Re: [TLS] A la carte handshake negotiation

Dave Garrett <davemgarrett@gmail.com> Fri, 12 June 2015 15:14 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24B801A0074 for <tls@ietfa.amsl.com>; Fri, 12 Jun 2015 08:14:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lR4zIG0l0Lfw for <tls@ietfa.amsl.com>; Fri, 12 Jun 2015 08:14:49 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96DBF1A0046 for <tls@ietf.org>; Fri, 12 Jun 2015 08:14:49 -0700 (PDT)
Received: by qkhq76 with SMTP id q76so18614455qkh.2 for <tls@ietf.org>; Fri, 12 Jun 2015 08:14:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=9o2vJvb6b52vFZ1QG9MTPPY8dyhtI5uKkxE0eTjX9Mk=; b=HjIRJrTT1SG3x+3PV7waet5cvKXj3pZyoqDvk/jR1rElXEhPxUmpha6xBQ0Ibkj0iz YNmllay1eOfCCGkL2TTGd9A2wIGQ1WdspeJy4FjGMp/ECOMSOlyA30nROMPKCnPxlj6f 4QqwBgPYAHz3Ur8KW834xZQulOSlfyfvBNI5iKHo02bD4wPMtfIBxVDpr0iUXsQsqem5 HSKlv3QxXWJ5se3e9vYRsSqg/qn23z/WcjCFQRSW5++0mK2iRINfTe9B9vn/UdGMipA+ qOlBsf4+Lxrwdi6U+5Pq1O0nSDs9HM/xeuIlxO9EIU7XTeJ76eDav0kguMBaKlgIxfjd 4klA==
X-Received: by 10.55.22.167 with SMTP id 39mr2723510qkw.42.1434122088926; Fri, 12 Jun 2015 08:14:48 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id f137sm1768880qhc.41.2015.06.12.08.14.48 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 12 Jun 2015 08:14:48 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 12 Jun 2015 11:14:47 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201506111558.21577.davemgarrett@gmail.com> <20150612145820.GR2050@mournblade.imrryr.org>
In-Reply-To: <20150612145820.GR2050@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201506121114.47527.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/h0-ACnMNUERg_bmaC3nsrJ-AYuw>
Subject: Re: [TLS] A la carte handshake negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2015 15:14:51 -0000

On Friday, June 12, 2015 10:58:20 am Viktor Dukhovni wrote:
> On Thu, Jun 11, 2015 at 03:58:21PM -0400, Dave Garrett wrote:
> > * TLS 1.3 would only negotiate suites prefixed with ECDHE_ECDSA or ECDHE_PSK.
> 
> Where are anonymous (ADH and AECDH) suites?

Still in the spec. I currently have usage of ECDHE_ECDSA or ECDHE_PSK as a "SHOULD", with "MUST NOT" for the explicitly deprecated bits. Anon is effectively a "SHOULD NOT". I don't think we can have an absolute mandate for only certain prefixes with a "MUST", as that would exclude new ones in the future. (e.g. a post-quantum key exchange will likely want to be negotiated with a separate cipher suite)

> > * TLS 1.3 implementations negotiate ECDHE/DHE & RSA/DSS/ECDSA solely via
> > the "supported_groups" & "signature_algorithms" extensions.
> 
> Why include DSS?  It seems rather obsolete, and little used, at this
> time.

It's in there because there's no reason to explicitly cut it out completely. This proposal gets rid of all of the DSS cipher suites, however the extension already has DSS/DSA in there. This shifts signature negotiation to the extension; it doesn't actually change the extension. (though, it's possible a change of some kind will be needed) Removing support entirely is outside of the scope of this proposed change. I'm not against restricting/prohibiting its use, if that's the consensus.


Dave