Re: [TLS] security levels for TLS
Eric Rescorla <ekr@networkresonance.com> Sat, 13 October 2007 00:04 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgUUR-0004kQ-Be; Fri, 12 Oct 2007 20:04:23 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgUUP-0004fr-RD for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 20:04:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgUUP-0004fj-Hl for tls@lists.ietf.org; Fri, 12 Oct 2007 20:04:21 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgUUO-0002e4-Ax for tls@lists.ietf.org; Fri, 12 Oct 2007 20:04:21 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id F21A233C21; Fri, 12 Oct 2007 17:00:10 -0700 (PDT)
Date: Fri, 12 Oct 2007 17:00:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <4710000A.7020006@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <200710122237.30517.nmav@gnutls.org> <20071012200032.70EEA33C23@delta.rtfm.com> <4710000A.7020006@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071013000010.F21A233C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Fri, 12 Oct 2007 16:15:22 -0700, Mike wrote: > > >>> Confusing and/or giving users false senses of security are definitely > >>> negative. > >> Actually I think the latter sentence describes the current situation! > > > > How so? Nothing at all stops you from putting any indicator you > > like in your code. Why does IETF have to standardize it? > > I think there is some mis-communication going on. I have never > even mentioned the IETF standardizing an "indicator" of security > level. Someone else may have, but I reject that idea as well. Well, two things seem to be being discussed simultaneously: 1. Standardizing simplified "levels" of security which correspond to cipher suites and key sizes. E.g., STRONG would be symmetric algorithm X or Y with asymmetric algorithm A and key size a or asymmetric algorithm B with key size b. MEDIUM is symmetric algorithm W with asymmetric algorithm A with key size a' or asymmetric algorithm B with key size b'. This is purely a documentation issue and doesn't require any on-the-wire changes to TLS. 2. Modifying TLS to allow the client to indicate the size of the keys/group it would like for each asymmetric algorithm. This is an on-the-wire protocol change. As I understand your messages, you've been endorsing both of these. I'm against both of these, for related, but distinct reasons. I'm against the former because I think it's actually very hard to produce any reasonable standardized account of which algorithms and key sizes fit into which level. In any case, this is something that an implementation can easily offer without any standard, it simply will not necessarily have the same level->algorithm mapping as another implementation. I'm against the second because I believe it adds marginal benefit at a significant cost to interoperability and complexity. An extension like this only makes sense if: 1. Servers have a number of different kinds of keying material of different strengths. 2. Clients are in a position to make intelligent choices about which asymmetric key strengths are appropriate. In my experience, neither is true. Moreover, it's worth noting that in the current environment any client which attempts to request a key > 1024 bits will find that it can connect to practically nobody. To a first order, this is just another way to create interop problems. With regard to key lengths: as I indicated before, the dominant security issue in systems of this kind is quality of implementation and maintenance. If you don't trust the server to choose appropriate key sizes, why on earth would you trust that it's not chock full of remote vulnerabilities? -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman