Re: [TLS] ID Tracker State Update Notice: <draft-ietf-tls-negotiated-ff-dhe-08.txt>

Andrey Jivsov <crypto@brainhub.org> Fri, 24 April 2015 07:34 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4D471B354E for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 00:34:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V8zhqog4O45U for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 00:34:08 -0700 (PDT)
Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:164]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 002171B356B for <tls@ietf.org>; Fri, 24 Apr 2015 00:32:50 -0700 (PDT)
Received: from resomta-po-08v.sys.comcast.net ([96.114.154.232]) by resqmta-po-05v.sys.comcast.net with comcast id KjYg1q001516pyw01jYqhU; Fri, 24 Apr 2015 07:32:50 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-08v.sys.comcast.net with comcast id KjYp1q0024uhcbK01jYpar; Fri, 24 Apr 2015 07:32:50 +0000
Message-ID: <5539F1A1.6030009@brainhub.org>
Date: Fri, 24 Apr 2015 00:32:49 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <20150403205046.26518.89784.idtracker@ietfa.amsl.com>
In-Reply-To: <20150403205046.26518.89784.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1429860770; bh=SPfcN4mJIlJORhLONc3VWkSQaomhQUZ2UC35RFPZhoM=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=HCeQpsABa+WCVzH83jBH6M4cYO28rvGBpOlrPVr2nDJfejRo9eXEBIMTpFG0ylAtj tjsa5BFiLjgdGjKSLWvTfRpwV3aEPKUzfoChwdrBnSpSbI8hq0fJmhQvwqHrRm92Hq ENGsQEUo1KkiA96+h3WsBdzWUv/eSpx4SdR/LRGrVNlhzJRy1CgxvtCtrcfxjNPr/b sNh487VC9t4lIMDUfWa4AKUWfraOsqLkZKenbZfETrKFSKqLRNTNe3/UiqCS+W0txg QeR1bR/VkjJxbuURxsSY6c4AENwecmTCrpjDi4Dab6burRre8nWaYpmcz/r3LVxpAL 6C/SnIO82qZsw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jJnoYnT124NFlH1N88STxsUE-QI>
Subject: Re: [TLS] ID Tracker State Update Notice: <draft-ietf-tls-negotiated-ff-dhe-08.txt>
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2015 07:34:11 -0000

I have a mostly editorial comment for sec 1.

The document calls the composite group with p-1 elements a "group" in 
sec 5. The document calls the the 2-element group in sec 5.1 a "small 
subgroup". The document calls the prime group with q=(p-1)/2 elements a 
"group" in sec. A.

Let's say we continue to call the q-element subset of p-1-element group 
a group, and continue to call the 2-element subset of p-1-element group 
a subgroup.

My concern is that the sec. 1 may be interpreted as that by virtue of 
using groups from this document a client avoids the issue of small 
subgroups. In reality, the main benefit of groups in this document is 
that they give us the minimal small subgroup and there is an efficient 
check for the membership in the large (sub)group. This check is 
correctly specified in sec 5.1, but it should not be skipped.

1. The sentences with two first occurrences of "subgroup", both in 
section 1, should be reworded to not suggest that this document avoids 
small subgroups.

2. One can go further and try to clear the terminology about the group 
by assuming that the
- _group_ has p-1
- _prime group_ has q
- _small subgroup_ has 2 elements.

i.e. insert "prime" in front of some "group", where appropriate.

BTW, I like the ability for the client to indicate the support for the 
DH group size.