Re: [TLS] Mail regarding draft-ietf-tls-tls13
Ben Personick <ben.personick@iongroup.com> Mon, 18 June 2018 19:10 UTC
Return-Path: <ben.personick@iongroup.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54918130E2F for <tls@ietfa.amsl.com>; Mon, 18 Jun 2018 12:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iontradingcom.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w6g5vsq0QW2I for <tls@ietfa.amsl.com>; Mon, 18 Jun 2018 12:10:07 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710054.outbound.protection.outlook.com [40.107.71.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCDFE130E29 for <tls@ietf.org>; Mon, 18 Jun 2018 12:10:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iontradingcom.onmicrosoft.com; s=selector1-iongroup-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/QHNGgxFfjADu6sVrG87RjrF07Q/Vs/R/kkCwio26Sk=; b=F1tn2WXlwI8mAeujypkRF5yQS5wLWSW63RspwAapAnBpVVmfxhxV0UV90Q/ztaGGX2+sfcfANBbIz/ZZTCAwYZnS4FoVxL27tSV0xA5yXv6rrYQHd0JyfGKVzI0rYNXgGI+XIdy5Sh0ZeovLmp56xXQbjxHBfA/IHgWfayZO7+0=
Received: from BN7PR14MB2356.namprd14.prod.outlook.com (20.176.22.33) by BN7PR14MB2433.namprd14.prod.outlook.com (20.176.22.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.17; Mon, 18 Jun 2018 19:10:05 +0000
Received: from BN7PR14MB2356.namprd14.prod.outlook.com ([fe80::ac24:4123:784d:29f7]) by BN7PR14MB2356.namprd14.prod.outlook.com ([fe80::ac24:4123:784d:29f7%3]) with mapi id 15.20.0863.016; Mon, 18 Jun 2018 19:10:05 +0000
From: Ben Personick <ben.personick@iongroup.com>
To: TLS WG <tls@ietf.org>
Thread-Topic: [TLS] Mail regarding draft-ietf-tls-tls13
Thread-Index: AdQCh415dfE0g1svTxONss1UmLapVwDZCf0AAEaFOTYABw3aAAAFfUx5
Date: Mon, 18 Jun 2018 19:10:05 +0000
Message-ID: <5fdded19-da5c-4d23-a0e3-e4e9e905f7aa@iongroup.com>
References: <BN7PR14MB23560D791932A8CB164C592D917F0@BN7PR14MB2356.namprd14.prod.outlook.com> <897AC345-0832-4252-9D96-5A030CBEAD25@dukhovni.org> <cc5fe1d8-b065-4f30-8b76-57714aea1949@iongroup.com>, <7D370F20-3C5C-4347-9EA3-3F0F61458377@dukhovni.org>
In-Reply-To: <7D370F20-3C5C-4347-9EA3-3F0F61458377@dukhovni.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ben.personick@iongroup.com;
x-originating-ip: [38.108.249.203]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN7PR14MB2433; 7:YSMkay4vIXQTP/A6do4RoULiQ8KFaXRuFFKi7goikw4Fnbx4j65X6/AfhAWEUMOSD72+AoZ17OUOSzJ+NaerpPcMf3igo+jTrnlhsr4IgfQCf9dddXpu7PbO7lvbsTtpp+M6SIvzxlzyl3DQQhkbq1tr0ruXppTVSaYrzSKc/U9aQ8K/WSmY8O1jfWTdKWV8TbzimUhJnX/NiCzUKEgUjPscR/b6hhjyiC5WC6EZVyX1PuawYeKrHYpvq2HPk/Vk
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 3cd5ee97-815c-47ed-7f6e-08d5d54f19dd
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(711020)(2017052603328)(7153060)(7193020); SRVR:BN7PR14MB2433;
x-ms-traffictypediagnostic: BN7PR14MB2433:
x-microsoft-antispam-prvs: <BN7PR14MB243333E7E36398D946DA858391710@BN7PR14MB2433.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21532816269658);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231254)(944501410)(52105095)(93006095)(93001095)(3002001)(149027)(150027)(6041310)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:BN7PR14MB2433; BCL:0; PCL:0; RULEID:; SRVR:BN7PR14MB2433;
x-forefront-prvs: 0707248B64
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(39860400002)(396003)(366004)(376002)(346002)(189003)(199004)(3846002)(478600001)(6916009)(6246003)(5660300001)(68736007)(36756003)(25786009)(6116002)(53936002)(14454004)(31686004)(66066001)(2900100001)(105586002)(106356001)(26005)(31696002)(8676002)(54896002)(316002)(6486002)(53546011)(6506007)(6512007)(7736002)(81166006)(76176011)(99286004)(97736004)(6436002)(2906002)(3280700002)(3660700001)(229853002)(446003)(86362001)(476003)(2616005)(486006)(44832011)(11346002)(93886005)(186003)(81156014)(102836004)(5250100002)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR14MB2433; H:BN7PR14MB2356.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: iongroup.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: cMcWjqWwEdzS0CHZz8PXieVom33NcecRjD6SBgYkhOqHNrwaTNbpGO67yykZsI5xcloO2QXNTNiIUGNJm7v9lE8gBubFlTVIpmXM7TxI4oEpVza+t/zWMkyXT3u07TYJIhj0AT91EsJ+YBM/e/vC6jGgMWttLnHjzFdYH4VGVXom5WHm26mfKaEHPrRePaEXrTM1SSehTDNb2623GI/00PhcO8Ie58iA/+rSTwP+7QP2Zu05QHHcmAwAtHR9vHfS0c917Epfo1s3qfMd/442yGjbCX2QJ1gWOLkNbml9VHj6HXlRnOz2zMTtTbtA6IGrYe+8A3X2vXnmKlXCu4MxMw==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_5fdded19da5c4d23a0e3e4e9e905f7aaiongroupcom_"
MIME-Version: 1.0
X-OriginatorOrg: iongroup.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3cd5ee97-815c-47ed-7f6e-08d5d54f19dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jun 2018 19:10:05.3841 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 768fe7d4-ebee-41a7-9851-d5825ecdd396
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR14MB2433
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n06AB7vJlz1hEC2ruOEEsZTlcBE>
X-Mailman-Approved-At: Mon, 18 Jun 2018 19:54:47 -0700
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 19:10:09 -0000
Hello Viktor, I am only concerned with offereing newer , faster, and more secure cipher suites on our web application, so that as clients have the ability to use them they can begin to do so. Our LB offers a method to present baoth an RSA and ECC cert at thw aame time, at the cost of buying both each year. I can only support ecdsa_rsa unless I have an ECC certificate to support ecsda_ecsde ciphers. Since TLS 1.3 will continue to allow ecdsa_rsa ciphers, there will be no push to move towards offering them, because of various 'reasons'. Ben ________________________________ From: Viktor Dukhovni <ietf-dane@dukhovni.org> Sent: Monday, June 18, 2018 12:32 To: Ben Personick Cc: TLS WG Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13 > On Jun 18, 2018, at 9:10 AM, Ben Personick <ben.personick@iongroup.com> wrote: > > There is a common thread circulating, that all support for RSA Certificates/Ciphers are dropped in TLS 1.3. This is not the case. > As I wrote in the last email, I am aware we can implemenet ECC certs and ciphers in TLS 1.2, along side RSA certs/ciphers, however there is a consistent fear of breaking what already works by moving onto offering both an ECC and RSA certificate and corrosponding ciphers. You should at least support verifying ECDSA certificates on the client side, some servers your client software might connect to may have only ECDSA certificates. On the server side you can continue to use RSA certificates if you wish. While ECDSA is faster on the server, there are still some clients (perhaps yours among them) that only support RSA, and so you'd need to have both RSA and ECDSA certificates, which is operationally a bit more challenging. -- Viktor.
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ilari Liusvaara
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Martin Rex
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Salz, Rich
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Hubert Kario
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Tony Arcieri
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Tony Arcieri
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Viktor Dukhovni
- Re: [TLS] Mail regarding draft-ietf-tls-tls13 Sean Turner
- [TLS] Mail regarding draft-ietf-tls-tls13 Ben Personick