Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Colm MacCárthaigh <colm@allcosts.net> Sun, 16 July 2017 09:16 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBA52127180 for <tls@ietfa.amsl.com>; Sun, 16 Jul 2017 02:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XD13bnHnfMar for <tls@ietfa.amsl.com>; Sun, 16 Jul 2017 02:16:25 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E5A3127058 for <tls@ietf.org>; Sun, 16 Jul 2017 02:16:24 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id a12so38383884ywh.3 for <tls@ietf.org>; Sun, 16 Jul 2017 02:16:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4tGNUnSaiK6fqAkBqsEttaQl1jD/BpiWCa7sVQgnpxk=; b=13fVcy0DpDXDTLuKcnpDFmwCfFQyZumy3nQWPRjwYnR2PYA2OUAlCROV7BoJa3aW2L 8zKK6z+CF+IvkERpllidDPlG1o+PgQC9rbDMQGV9ZzAFKEeKY1FuqGadoGtVvF6IxI0P WePn8Rlmf0HOfioTzoZ3ROM2EliwdL9gqkRZRWb/oaTTksvWuE6aERffv6fhKUQqUFyN XvxZbFhyORUeeQLJstTIpAaNZm3+8JyzrgJ2ZedIoU+oCi0WbIa9Hc6MMRuer/opXu2W RWb5Si9CBDQzAF955QWG8s1piYNAInuDbdjqjGjm1aQcXBbdo6wFFaUIomuVlZZ/IBlo 8uBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4tGNUnSaiK6fqAkBqsEttaQl1jD/BpiWCa7sVQgnpxk=; b=oujNPK9AOT+CVUngZVN/Gc4VL+ZZtUiyOqYZ5wwtaGY0Y8TsUcWPTROS0f21iE2RZy 2j1DRZvj/C0oF4TZTPUuRau9i6gAOiiYGu4z3fEYeUgzzhNP36f0bR7DdeWdH2u+Nq+m Zv8Gu7fii4u38ePvGlSs27pdMwmU/6XQy6HJIaSZqcRNHt83nMvH88UzbHiUdR6/uqLG IsChPLia/XVmjbC7V3AFX50HwEADmSFziwwdQMVl4dWfYCE2gqO6i5TZ1n6MttT8qcAg hBz8gCvaauhXPy35K42195/FSYlmjFHmGAr3NO+r9dzlLOkxhgXPPJfCKbEMLbqDlpBh 0dag==
X-Gm-Message-State: AIVw112aU1vv100FPTQdMx85kSFh8AKvCq1J6Sci6UfNK/LORudr/2Ni 2U4pCE8p7yL/9/K4znJqSVkjSvuZj638
X-Received: by 10.129.57.212 with SMTP id g203mr13466566ywa.101.1500196584254; Sun, 16 Jul 2017 02:16:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.27.4 with HTTP; Sun, 16 Jul 2017 02:16:23 -0700 (PDT)
In-Reply-To: <CAPt1N1m_Zi_2faa8KHcXnic4QjXCEDkwnf=RTbo-Crvh6nMC+g@mail.gmail.com>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAOjisRxxN9QjCqmDpkBOsEhEc7XCpM9Hk9QSSAO65XDPNegy0w@mail.gmail.com> <CABtrr-XbJMYQ+FTQQiSw2gmDVjnpuhgJb3GTWXvLkNewwuJmUg@mail.gmail.com> <8b502340b84f48e99814ae0f16b6b3ef@usma1ex-dag1mb1.msg.corp.akamai.com> <87o9smrzxh.fsf@fifthhorseman.net> <CAAF6GDc7e4k5ze3JpS3oOWeixDnyg8CK30iBCEZj-GWzZFv_zg@mail.gmail.com> <54cdd1077ba3414bbacd6dc1fcad4327@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDeSv+T1ww5_nr6NPgg9k44j7y04tJWC=KeaJF7Gtt+TVQ@mail.gmail.com> <9bd78bb6-1640-68f6-e501-7377dd92172f@cs.tcd.ie> <CAAF6GDeGKEBnUZZFXX0y0a2J2+sVg8VaHh-4H9bhN0Zzk-x9uA@mail.gmail.com> <6707e55d-63d3-01e2-4e98-5cc0644e29e0@cs.tcd.ie> <35f4c84c6505493d8035c0eaf8bf6047@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDcq6_ML3yHSQTy-t5irYLS10VVzk_R+7nAUKqQpgcCkrQ@mail.gmail.com> <CAPt1N1m_Zi_2faa8KHcXnic4QjXCEDkwnf=RTbo-Crvh6nMC+g@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Sun, 16 Jul 2017 02:16:23 -0700
Message-ID: <CAAF6GDfmoFwQSHEF79AmSDBE6W6FwCu2=n-SU7sHipfsfVTeUg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, Matthew Green <matthewdgreen@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114c856e7f9f8d05546bbc04"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oX3QE4mqbMMEbqaUcqjnOT1cM5s>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jul 2017 09:16:26 -0000

On Sun, Jul 16, 2017 at 2:08 AM, Ted Lemon <mellon@fugue.com> wrote:

> What it means for users to be denied the benefits of TLS 1.3 is that they
> don't get, for example, perfect forward secrecy.  Since the proposal was to
> do away with that anyway, but for all users, not just some users, that
> doesn't seem like it is better than just continuing to use TLS 1.2.
>

DH by default is just one benefit of TLS1.3, there are many others or else
we wouldn't be shipping it with so many changes and improvements. Otherwise
there would be no TLS1.3, and only a deprecation of the non-PFS cipher
suites. But that plainly isn't the case.

The main one I'm concerned about is me having to support non-TLS1.3 clients
;-) 1RTT key exchange is worth it alone.

-- 
Colm