IETF Logo Mail Archive

Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites

Sean Turner <sean@sn3rd.com> Wed, 06 April 2016 17:16 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AD0812D623 for <tls@ietfa.amsl.com>; Wed, 6 Apr 2016 10:16:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIYsh26cNpRt for <tls@ietfa.amsl.com>; Wed, 6 Apr 2016 10:16:19 -0700 (PDT)
Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5DCB12D5F0 for <tls@ietf.org>; Wed, 6 Apr 2016 10:16:18 -0700 (PDT)
Received: by mail-qg0-x232.google.com with SMTP id c6so41521690qga.1 for <tls@ietf.org>; Wed, 06 Apr 2016 10:16:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FN2xscADRsW/NwJQuomRIUbodXPmRmBYSH4bQRzYW3M=; b=kPS3vmdq1Zyb+HRQtpONnZChvZ9w9eGxawomZNWRjfN4wnSQptT7MYTw5zkBf2D2x2 KtiWqJT2cjwNCl8INqfSix/Hsi6wBLOPOxO8Ll5Rp3x4IxzVmrBD7OjrHnyNuRtYudZI rgTPRqtMpsYen5D52VP0eCtH/DkXQV5cI8URc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FN2xscADRsW/NwJQuomRIUbodXPmRmBYSH4bQRzYW3M=; b=ekCFuThi1TkvoKobRlhBD79qXpwwRJvFCtr7Eo8GpWPj9AJFMqCGvkgU9MTl0n7dyR oKwZA1mmdBvr4g1HqN+0jvIzti32Jm7beUMNR23NBgtfnMHmsx7sffh8p/cWPfN68xVs 2W/et2rlENy6BdRXessk1Mar96UysYjlQG3HO8Q9KUiU6cIL8EXPZMU4O3em5VZN7YfW z6tNDnG++I11UB5WCNPYnwibqIw3POmenjV5nvInpjvFwkhpeuKLqHiJ4tJ2ILuFViUz mKY7X2CTdfNjyaPEF+RR/RibZnWcSRFe1rmUCJKc7fQXNYUnpAHYNkyIKMvHCQ0eZuqz YCNg==
X-Gm-Message-State: AD7BkJLVD6+Ox4sn9nWLUGvxGl1F+Hq1S7iW1ME/55wCOeVEGbHJ6A5F64CCatnFwzNClA==
X-Received: by 10.140.153.135 with SMTP id 129mr39544999qhz.38.1459962977827; Wed, 06 Apr 2016 10:16:17 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:176:fca1:5cc3:4f89:2dc6? ([2001:67c:370:176:fca1:5cc3:4f89:2dc6]) by smtp.gmail.com with ESMTPSA id c90sm1649566qkj.47.2016.04.06.10.16.15 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 06 Apr 2016 10:16:16 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <BABA92DA-1429-4A3F-8E87-1CAD67B92C95@azet.org>
Date: Wed, 06 Apr 2016 14:16:13 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <AAEB8C16-4744-41C5-AD0B-16E41EC08F2A@sn3rd.com>
References: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com> <BABA92DA-1429-4A3F-8E87-1CAD67B92C95@azet.org>
To: Aaron Zauner <azet@azet.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lab_wfunW5oPZMsYKl138kR-kwI>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 17:16:21 -0000

On Apr 06, 2016, at 12:21, Aaron Zauner <azet@azet.org> wrote:
> 
> Hi,
> 
>> On 30 Mar 2016, at 03:53, Sean Turner <sean@sn3rd.com> wrote:
>> 
>> Hi!
>> 
>> In Yokohama, we discussed changing the IANA registry assignment rules for cipher suites to allow anyone with a stable, publicly available, peer reviewed reference document to request and get a code point and to add an “IETF Recommended” column to the registry.  This change is motivated by the large # of requests received for code points [0], the need to alter the incorrect perception that getting a code point somehow legitimizes the suite/algorithm, and to help implementers out.  We need to determine whether we have consensus on this plan, which follows:
>> 
>> 1. The IANA registry rules for the TLS cipher suite registry [1] will be changed to specification required.
>> 
>> 2. A new “IETF Recommended” column will be added with two values: “Y” or “N”.  Y and N have the following meaning:
>> 
>> Cipher suites marked with a “Y” the IETF has consensus on
>> and are reasonably expected to be supported by widely
>> used implementations such as open-source libraries.  The
>> IETF takes no position on the cipher suites marked with an
>> “N”.  Not IETF recommended does not necessarily (but can)
>> mean that the ciphers are not cryptographically sound (i.e.,
>> are bad).  Cipher suites can be recategorized from N to Y
>> (e.g., Curve448) and vice versa.
>> 
>> 3. We will add a “Note" to the IANA registry itself (i.e., on [0]) that matches the above so that the same information is available to those who don’t read the IANA considerations section of the RFC.
>> 
>> Please indicate whether or not you could support this plan.
> 
> I maintain the OCB draft and I do support this idea. Sorry for joining this thread late. I did however vote on it during the meeting on monday.
> 
> What's still unclear to me from the discussion is what suites would get a Y or N and which suites won't. Are we just talking about WG consensus or does implementation-availability weigh in here? It's not perfectly clear to me how this would be decided; just because the IANA registry flags a certain suite as preferred doesn't mean it actually will be implemented, and vice-versa. Library authors sometimes implement algorithms out of pure interest and love for coding. I, too, think going beyond a simple Y/N would just further complicate things for implementers and people trying to understand the IANA registry.
> 
> Aaron

What we’re talking about is IETF consensus (i.e., it’s got to get through an IETF LC which is slightly higher than just a WGLC), but we’d do a one sentence tweak to the TLS WG charter to make the TLS WG be the entity that determine whether there’s a Y or N.

A “Y” does not guarantee that it will be implemented and that’s why we put "and are reasonably expected to be supported by widely used implementations such as open-source libraries.”  Those are pretty good weasel words, but since there’s no protocol police we can’t really say they will be implemented.  On the other hand, open source implementations also have their own pressures they have to deal with that I’m not sure should automatically impact the list.  I also am worried about just adding algorithms that are in an open source implementation because I believe just about everybody that’s requested a code point starts the conversation out with “I’ve got this OpenSSL patch …. "

spt

v2.23.0 | Report a Bug | By Email