Re: [TLS] Mail regarding draft-ietf-tls-tls13

Ben Personick <ben.personick@iongroup.com> Mon, 18 June 2018 19:10 UTC

Return-Path: <ben.personick@iongroup.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54918130E2F for <tls@ietfa.amsl.com>; Mon, 18 Jun 2018 12:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iontradingcom.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w6g5vsq0QW2I for <tls@ietfa.amsl.com>; Mon, 18 Jun 2018 12:10:07 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710054.outbound.protection.outlook.com [40.107.71.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCDFE130E29 for <tls@ietf.org>; Mon, 18 Jun 2018 12:10:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iontradingcom.onmicrosoft.com; s=selector1-iongroup-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/QHNGgxFfjADu6sVrG87RjrF07Q/Vs/R/kkCwio26Sk=; b=F1tn2WXlwI8mAeujypkRF5yQS5wLWSW63RspwAapAnBpVVmfxhxV0UV90Q/ztaGGX2+sfcfANBbIz/ZZTCAwYZnS4FoVxL27tSV0xA5yXv6rrYQHd0JyfGKVzI0rYNXgGI+XIdy5Sh0ZeovLmp56xXQbjxHBfA/IHgWfayZO7+0=
Received: from BN7PR14MB2356.namprd14.prod.outlook.com (20.176.22.33) by BN7PR14MB2433.namprd14.prod.outlook.com (20.176.22.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.17; Mon, 18 Jun 2018 19:10:05 +0000
Received: from BN7PR14MB2356.namprd14.prod.outlook.com ([fe80::ac24:4123:784d:29f7]) by BN7PR14MB2356.namprd14.prod.outlook.com ([fe80::ac24:4123:784d:29f7%3]) with mapi id 15.20.0863.016; Mon, 18 Jun 2018 19:10:05 +0000
From: Ben Personick <ben.personick@iongroup.com>
To: TLS WG <tls@ietf.org>
Thread-Topic: [TLS] Mail regarding draft-ietf-tls-tls13
Thread-Index: AdQCh415dfE0g1svTxONss1UmLapVwDZCf0AAEaFOTYABw3aAAAFfUx5
Date: Mon, 18 Jun 2018 19:10:05 +0000
Message-ID: <5fdded19-da5c-4d23-a0e3-e4e9e905f7aa@iongroup.com>
References: <BN7PR14MB23560D791932A8CB164C592D917F0@BN7PR14MB2356.namprd14.prod.outlook.com> <897AC345-0832-4252-9D96-5A030CBEAD25@dukhovni.org> <cc5fe1d8-b065-4f30-8b76-57714aea1949@iongroup.com>, <7D370F20-3C5C-4347-9EA3-3F0F61458377@dukhovni.org>
In-Reply-To: <7D370F20-3C5C-4347-9EA3-3F0F61458377@dukhovni.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ben.personick@iongroup.com;
x-originating-ip: [38.108.249.203]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN7PR14MB2433; 7:YSMkay4vIXQTP/A6do4RoULiQ8KFaXRuFFKi7goikw4Fnbx4j65X6/AfhAWEUMOSD72+AoZ17OUOSzJ+NaerpPcMf3igo+jTrnlhsr4IgfQCf9dddXpu7PbO7lvbsTtpp+M6SIvzxlzyl3DQQhkbq1tr0ruXppTVSaYrzSKc/U9aQ8K/WSmY8O1jfWTdKWV8TbzimUhJnX/NiCzUKEgUjPscR/b6hhjyiC5WC6EZVyX1PuawYeKrHYpvq2HPk/Vk
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 3cd5ee97-815c-47ed-7f6e-08d5d54f19dd
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(711020)(2017052603328)(7153060)(7193020); SRVR:BN7PR14MB2433;
x-ms-traffictypediagnostic: BN7PR14MB2433:
x-microsoft-antispam-prvs: <BN7PR14MB243333E7E36398D946DA858391710@BN7PR14MB2433.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21532816269658);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231254)(944501410)(52105095)(93006095)(93001095)(3002001)(149027)(150027)(6041310)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:BN7PR14MB2433; BCL:0; PCL:0; RULEID:; SRVR:BN7PR14MB2433;
x-forefront-prvs: 0707248B64
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(39860400002)(396003)(366004)(376002)(346002)(189003)(199004)(3846002)(478600001)(6916009)(6246003)(5660300001)(68736007)(36756003)(25786009)(6116002)(53936002)(14454004)(31686004)(66066001)(2900100001)(105586002)(106356001)(26005)(31696002)(8676002)(54896002)(316002)(6486002)(53546011)(6506007)(6512007)(7736002)(81166006)(76176011)(99286004)(97736004)(6436002)(2906002)(3280700002)(3660700001)(229853002)(446003)(86362001)(476003)(2616005)(486006)(44832011)(11346002)(93886005)(186003)(81156014)(102836004)(5250100002)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR14MB2433; H:BN7PR14MB2356.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: iongroup.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: cMcWjqWwEdzS0CHZz8PXieVom33NcecRjD6SBgYkhOqHNrwaTNbpGO67yykZsI5xcloO2QXNTNiIUGNJm7v9lE8gBubFlTVIpmXM7TxI4oEpVza+t/zWMkyXT3u07TYJIhj0AT91EsJ+YBM/e/vC6jGgMWttLnHjzFdYH4VGVXom5WHm26mfKaEHPrRePaEXrTM1SSehTDNb2623GI/00PhcO8Ie58iA/+rSTwP+7QP2Zu05QHHcmAwAtHR9vHfS0c917Epfo1s3qfMd/442yGjbCX2QJ1gWOLkNbml9VHj6HXlRnOz2zMTtTbtA6IGrYe+8A3X2vXnmKlXCu4MxMw==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_5fdded19da5c4d23a0e3e4e9e905f7aaiongroupcom_"
MIME-Version: 1.0
X-OriginatorOrg: iongroup.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3cd5ee97-815c-47ed-7f6e-08d5d54f19dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jun 2018 19:10:05.3841 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 768fe7d4-ebee-41a7-9851-d5825ecdd396
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR14MB2433
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n06AB7vJlz1hEC2ruOEEsZTlcBE>
X-Mailman-Approved-At: Mon, 18 Jun 2018 19:54:47 -0700
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 19:10:09 -0000

Hello Viktor,

  I am only concerned with offereing newer , faster, and more secure cipher suites on our web application, so that as clients have the ability to use them they can begin to do so.

  Our LB offers a method to present baoth an RSA and ECC cert at thw aame time, at the cost of buying both each year.

  I can only support ecdsa_rsa unless I have an ECC certificate to support ecsda_ecsde ciphers.

  Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no push to move towards offering them, because of various 'reasons'.

Ben

________________________________
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Sent: Monday, June 18, 2018 12:32
To: Ben Personick
Cc: TLS WG
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13



> On Jun 18, 2018, at 9:10 AM, Ben Personick <ben.personick@iongroup.com> wrote:
>
> There is a common thread circulating, that all support for RSA Certificates/Ciphers are dropped in TLS 1.3.

This is not the case.

> As I wrote in the last email, I am aware we can implemenet ECC certs and ciphers in TLS 1.2, along side RSA certs/ciphers, however there is a consistent fear of breaking what already works by moving onto offering both an ECC and RSA certificate and corrosponding ciphers.

You should at least support verifying ECDSA certificates on the client
side, some servers your client software might connect to may have only
ECDSA certificates.  On the server side you can continue to use RSA
certificates if you wish.  While ECDSA is faster on the server, there
are still some clients (perhaps yours among them) that only support RSA,
and so you'd need to have both RSA and ECDSA certificates, which is
operationally a bit more challenging.

--
        Viktor.