Re: [TLS] Ala Carte Cipher suites - was: DSA should die

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 08 April 2015 02:54 UTC

Date: Wed, 08 Apr 2015 02:54:39 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150408025438.GH17637@mournblade.imrryr.org>
References: <20150401201221.163745c2@pc1.fritz.box> <CAK9dnSyKf7AY11h1i1h+SudRc-NmTZE5wC682YKhNsxnfV5ShQ@mail.gmail.com> <CAK3OfOgPbADQ1CvOs=8T7ee6f_T+bi3F6GCdBtxufQpznzYbQA@mail.gmail.com> <201504021257.09955.davemgarrett@gmail.com> <CAOgPGoDJTcLn4j90wNu=mhCZJnb2WUuAvM5TN6KOO7RdC==qHQ@mail.gmail.com> <551DE914.4010804@nthpermutation.com> <CAFewVt6jKaQh9Z-ySQJr_9PWsBvn41RNk6PNXMdouLwywn8-wA@mail.gmail.com> <54c69c7ac7074ba8a2e71734843bf106@ustx2ex-dag1mb2.msg.corp.akamai.com> <CAHOTMV+j2VECFme_iizE_9UnPfebSGETnfx0Cwv7BZQ-Oc902w@mail.gmail.com>
In-Reply-To: <CAHOTMV+j2VECFme_iizE_9UnPfebSGETnfx0Cwv7BZQ-Oc902w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/oo9XHR2V7uaxQkZXkXd-oBOVQM0>
Subject: Re: [TLS] Ala Carte Cipher suites - was: DSA should die

On Mon, Apr 06, 2015 at 08:25:02PM -0700, Tony Arcieri wrote:

> Looks like the opinion of TLS implementers is this far unanimously against
> this proposal. I would like to give the counterpoint from a TLS user
> perspective.

I see no unanimity.  I think that long-term the cross product
simplifies maintenance (simpler internal tables with less duplication),
and makes it easier to sensibly sort the cipher-suites by independent
preferences for each feature.

Yes, there'll need to be new APIs for specifying separate preferences
for the key agreement suites vs. bulk crypto suites.  Some may find
this an opportunity to drop legacy interfaces.

In OpenSSL many of the building blocks are already there, thus
we can build up a cipher-suite from its parts:

    $ openssl ciphers -v kECDHE+aECDSA+AES128+AESGCM
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD

All that's missing is separate ordered cipherstring settings for
the components.  These would be UI improvements I think.  Yes, not
easy retrofits into existing applications, but ultimately worth it
IMHO.  Assuming of course TLS is still the Swiss Army knife of
security protocols and needs to support a range of choices for each
element of the cipher-suite.

Were any radical simplification to just 1 or 2 (composite) ciphersuites
actually realistic, then breaking those down would be silly.  As
it stands I don't see a likely choice of just 2 ciphersuites that
serve all TLS users, and thus ala carte makes sense to me.

-- 
	Viktor.
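As an added illustration (not code from the thread or from OpenSSL), the following Python helper sketches the "separate ordered cipherstring settings for the components" that the message above says are missing: it takes independent, ordered preference lists for key exchange, authentication and bulk encryption and composes them into a single ordered OpenSSL cipherstring. The preference lists, the function names and the `order` parameter are constructed for this example; `openssl ciphers` is only consulted if the binary happens to be on PATH.

```python
#!/usr/bin/env python3
"""Compose an ordered OpenSSL cipherstring from independent per-feature
preference lists.  Hypothetical helper written for this example."""
import itertools
import shutil
import subprocess

# Constructed sample preferences, most preferred first.  Each entry is an
# OpenSSL cipherstring keyword, or a '+'-joined conjunction of keywords
# (the same syntax as "kECDHE+aECDSA+AES128+AESGCM" in the message above).
KEX_PREFS = ["kECDHE", "kDHE"]
AUTH_PREFS = ["aECDSA", "aRSA"]
ENC_PREFS = ["AESGCM+AES128", "CHACHA20", "AESGCM+AES256"]


def compose_cipherstring(kex, auth, enc, order=("enc", "kex", "auth")):
    """Return a cipherstring whose entries are the cross product of the
    per-feature preferences.  `order` names the feature that varies slowest
    first (i.e. the feature whose preference dominates the sort).  OpenSSL
    keeps a suite at its first appearance, so the expanded list comes out
    sorted by these independent preferences."""
    lists = {"kex": kex, "auth": auth, "enc": enc}
    entries = []
    for combo in itertools.product(*(lists[feature] for feature in order)):
        parts = dict(zip(order, combo))
        entries.append("+".join((parts["kex"], parts["auth"], parts["enc"])))
    # Always exclude anonymous key exchange and null encryption, whatever the
    # preference lists happen to expand to.
    return ":".join(entries + ["!aNULL", "!eNULL"])


def expand_with_openssl(cipherstring):
    """Ask the locally installed `openssl ciphers` which suites the string
    selects, in order.  Returns None when openssl is not available."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", cipherstring],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().split(":")


if __name__ == "__main__":
    cipherstring = compose_cipherstring(KEX_PREFS, AUTH_PREFS, ENC_PREFS)
    print(cipherstring)
    suites = expand_with_openssl(cipherstring)
    if suites is not None:
        for suite in suites:
            print("  " + suite)
```

Changing `order` to `("kex", "auth", "enc")` makes the key-exchange preference dominate instead of the bulk cipher; the expansion by `openssl ciphers -v` shows the resulting order.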