IETF Logo Mail Archive

Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 31 March 2016 18:28 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC13612D723 for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 11:28:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FprEUGXoVPgQ for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 11:28:23 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0102.outbound.protection.outlook.com [65.55.169.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6316D12D732 for <tls@ietf.org>; Thu, 31 Mar 2016 11:28:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mEDHvb8oFFkAFXQvNitpDvPZm6ScLanwyftM8QI1reE=; b=Y0/IJCsXXXbGcph401LgTKNlKypJ0vPJxm3Ih9+xEkAPNJKr4NLpc6yhq9MrZsTvcNEzBb+xD7Zhc1uDxevV3CTjv5AQTvWHE756f07f1oiujnpUo4l6yzAazeEzSymRthiLWRSM2pM7bafET798S0GydgmAKe8A3kVIvVSOHjA=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1395.namprd03.prod.outlook.com (10.163.81.141) with Microsoft SMTP Server (TLS) id 15.1.447.15; Thu, 31 Mar 2016 18:28:21 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0447.024; Thu, 31 Mar 2016 18:28:21 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "Salz, Rich" <rsalz@akamai.com>, "Kaduk, Ben" <bkaduk@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] call for consensus: changes to IANA registry rules for cipher suites
Thread-Index: AQHRi1OtnDhSFiyjlECabVgyoehPf59ztwEAgAAEsgCAAAkrgIAABHGAgAABqACAAADdAIAAAYAAgAAAugCAAAQigIAAAyIAgAAIlhA=
Date: Thu, 31 Mar 2016 18:28:21 +0000
Message-ID: <BLUPR03MB13965B858D13FF533FB04CB58C990@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com> <56FD2A0A.1050607@gmx.net> <56FD4A42.2080100@akamai.com> <56FD4E32.5060409@gmx.net> <56FD55E3.9060605@akamai.com> <56FD599D.2040206@gmx.net> <56FD5B00.3090007@akamai.com> <ca13e48abd8042c38bc2116bd5574f85@usma1ex-dag1mb1.msg.corp.akamai.com> <56FD5CFC.8090508@gmx.net> <9ed6f4205baf4602857b3c4539fc1941@usma1ex-dag1mb1.msg.corp.akamai.com> <56FD610F.10301@gmx.net> <56FD63B0.2070205@cs.tcd.ie>
In-Reply-To: <56FD63B0.2070205@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cs.tcd.ie; dkim=none (message not signed) header.d=none;cs.tcd.ie; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:7::1d2]
x-ms-office365-filtering-correlation-id: 0ca86a60-7764-4e0c-fba0-08d359923d1e
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1395; 5:aZ86X48wtQfDjR1U6Cx8A9lxr/I6PyjIdp+UB2R5tOY6GLOAkwk3BMR96DH/GB6UhtOsMuMEuikDKXpp2V/2YPcdKvK/1QJmLV2I9FfE9NBgyI1cqvRBWuKiqflyJNgoIwfqobR6n6rmtiq4n+H+nA==; 24:/r6Tbr/ksrBsDG/M5qo8r5LcZDHyODTRAn+s30xiWsgxO3ynDooFdLcab2Mcq2XVO6k2V+v3/9HZPGHkbaRR6x3i6qQMbb0iCTPD8Iui8Ps=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1395;
x-microsoft-antispam-prvs: <BLUPR03MB139579ED799794D047B57C028C990@BLUPR03MB1395.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(61426038)(61427038); SRVR:BLUPR03MB1395; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1395;
x-forefront-prvs: 0898A6E028
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(24454002)(377454003)(561944003)(19580395003)(189998001)(107886002)(2950100001)(86362001)(5001770100001)(19580405001)(93886004)(2900100001)(33656002)(5004730100002)(575784001)(87936001)(76176999)(54356999)(76576001)(86612001)(10090500001)(50986999)(15975445007)(81166005)(106116001)(10290500002)(10400500002)(8990500004)(5005710100001)(77096005)(99286002)(5008740100001)(2906002)(3660700001)(3280700002)(74316001)(5003600100002)(1096002)(92566002)(586003)(6116002)(122556002)(102836003)(1220700001)(5002640100001)(11100500001)(3826002)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1395; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Mar 2016 18:28:21.3191 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1395
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/o0-0T9cp89QmhdqFXRm1a7Nm_eQ>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 18:28:28 -0000

I'm in favor of this change, as long as it's a binary Y/N. I believe that "Y" can only possibly mean that there is rough IETF consensus to adopt. "Y" cannot mean that this cipher is "cryptographically sound" or "secure", nor can it mean that the "Y" cipher suites are MTI.

The reason I'm in favor is because we can' block the world from implementing the cipher suites they want, even if we don't like what they want or don't have the bandwidth/motivation to analyze every proposal.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Stephen Farrell
Sent: Thursday, March 31, 2016 10:52 AM
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; Salz, Rich <rsalz@akamai.com>; Kaduk, Ben <bkaduk@akamai.com>; <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites


If smaller devices don't use algorithms that can be used to talk to random servers on the Internet, then they are choosing to not try to get interop. That seems like a shame to me, unless there's a really good reason and IMO, mostly there isn't, at the ciphersuite level. I would hope we all won't make the GCM/CCM mistake again for example (that "we" being roughly some combination of IETF/IEEE folks).

So I think the proposed change here, if it leads to fewer but more ubiquitously deployed ciphersuites, will help smaller devices. And I do think the IETF recommended column might lead us some way in that direction.

Cheers,
S.

On 31/03/16 18:40, Hannes Tschofenig wrote:
> I can see some value in having this IANA registry list for 
> ciphersuites in the way being proposed (even if it may be interpreted 
> differently by different audiences). There have been, of course, too 
> many algorithms used only in specific countries and those 
> substantially increased the ciphersuite list.
> 
> I am just a little bit worried that everything developed for the IoT 
> enviroment is quite likely labled as not recommended by the IETF in 
> this registry because of the Web focus in this group.
> 
> The JPAKE is the item that we are currently interested in because we 
> have contributed to the standardization work related to Thread and the 
> stack we had implemented. Of course, the remark that JPAKE might not 
> be a good fit for TLS 1.3 may be correct.
> 
> Ciao
> Hannes
> 
> On 03/31/2016 07:25 PM, Salz, Rich wrote:
>>> Interesting idea. You see this IANA registry more as the mandatory 
>>> to implement algorithm list (for Web apps).
>>
>> I don't.  But lots of outsiders do, and I know they exert pressure on various projects and TLS/AD "leadership".  I've only had a little bit of it via openssl compared to those folks.
>>
>> --
>> Senior Architect, Akamai Technologies
>> IM: richsalz@jabber.at Twitter: RichSalz
>>
>>
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.i
> etf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40micro
> soft.com%7cf32d2e5ac29e49c2d49308d3598d2ad3%7c72f988bf86f141af91ab2d7c
> d011db47%7c1&sdata=%2bqpo4fWxLXAhxEZHhv7A9A1BvA60qYUIX0Ds3GWn7WA%3d
>

v2.23.0 | Report a Bug | By Email