Re: [TLS] Inclusion of OCB mode in TLS 1.3

Aaron Zauner <> Wed, 21 January 2015 17:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9CB891A1B37 for <>; Wed, 21 Jan 2015 09:20:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4pEveqCHF21u for <>; Wed, 21 Jan 2015 09:20:20 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 50A441A1B2F for <>; Wed, 21 Jan 2015 09:20:20 -0800 (PST)
Received: by with SMTP id x3so10844366wes.5 for <>; Wed, 21 Jan 2015 09:20:19 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=whB88E2uWbQ/7MEZS+GlyLuONsc7+NQL77pJ4hKz0vw=; b=lBRqQCZpNWpohUGcvPf1tvObJZbxkrSjxBlkFGWEaYGw3XKna7gjqq++CXd5qeyEy/ pobeDQ9VcBDoUOg3QbMwM7SJeKdNQ4gwhGORLuPAA6dP8m4n35OeDd/Z75VtHM3+2HmZ LfRLOwEE609oieOzeUI5KdNUi4JHTNaEE1NqljFU6ibHWuv7NMh3RFl4v/3hUfpZ+91c pVU0PSHcrpgkCOBIZ6E/wKSJyVLBa3XIIYY4gbE0yDo8gs5woIJiVGdRD0EUovSyBBVj 1/vvhhKw8Ay52i1oLo7aQC/c+P+CUPeBHP5ytDVqVbgsE4DQQZoyqqX884ULSaYs1Juf ihEA==
X-Gm-Message-State: ALoCoQmmgbM2W6mnFAzPS+LaAttEuXhW+NxuiLo+qtpQWGwmpgKIbLD2z81Qon9sZInPYYM98VVA
X-Received: by with SMTP id t19mr21885276wiv.6.1421860819086; Wed, 21 Jan 2015 09:20:19 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id cx3sm8099170wib.10.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 21 Jan 2015 09:20:18 -0800 (PST)
Message-ID: <>
Date: Wed, 21 Jan 2015 18:20:16 +0100
From: Aaron Zauner <>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Nico Williams <>
References: <> <> <> <> <> <> <> <> <20150121165008.GQ2350@localhost> <> <20150121170922.GS2350@localhost>
In-Reply-To: <20150121170922.GS2350@localhost>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enigE3D86AC9621E8A98A8FA3001"
Archived-At: <>
Cc: TLS Mailing List <>
Subject: Re: [TLS] Inclusion of OCB mode in TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Jan 2015 17:20:23 -0000

Nico Williams wrote:
> Sure, but why not just deprecate/remove non-ECDH ciphersuites and be done?

That'd be the best option, I agree. But Nikos pointed out that people
might still want PSK without diffie-hellman at all for confined
environments/embedded. Otherwise I wouldn't have put it in there in the
first place. I'm happy to remove these ciphersuites if there's consensus.

> Negotiate key exchange, server authentication, PRF, hash, and
> cipher+mode separately.  (Cipher and mode go together, as not every mode
> makes sense for every cipher, but key exchange should have no relation
> to the choice of cipher+mode.)  Key exchange and server authentication
> are closely tied in some cases (e.g., RSA key transport), but that's not
> a problem (SSHv2 managed).

Sounds like a plan. But more like something for the TLS spec than this
ID, right?

RSA as key transport doesn't concern this ID anyway. And AFAIK it's
going deprecated with TLS 1.3 because of security concerns. I've even
explicitly stated it in the security considerations section of my ID.