Re: [TLS] A la carte handshake negotiation

Dave Garrett <> Sat, 13 June 2015 16:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DDBF01A1B0D for <>; Sat, 13 Jun 2015 09:30:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FYDHEfFIFOMW for <>; Sat, 13 Jun 2015 09:30:05 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 873EC1A010F for <>; Sat, 13 Jun 2015 09:30:05 -0700 (PDT)
Received: by qcnj1 with SMTP id j1so17337107qcn.0 for <>; Sat, 13 Jun 2015 09:30:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=95l0dmYVy079WJaJgScbMR95fglOgaNi4Z5NHgiH7iI=; b=mtHsAZgrq2WHu1633xD+ZL66arWiZXtsuZ2BnT7mzY2KdC3hhQBwXMmad+Q0K/Guuf SPToSp9GxKSVclwpvU790cQfnbJvaYDr1JxwUQKTXzNEjqxuN4GFZK2gBHTYWGrb3stW Cu5INGj8iE2T7sgqzXodW+6BmXvC5iH3q4N7i76RbK2ZuRuqlaIeuprEkBAkBH2l2WIY TH/nsNWDTCuOUnHibR7vyaYIYbEy7US0wbgehJX6ONenU4lEwaC1HbAkd1xRhb2VJcyU KLz85qjkMPgZN9SnsXRRyWhruj8+4PHX7NCecoCmxCBq9HRcOpTTumkiZjpS2EpPEH71 sz7A==
X-Received: by with SMTP id j84mr26269029qhc.29.1434213004849; Sat, 13 Jun 2015 09:30:04 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id b82sm3390951qkh.36.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Sat, 13 Jun 2015 09:30:04 -0700 (PDT)
From: Dave Garrett <>
To: "Salz, Rich" <>
Date: Sat, 13 Jun 2015 12:30:03 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] A la carte handshake negotiation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 13 Jun 2015 16:30:07 -0000

On Saturday, June 13, 2015 12:12:32 pm Salz, Rich wrote:
> I think this is headed in the wrong direction.
> We want to minimize the number of ciphers and cipher-suites, not allow for a mind-boggling combinatorial explosion that will cripple interop.

It's mostly just the ECDHE AEAD PSK & anon suites that never got defined for one reason or another.

With this a la carte proposal, TLS 1.3 would only use ECDHE suites and be able to negotiate DHE or ECDHE using it. The number of suites would go down, overall; it'd just have these new ones for PSK & anon.

The normal RSA/ECDSA suites that would be needed would drop in quantity far more drastically.

The idea is to just move to all suites being to defined for just ECDHE_{ECDSA|PSK|anon} and drop all {DH|DHE|ECDH}_* and ECDHE_{RSA|DSS}.

Technically, we could allow DHE_anon & DHE_PSK to negotiate ECDHE or DHE via the extension, but we'd like to deprecate all the old DHE suites to avoid even the possibility of negotiating weak groups. It would also make the valid TLS 1.3+ suites all start with ECDHE (with the exception of plain PSK, if that has to be kept around).

Note that the list of AES AEAD suites could be pruned down notably if CCM8 was dropped in favor of CCM16 only (or vice versa).