IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-00.txt

Hubert Kario <hkario@redhat.com> Tue, 16 June 2015 10:07 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2EA31ACE59 for <tls@ietfa.amsl.com>; Tue, 16 Jun 2015 03:07:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yqx0ZIs-NMck for <tls@ietfa.amsl.com>; Tue, 16 Jun 2015 03:07:16 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F69C1ACE4E for <tls@ietf.org>; Tue, 16 Jun 2015 03:07:16 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id D73DB19CF9D; Tue, 16 Jun 2015 10:07:15 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-26.ams2.redhat.com [10.36.112.26]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t5GA7BHp025116 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 16 Jun 2015 06:07:15 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Tue, 16 Jun 2015 12:07:03 +0200
Message-ID: <5376091.DEdtQA7Asb@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.7 (Linux/4.0.4-202.fc21.x86_64; KDE/4.14.7; x86_64; ; )
In-Reply-To: <87pp4why81.fsf@latte.josefsson.org>
References: <20150611170317.13732.72719.idtracker@ietfa.amsl.com> <CAH8yC8=wUEpqrcCUdoYwTGbsjB25FUvHbj=zvXgo+5f4fmkt3Q@mail.gmail.com> <87pp4why81.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1928648.8zJh08JdMv"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/kLSCo_vkcvGSzG-7AZD4VBBS8lI>
Cc: Simon Josefsson <simon@josefsson.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2015 10:07:18 -0000

On Tuesday 16 June 2015 10:08:30 Simon Josefsson wrote:
> Jeffrey Walton <noloader@gmail.com> writes:
> >>>> What is the use-case?
> >>> 
> >>> 0.   Authentication other than via certificate-based PKI.  Establish
> >>> 
> >>>      anon TLS, and channel-bind the TLS-unique via GSSAPI or some
> >>>      other authentication method.
> >>> 
> >>> 1.  Unauthenticated opportunistic TLS.
> >>> 
> >>>     * Server performs no unnecessary signature operations,
> >>>     
> >>>       since the client can't verify the signature anyway.
> >>>       (More precisely the client can't verify the authenticity
> >>>       of the server keys, so it can only determine that somebody
> >>>       signed the handshake, but no idea whether it is the intended
> >>>       server).
> >> 
> >> Both those use-cases can be achieved by choosing, say, ECDHE_ECDSA and
> >> not verify the signature, right?
> > 
> > That's a violation of the engineering requirements :) If you don't
> > need server authenticity, then you don't ask for it. If you ask for
> > it, then you have to validate it.
> 
> It may appear that way -- but implementing support for ANON ciphers is
> more work than NOT implementing support for certificate validation.
> Supporting ANON in standards, implementation, testing/QA etc carry a
> cost.  We should strive towards offsetting costs with use-cases that can
> motivate the costs.

From QA perspective it's easier to test a specific ciphersuite than to test 
some obscure option that disables signature verification that every 
application names differently.

A(EC)DH ciphersutes are well known and used configuration option, "disable 
signature verification on ServerKeyExchange" is not.

> > I know I'm splitting hairs, but I would reject that kind of check-in.
> > I fear a proliferation of
> > https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html.
> > It also creates a few extra rules, and we have to teach them to
> > developers, QA and auditors.
> 
> Negotiating these ciphers and not verifying the signature is already
> widely deployed (e.g., SMTP STARTTLS), so there is nothing new that
> needs to be done.

this is true only in SMTP because of its legacy, it's not something we should 
encourage

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email