Re: [TLS] draft-gutmann-tls-eccsuites

Henrik Grubbström <grubba@gmail.com> Mon, 07 July 2014 17:30 UTC

Return-Path: <grubba@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91B401A0377 for <tls@ietfa.amsl.com>; Mon, 7 Jul 2014 10:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjtIkiOFDjj4 for <tls@ietfa.amsl.com>; Mon, 7 Jul 2014 10:30:03 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED12E1A040D for <tls@ietf.org>; Mon, 7 Jul 2014 10:30:02 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id c11so3129793lbj.17 for <tls@ietf.org>; Mon, 07 Jul 2014 10:30:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=2N68rG3s28IXjzB76Qh88sc0JerITpo7Brwng2+uFqU=; b=Abme7LBY37PFOddm6a1fGIjtcNhDYR8v0mHuTDdsFBqJNq9IG1XtS7Ni5pg2mNwLPr pQK6cpZvnhssGLUbob264w8lhq6n6I1b0f03zAjK0Wgu4OUqAZZ/omd2PAfVWw2GyrSO 6NzaMQ8sl/C2P2kKqZgc5uh00Hq7Ql0uL20GIp/8f+GUakk8YDx8nGUqLyYA1EPnzX+o aKuaXIZYb8eH9h2MQi+Z4tKUL0BdUelMNfcKTGA6QImvDSILynP1nC6L9i93AWX36BIn U8S/VfijgVGdoEF2aiaqhRRw6GOxFamQgDveH/wOxzSIwzAJOLKo6Dx/WLVlt9B55HW+ pXbQ==
MIME-Version: 1.0
X-Received: by 10.112.143.8 with SMTP id sa8mr2320902lbb.89.1404754201213; Mon, 07 Jul 2014 10:30:01 -0700 (PDT)
Received: by 10.112.29.173 with HTTP; Mon, 7 Jul 2014 10:30:01 -0700 (PDT)
Date: Mon, 7 Jul 2014 19:30:01 +0200
Message-ID: <CALuAYvb0GoysWgR54c1UQ+PPe_kdUdU52Brtx_q=L6b0a+rtrQ@mail.gmail.com>
From: =?UTF-8?Q?Henrik_Grubbstr=C3=B6m?= <grubba@gmail.com>
To: tls@ietf.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jOatM4mZ8FeZlK4GWZB4K6utkaE
Subject: Re: [TLS] draft-gutmann-tls-eccsuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 17:30:04 -0000

Hi Peter et al.

On Mon, Jul 7, 2014 at 2:56 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> Speaking of ECC drafts, I've posted an updated version of my ECC ciphersuites
> draft, now with the Brainpool curves added:
>
> http://tools.ietf.org/html/draft-gutmann-tls-eccsuites-06

Hmm...

>From the above draft section 2:

| If no additional Chinese-menu ECC suites are used, implementations
| SHOULD NOT send the Supported Elliptic Curves or Supported Point
| Formats extensions since these parameters are fully specified by the
| suite choice.

Have you considered the following note in RFC 4492 section 5.1?

| NOTE: A server participating in an ECDHE-ECDSA key exchange may use different
| curves for (i) the ECDSA key in its certificate, and (ii) the
ephemeral ECDH key in the
| ServerKeyExchange message. The server must consider the extensions
in both cases.

As I read the above, your suites would default to imply extra
restrictions on the possible server certificates, as you would be
restricted to only the same curve as in the suite (eg you wouldn't be
able to use a SECP521 cert with
TLS_ECDHE_ECDSA_P384_SHA384_WITH_AES_256_GCM_SHA384, as the server
wouldn't know if the client was capable of verifying the cert).

The server can probably safely assume that the client supports
certificates for all the curves in the client hello suites, but this
doesn't help with certs using curves not in the list of suites in the
draft.

Or is the intent of the draft that the server just should select a
cert and hope for the best?

Anyway, the intended ECDSA certificate policy ought to be made
explicit in the draft.

/grubba

--
Henrik Grubbström                                       grubba@grubba.org
Roxen Internet Software AB                              grubba@roxen.com