivation.

If the leading proposal is to go with 2 axes for the cross-product,
then I would fix the key-agreement PRF in each handshake type, and
use the supported digests extension as a "hint" to the peer to aid
in certificate selection.  I say "hint", because the peer will do
its best to send a suitable chain, when it has more than one, but
typically such "hints" are not particularly effective, and the peer
may as well use whatever it has.

For example, with DANE-EE(3) the signature of the peer certificate
is never checked and is irrelevant.

-- 
	Viktor.