Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt

Sean Turner <turners@ieca.com> Tue, 02 December 2014 21:40 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 818441A6F21 for <tls@ietfa.amsl.com>; Tue, 2 Dec 2014 13:40:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.032
X-Spam-Level: *
X-Spam-Status: No, score=1.032 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_BARE_IP_2=1.999, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_71=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYx7CscUv2xQ for <tls@ietfa.amsl.com>; Tue, 2 Dec 2014 13:40:21 -0800 (PST)
Received: from gateway12.websitewelcome.com (gateway12.websitewelcome.com [67.18.72.134]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 576961A1EF8 for <tls@ietf.org>; Tue, 2 Dec 2014 13:40:21 -0800 (PST)
Received: by gateway12.websitewelcome.com (Postfix, from userid 5007) id 868D0EC65E007; Tue, 2 Dec 2014 15:40:20 -0600 (CST)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway12.websitewelcome.com (Postfix) with ESMTP id 74555EC65DFC1 for <tls@ietf.org>; Tue, 2 Dec 2014 15:40:20 -0600 (CST)
Received: from [96.231.218.201] (port=62644 helo=192.168.1.7) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1XvvBD-0008O8-VB for tls@ietf.org; Tue, 02 Dec 2014 15:40:20 -0600
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <20141202181956.GX285@mournblade.imrryr.org>
Date: Tue, 02 Dec 2014 16:40:24 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA271B3C-8216-4654-8E80-2441B37DAC85@ieca.com>
References: <20141202132629.8023.24760.idtracker@ietfa.amsl.com> <547DC339.80800@streamsec.se> <20141202174033.GW285@mournblade.imrryr.org> <547DFF6F.6080505@streamsec.se> <20141202181956.GX285@mournblade.imrryr.org>
To: tls@ietf.org
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.218.201
X-Exim-ID: 1XvvBD-0008O8-VB
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (192.168.1.7) [96.231.218.201]:62644
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 5
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/niixDuvdc3ixqqMyHFlPUnfapSg
Subject: Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 21:40:22 -0000

On Dec 02, 2014, at 13:19, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Tue, Dec 02, 2014 at 07:05:35PM +0100, Henrick Hellstr?m wrote:
> 
>> On 2014-12-02 18:40, Viktor Dukhovni wrote:
>>> Given the far from universal support for ECDSA by clients, a server
>>> that wants to use ECDSA when possible, but still wants to interoperate
>>> with more than just a select few clients really SHOULD have both
>>> ECDSA and RSA certificates.
>> 
>> Fair enough, but is it really an acceptable outcome that a fully conformant
>> server (that is deployed with only RSA certificates) and a fully conformant
>> client (that only implements one of the mandatory ECDSA cipher suites) will
>> not be able to negotiate a connection?
> 
> This document does not replace the mandatory to implement cipher
> suites in TLS 1.x.  So the client and server MUST still both offer
> the usual (RSA-based) MTI cipher suites for each version of TLS
> they support.

This is correct - RFC 4492 didn’t change the MTI cipher suites for TLS1.0-1.2 and since 4492bis is just an update it won’t change the MTI cipher suites either.

spt

> The text in question provides additional ciphersuites that conformant
> implementations SHOULD support.  So in your example, a client that
> suports ECDH(E) only with ECDSA, will employ neither EC based key
> agreement nor EC based authentication.  The various MTI cipher
> suites don't require either.
> 
> This said, perhaps the asymmetry between the client and server
> requirements deserves more explanation.
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls