Re: [TLS] A la carte handshake negotiation

Dave Garrett <> Fri, 12 June 2015 15:14 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 24B801A0074 for <>; Fri, 12 Jun 2015 08:14:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lR4zIG0l0Lfw for <>; Fri, 12 Jun 2015 08:14:49 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 96DBF1A0046 for <>; Fri, 12 Jun 2015 08:14:49 -0700 (PDT)
Received: by qkhq76 with SMTP id q76so18614455qkh.2 for <>; Fri, 12 Jun 2015 08:14:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=9o2vJvb6b52vFZ1QG9MTPPY8dyhtI5uKkxE0eTjX9Mk=; b=HjIRJrTT1SG3x+3PV7waet5cvKXj3pZyoqDvk/jR1rElXEhPxUmpha6xBQ0Ibkj0iz YNmllay1eOfCCGkL2TTGd9A2wIGQ1WdspeJy4FjGMp/ECOMSOlyA30nROMPKCnPxlj6f 4QqwBgPYAHz3Ur8KW834xZQulOSlfyfvBNI5iKHo02bD4wPMtfIBxVDpr0iUXsQsqem5 HSKlv3QxXWJ5se3e9vYRsSqg/qn23z/WcjCFQRSW5++0mK2iRINfTe9B9vn/UdGMipA+ qOlBsf4+Lxrwdi6U+5Pq1O0nSDs9HM/xeuIlxO9EIU7XTeJ76eDav0kguMBaKlgIxfjd 4klA==
X-Received: by with SMTP id 39mr2723510qkw.42.1434122088926; Fri, 12 Jun 2015 08:14:48 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id f137sm1768880qhc.41.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 12 Jun 2015 08:14:48 -0700 (PDT)
From: Dave Garrett <>
Date: Fri, 12 Jun 2015 11:14:47 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [TLS] A la carte handshake negotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Jun 2015 15:14:51 -0000

On Friday, June 12, 2015 10:58:20 am Viktor Dukhovni wrote:
> On Thu, Jun 11, 2015 at 03:58:21PM -0400, Dave Garrett wrote:
> > * TLS 1.3 would only negotiate suites prefixed with ECDHE_ECDSA or ECDHE_PSK.
> Where are anonymous (ADH and AECDH) suites?

Still in the spec. I currently have usage of ECDHE_ECDSA or ECDHE_PSK as a "SHOULD", with "MUST NOT" for the explicitly deprecated bits. Anon is effectively a "SHOULD NOT". I don't think we can have an absolute mandate for only certain prefixes with a "MUST", as that would exclude new ones in the future. (e.g. a post-quantum key exchange will likely want to be negotiated with a separate cipher suite)

> > * TLS 1.3 implementations negotiate ECDHE/DHE & RSA/DSS/ECDSA solely via
> > the "supported_groups" & "signature_algorithms" extensions.
> Why include DSS?  It seems rather obsolete, and little used, at this
> time.

It's in there because there's no reason to explicitly cut it out completely. This proposal gets rid of all of the DSS cipher suites, however the extension already has DSS/DSA in there. This shifts signature negotiation to the extension; it doesn't actually change the extension. (though, it's possible a change of some kind will be needed) Removing support entirely is outside of the scope of this proposed change. I'm not against restricting/prohibiting its use, if that's the consensus.