Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 31 March 2016 15:33 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8252112D571 for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 08:33:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.841
X-Spam-Level:
X-Spam-Status: No, score=-1.841 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2QVNVV-vHnt for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 08:33:55 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C908612D1EA for <tls@ietf.org>; Thu, 31 Mar 2016 08:33:54 -0700 (PDT)
Received: from [192.168.10.140] ([200.89.69.175]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MdK8t-1aUG2n2bBL-00IWKB; Thu, 31 Mar 2016 17:33:51 +0200
To: Eric Rescorla <ekr@rtfm.com>
References: <063B3B0B-B141-459C-890F-9E001655936F@sn3rd.com> <56FD15F6.30305@gmx.net> <CABcZeBN5G7Mo+UGNn=K=_STweziub_zCJsrKER3GZ-XZR_rsgQ@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <56FD4360.7010100@gmx.net>
Date: Thu, 31 Mar 2016 17:33:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBN5G7Mo+UGNn=K=_STweziub_zCJsrKER3GZ-XZR_rsgQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="uSvagITv4md5VxMhw2bhAwfvRoJ4cQPEC"
X-Provags-ID: V03:K0:C6U+t8aI0UH+X6QhvI9jxX4PwPiMB+Z2PXPoOK+Am9ON4yr+mdv z9RO/5qoWpzbnkkUr+KkzvNvFSLW0q8j1LET1Z4mcVKggb6B84Q2NK2xJ35ka0q5ot6bo3H zeVeFu4Yg9mYRDMt7APJ5X2EsAe9jk7J05inMxxdnkysPAKf1tG71qCpee3XGri0wWfzjlq gHpSqoadtGYX6gQfUcHCg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:XgSF5pCA37w=:+K6mKc5QjIB4h5k3e6B4Cg H7Hkq5fqAjhrpRdAgKpxnlKoqn2uS1gRXd5EGu9bGw1K+JwLcFo8Mw6fzVFs90alJZKys6M4M uo8FBgrqML3P5BCk5IkCUDIWFpjSRJ5/mcJnw6KbFFpjC7hKry4j7sM4uUg3ddE3XW9Kh0/9T U4pX9UhTkCSDD02lpARNDPOS2zCgGeA0tY7l8amXQQeIbHfO1jk56kN7uKj0a0HntD5P78cM3 H9S20BKg5CIFGrzbiQSLCpkoZt9VI+52OfWVwFUtSWKdlzHhS5Y82Z6vo2NnhLQeep63TGqfi lVR+HmECioHQIjVR/nMEjJLF6+1roLOiBJuLjTZm0p7kJVXIVLRmvnjNKvdsH5a1YYMCnjEKT To34+Nw4Z1AVtUBiETZQLt15kVL1M+CGWPMTc27l3N37ZOzCq7IkVN1EvkazFhxffYkjN82ZD 7jq3+584qvhtPbat+3EOkuCcoXtoouK9JdqNG2q9TdZG8y/OyKA7DlngbONnd2jcK0OaLyuUn hxNhKs0OmiGG8EaTqrkpwSvu0viGA6B5l1rKmWfHC6fgJLO0k78Sbp95SpNg5mNHULLBvt8T+ 2n4gb790ccxoe0Kizh7QxfAKqwEIZSzpL+2tkunVsELRN9fSB/OtWBKu49BamURQ2fWFBXzwh 1JugLF90j9ZbuunJBc1nG6K9yz9eJpY8RfS9osidKFRzztYv4zcwhpSTFmmVIYQs4ykY+w7Ku JeAEh9j22LD8WQGzp8fcRr+ZFTyf6bjL1y8fho6oXTjrr/cOaxt7g2ja/jQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jeDGvxxFgCN90TjrEA0PFRI0KA8>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 15:33:58 -0000
Hi Ekr, On 03/31/2016 05:05 PM, Eric Rescorla wrote: > Hannes, > > No, the proposal is to remove both EC and non-EC DHE 0-RTT profiles. > > The only way to do 0-RTT would be with a PSK (in both PSK and > PSK-(EC)DHE modes). I see. This is, of course, a bit unfortunate. > However, this would include PSKs established via a previous session, > i.e., resumption-PSK. Only established in previous sessions or also distributed out-of-band (as it would be done with PSKs normally). The way you phrased it sounds like you want to exclude the out-of-band case and I wonder why. Ciao Hannes > > -Ekr > > > On Thu, Mar 31, 2016 at 5:20 AM, Hannes Tschofenig > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: > > Hi Sean, > > just to make sure that I properly understand the question: You are > suggesting to remove the DHE support but not the ECDHE support from the > 0-RTT exchange. > > Removing the DHE support is fine for us (at ARM) since we are focused on > ECDHE for IoT devices. The DTLS/TLS profile and other IETF > specifications very much focused on ECDHE and do not consider the use of > DHE. > > Ciao > Hannes > > > On 03/29/2016 03:11 PM, Sean Turner wrote: > > All, > > > > To make sure we’ve got a clear way forward coming out of our BA > > sessions, we need to make sure there’s consensus on a couple of > > outstanding issues. So... > > > > There also seems to be (rougher) consensus not to support 0-RTT via > > DHE (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only > > 0-RTT mode as PSK. The security properties of PSK-based 0-RTT and > > DHE-based 0-RTT are almost identical, but 0-RTT PSK has better > > performance properties and is simpler to specify and implement. Note > > that this does not permanently preclude supporting DHE-based 0-RTT in > > a future extension, but it would not be in the initial TLS 1.3 RFC. > > > > If you think that we should keep DHE-based 0-RTT please indicate so > > now and provide your rationale. > > > > J&S > > > > _______________________________________________ TLS mailing list > > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Call for consensus: Removing DHE-based 0-RTT Sean Turner
- Re: [TLS] Call for consensus: Removing DHE-based … Bill Cox
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Ryan Hamilton
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Ilari Liusvaara
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Martin Thomson
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Hugo Krawczyk
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hugo Krawczyk
- Re: [TLS] Call for consensus: Removing DHE-based … Martin Thomson
- Re: [TLS] Call for consensus: Removing DHE-based … Joseph Salowey