Re: [TLS] Pull Request: Removing the AEAD explicit IV

Watson Ladd <watsonbladd@gmail.com> Thu, 19 March 2015 04:43 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CFA21A8790 for <tls@ietfa.amsl.com>; Wed, 18 Mar 2015 21:43:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZpWgt0LUhCX3 for <tls@ietfa.amsl.com>; Wed, 18 Mar 2015 21:43:32 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46DA71A8715 for <tls@ietf.org>; Wed, 18 Mar 2015 21:43:32 -0700 (PDT)
Received: by yhle43 with SMTP id e43so10000223yhl.2 for <tls@ietf.org>; Wed, 18 Mar 2015 21:43:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=f5hRoXNXFKNYlMa1lE/e/OZPUu5I1p9TP1OATi2wYiI=; b=wamGJtpjuIU+mlEZTrvFwAy3a8dKPcnKRx7uTJaYhxO8zKaX6kkvbBTA/R/L1tdVQe jZo9xdtXLNhgaIiKVV2DmzYIwf8TwWU+YmIEpS+/GlNYINHshPmdSjVIdUwcrOUIrheZ tPpnulpkHhQhi3ZzFgWYTLK2Tc1mYLUouL3lgcCtwXyou7cxQaOel91Bmkq8hFvsGVme XMNfqM3/FnFNqKVkVcUU/ihE1iLCuArXhiUtBxCm7rFupVVxDwNhd5AewQUGy6Veywye N7QAdvrTQM4fLL+wFNG4R6uJnc5n+1FEsfBztfv9mdaKp5hxt5nIoTFW0tmzQdPbiUnC ZJjw==
MIME-Version: 1.0
X-Received: by 10.236.220.65 with SMTP id n61mr75279910yhp.44.1426740211635; Wed, 18 Mar 2015 21:43:31 -0700 (PDT)
Received: by 10.170.58.201 with HTTP; Wed, 18 Mar 2015 21:43:31 -0700 (PDT)
In-Reply-To: <CAAF6GDeEvnt7Gzz-8VutTwaO5BCq8ZA4Z-CSKoY4oYkwqvAn_A@mail.gmail.com>
References: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com> <CAAF6GDdbr57hVa4OD-wCfQtx46bo_D858V_25w8gTtd+M8OhzQ@mail.gmail.com> <CACsn0ckU==QcJhTvyov2DeJCKq_kxvfqK=AkFKsyFcRbQBfC-Q@mail.gmail.com> <CAAF6GDeEvnt7Gzz-8VutTwaO5BCq8ZA4Z-CSKoY4oYkwqvAn_A@mail.gmail.com>
Date: Wed, 18 Mar 2015 21:43:31 -0700
Message-ID: <CACsn0cnxePn2J7hQymPOGDzRfUjMAnDnbjNiGugMrZVLayDARw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jV1yiL5kDxP-OK3NKEC8QQeIkes>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 04:43:33 -0000

On Wed, Mar 18, 2015 at 9:24 PM, Colm MacCárthaigh <colm@allcosts.net>; wrote:
> Why would the extension break?

Because it currently supports the TLS 1.2 record layer and AEAD mode,
not the now different TLS 1.3 one. I confirmed this would be a minor
issue with the author yesterday.  Sure, we can say that for any
implementation, and this hasn't yet made it into the wild yet, but now
both the kernel and userland sides need changes for TLS 1.3. Add in
some release cycles and LTS releases, and you get some more sites that
will not upgrade for a long time. It's not the only example: I've
heard rumors that some implementations do the record layer in more
unusual ways, while having the handshake in more softwarelike things.

I'm not claiming this is a particularly big nit, rather something that
tells me to lean on the conservative side when changing things related
to the record layer as compared to the handshake.

Sincerely,
Watson Ladd
>
> On Wed, Mar 18, 2015 at 9:21 PM, Watson Ladd <watsonbladd@gmail.com>; wrote:
>> I'm afraid that by radically changing the record layer we may be
>> working ourselves into a corner. If we're going to make a change this
>> radical, why not make equally radical changes to simplify the protocol
>> further if that's possible? I'm also not sure what we're supposed to
>> be gaining from this change: while it's true that we don't need to
>> send the explicit nonce, I don't know that we are losing anything from
>> having it. Yes, I know the ChaCha draft does it a seemingly more
>> sensible way, but the last thing we need is to further increase the
>> codesize of TLS implementations.
>>
>> I do know that a recently implemented extension to FreeBSD won't work
>> anymore without some changes. (see
>> http://2015.asiabsdcon.org/timetable.html.en#P7A for an abstract)
>>
>> Sincerely,
>> Watson Ladd
>
>
>
> --
> Colm



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin