IETF Logo Mail Archive

Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 30 March 2016 23:16 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFBA812D0FF for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 16:16:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BeXQ-_h29gbu for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 16:16:53 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 870FC12D0E1 for <tls@ietf.org>; Wed, 30 Mar 2016 16:16:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 9D03DBE2F; Thu, 31 Mar 2016 00:16:50 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GmdxaKrtd1xp; Thu, 31 Mar 2016 00:16:49 +0100 (IST)
Received: from [10.87.49.100] (unknown [86.46.30.32]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id F1380BE29; Thu, 31 Mar 2016 00:16:48 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1459379809; bh=7unE4q5zQAi2fjy3252kJ1nVE1wwABfkO2YOmySp9Cg=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=gEXeo+rSpH6pithXHye7inOeQYSvvSLbmsrLKHB8e5qyHx4cb+htA5SXPzOBLVyDm ZgTIwUqh1LFvI1yvKyRO/4FSewilX34bi03v77MRXJ2+OEV03alf/VS9IKQliSA514 areaqzisfCEfAftoxRCw8I81SP+zblypY+U7HwO8=
To: Yoav Nir <ynir.ietf@gmail.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com> <56FBF1B5.8030906@akamai.com> <8737r8ymrd.fsf@alice.fifthhorseman.net> <20160330192008.GB771@LK-Perkele-V2.elisa-laajakaista.fi> <87egarbvic.fsf@alice.fifthhorseman.net> <F7468161-DC32-47E8-97F9-0680D344115A@gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56FC5E60.7070203@cs.tcd.ie>
Date: Thu, 31 Mar 2016 00:16:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <F7468161-DC32-47E8-97F9-0680D344115A@gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="cshOmn4mfNeLx4VbhL6CWhlp91dJabKj1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iJiwEOVaZmeLUsSsHm8qw3NA3ts>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2016 23:16:55 -0000

(with no hats, except the one irritated with loadsa ciphersuites:-)

On 30/03/16 21:26, Yoav Nir wrote:
> That brings up another question. How do things move from “approved” 
> to “not-approved”? Does it require a diediedie document? What
> happens when we decide that 3DES is just too limited and there’s not
> good reason to use it, but there’s really no security issue with
> using it?

How about starting from the smallest possible set with "Y" in
the IETF recommended column? And then focus on keeping that set
as small as possible and actively not letting it grow.

Let's *pretty please* take this opportunity to prune the stupid
list of nearly 350 all ostensibly but so not equal ciphersuites
down to the smallest list that can reasonably be recommended.
Measurements seem to have indicated that just a handful is all
that really needs to be very widely supported.

That will require folks here to not mess about and to resist the
set of people who want ciphersuite foo because it's important to
just them and a few others.

Remember: Sean's proposed text, is to limit the "Y" to stuff that
we do expect to, and want to, see widely or very widely implemented
and deployed.

If this WG fail to take this opportunity to fix the 350 ciphersuite
stupidity then that'll be a pretty clear fail in which we'll all
(me included) have sadly partaken. Let's fix that eh?

S.

v2.23.0 | Report a Bug | By Email