IETF Logo Mail Archive

Re: [TLS] integrity only ciphersuites

"Salz, Rich" <rsalz@akamai.com> Tue, 21 August 2018 16:13 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 914B9130F52 for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 09:13:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h5zPtezJwVPs for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 09:13:50 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBA0E130F2B for <tls@ietf.org>; Tue, 21 Aug 2018 09:13:48 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w7LG6kdk031193; Tue, 21 Aug 2018 17:13:37 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=Ax5Bms2Y7Kf61QsSLBiSlmaNzoICmf+8/HUEHHovWLc=; b=U8zrslRSSrlFrcDsbdZbKqHwWHdSvjWnTriTw9qIuaVkz0rFw/g7dmBBZaOBwKPtqs6V FCg2CWLLEmGNtjcNsPKhMEZZP79zQSwPosnCOLendnO9BUmo5PF1+hGIRTWwWmQXPBXQ 83QSVZnwt9HIKf4Hg+u/GA3rMO1rMhIb5ud8iUf/FxYnlcFCU+LBIA7cceK/+VyFNDWF bxTcYIqxO4TztlkBOHfZy6ntg65WfmdsUXnJN4iM6yAfJBC1zfT6IUwrXQiwvM/q9IqW lhnwc4N90Ikh2zQJNHuT1HoepO1CiKpl7/uTUjHfbFxqdeTE3SLOyhF965rJHVmvWO0A 7Q==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by m0050102.ppops.net-00190b01. with ESMTP id 2kx8hc9sb8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 21 Aug 2018 17:13:36 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w7LGAxSA020281; Tue, 21 Aug 2018 12:13:36 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint1.akamai.com with ESMTP id 2kxesuy6rr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 21 Aug 2018 12:13:35 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 21 Aug 2018 12:13:35 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 21 Aug 2018 12:13:35 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1365.000; Tue, 21 Aug 2018 12:13:35 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "Fries, Steffen" <steffen.fries@siemens.com>, Andreas Walz <andreas.walz@hs-offenburg.de>, "tls@ietf.org" <tls@ietf.org>
CC: "ncamwing=40cisco.com@dmarc.ietf.org" <ncamwing=40cisco.com@dmarc.ietf.org>
Thread-Topic: [TLS] integrity only ciphersuites
Thread-Index: AQHUOMcWIQ0ztQCz9UKccOekmBKud6TKWVQAgAAIAoCAABIwgIAABf+AgAAjtwD//78uAIAARU8A///Ai4A=
Date: Tue, 21 Aug 2018 16:13:35 +0000
Message-ID: <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <64d23891-2f32-9bb8-1ec8-f4fad13cdfb9@cs.tcd.ie> <982363FD-A839-4175-BA53-7CA242F9ADA6@ll.mit.edu> <2D7F2926-6376-4B2C-BDE9-7A6F1C0FA748@gmail.com> <5B7C1571020000AC0015C330@gwia2.rz.hs-offenburg.de> <E6C9F0E527F94F4692731382340B337804AEFA24@DENBGAT9EH2MSX.ww902.siemens.net> <A51CF46A-8C5F-4013-A4CE-EB90A9EE94CA@akamai.com> <E6C9F0E527F94F4692731382340B337804AEFB10@DENBGAT9EH2MSX.ww902.siemens.net>
In-Reply-To: <E6C9F0E527F94F4692731382340B337804AEFB10@DENBGAT9EH2MSX.ww902.siemens.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.0.180812
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.35.74]
Content-Type: multipart/alternative; boundary="_000_D5FF0E0EF9C34843AB7719F45E3C00D5akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-21_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808210168
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-21_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808210168
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nTuA9JqTjZI1dmUKOdg2txxS5M0>
Subject: Re: [TLS] integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 16:14:04 -0000

Ø  If there would be support for integrity ciphers in TLS 1.3 it would enable the straight forward switch from TLS 1.2 also in these environments by keeping existing monitoring options.

Why do you want to move to TLS 1.3?  Why isn’t your existing solution good enough?


  *   [stf] Currently it is sufficient to use TLS 1.2- For certain use cases the utilized components have a rather long lifetime. One assumption is that TLS 1.3 will exist longer that TLS 1.2 and that certain software tools (also browsers) may not support TLS 1.2 in the future  …

Most browsers already do not support NULL encryption, and it is highly unlikely that any will add it for 1.3.  Have you any indication otherwise?  If you’re not going to use the algorithms in general use on the public Internet, then you should expect that standard clients such as browsers, will not work.  PeterG can attest to this. :)

v2.23.0 | Report a Bug | By Email