Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC
"Mark Tillinghast" <Mark_Tillinghast@symantec.com> Thu, 02 October 2008 19:14 UTC
Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 817B53A69CD; Thu, 2 Oct 2008 12:14:31 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8904028C0EE for <tls@core3.amsl.com>; Thu, 2 Oct 2008 12:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.148
X-Spam-Level:
X-Spam-Status: No, score=-6.148 tagged_above=-999 required=5 tests=[AWL=0.451, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zQx75SDhreq for <tls@core3.amsl.com>; Thu, 2 Oct 2008 12:14:28 -0700 (PDT)
Received: from extu-mxob-2.symantec.com (extu-mxob-2.symantec.com [216.10.194.135]) by core3.amsl.com (Postfix) with ESMTP id B9FCD3A67B1 for <tls@ietf.org>; Thu, 2 Oct 2008 12:14:28 -0700 (PDT)
Received: from tus1opsmtapin01.ges.symantec.com (tus1opsmtapin01.ges.symantec.com [192.168.214.43]) by extu-mxob-2.symantec.com (8.14.1/8.14.1) with ESMTP id m92JE6vR027039 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <tls@ietf.org>; Thu, 2 Oct 2008 12:14:06 -0700
Received: from reserved-155-64-230-18.ges.symantec.com ([155.64.230.18] helo=TUS1XCHECNPIN01.enterprise.veritas.com) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.67) (envelope-from <Mark_Tillinghast@symantec.com>) id 1KlTck-0003bx-MG for tls@ietf.org; Thu, 02 Oct 2008 12:14:06 -0700
Received: from TUS1XCHEVSPIN04.enterprise.veritas.com ([155.64.230.53]) by TUS1XCHECNPIN01.enterprise.veritas.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 2 Oct 2008 12:14:06 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 02 Oct 2008 12:13:39 -0700
Message-ID: <5FD537098FD21B439D882EEDD9299A233B267B@TUS1XCHCLUPIN09.enterprise.veritas.com>
In-Reply-To: <mailman.91.1222974007.11013.tls@ietf.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: New version of draft-ietf-tls-ecdhe-psk after the WGLC
thread-index: AckkwZHNDKc+7dJBRKmkwXv1ZXZwfQAADNYA
References: <mailman.91.1222974007.11013.tls@ietf.org>
From: Mark Tillinghast <Mark_Tillinghast@symantec.com>
To: tls@ietf.org
X-OriginalArrivalTime: 02 Oct 2008 19:14:06.0734 (UTC) FILETIME=[0A5512E0:01C924C3]
Subject: Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
I would like to remove the SHA-1 stuff completely. Compatibility with SHA-1 is anathema to me. Mark -----Original Message----- From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of tls-request@ietf.org Sent: Thursday, October 02, 2008 12:00 To: tls@ietf.org Subject: TLS Digest, Vol 51, Issue 2 Send TLS mailing list submissions to tls@ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/tls or, via email, send a message with subject or body 'help' to tls-request@ietf.org You can reach the person managing the list at tls-owner@ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of TLS digest..." Today's Topics: 1. Re: New version of draft-ietf-tls-ecdhe-psk after the WGLC (Pasi.Eronen@nokia.com) 2. Re: New version of draft-ietf-tls-ecdhe-psk after the WGLC (Mohamad Badra) 3. Re: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC (Brian Minard) 4. Re: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC (Russ Housley) ---------------------------------------------------------------------- Message: 1 Date: Thu, 2 Oct 2008 11:29:21 +0300 From: <Pasi.Eronen@nokia.com> Subject: Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC To: <badra@isima.fr> Cc: tls@ietf.org Message-ID: <1696498986EFEC4D9153717DA325CB7201C760D1@vaebe104.NOE.Nokia.com> Content-Type: text/plain; charset="iso-8859-1" Mohamad Badra wrote: > > Dear Pasi, > >> The contents of the draft have changed quite a bit since version >> -02 (which was posted just before the Dublin meeting), and I have >> some comments about the changes: > > > In fact, we discussed adding SHA256 and SHA348 to the document to > avoid publishing several seperated documents; and if I recall well, > your recommendation was to do that in one single document. If the > group doesn't agree with this change, I will post the old version. I think having them all in a single document is better; it's the other changes in -03 I commented. > > It's a bit surprising that > > e.g. TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, when negotiated in TLS > > 1.2, would use the TLS PRF with SHA-1 as the hash function. Note > > that e.g. TLS_DHE_PSK_WITH_AES_128_CBC_SHA (from RFC 4279) would > > in this situation use the TLS PRF with SHA-256. > > In this case, I would know where I can read that cipher suites > described in RFC 4492, when negotiated in TLS 1.2, will use the TLS > PRF with SHA-256. Do you refer to Section 5 of TLS 1.2? > > The same for TLS_DHE_PSK_WITH_AES_128_CBC_SHA. Yes, I'm referring to Section 5 of TLS 1.2. > > My suggestion would be to say that all these cipher suites can be > > negotiated with any TLS version; when used with TLS <1.2, they use > > the PRF from that version; when used with TLS >=1.2, they use the > > TLS PRF with SHA-256 or SHA-384. (In other words: they'd work the > > same way as the cipher suites in RFC 4492/4279/4785.) > > > > This change would probably allow us to remove the SHA-1 suites > > completely. > > With regard to version 2 of the document, only SHA-1 suites are > described. So why we need to do this step? I would ask it this way: if the document has SHA-256/384 based suites, why does it need the SHA-1 suites? (Cipher suites isn't one of those things where having more is automatically better.) > > Also, while I can understand combining AES-128 with > > SHA-256, and AES-256 with SHA-384, I'm not sure why we need to > > combine NULL encryption with three different MACs... > > In the case we are going to remove the SHA-1 suites with NULL > encryption, only 2 combinations will be available (if we keep the > logic of moving away from SHA-1 and towards stronger hash > algorithms, as RFC 5288 and 5289 do). Yes, but why do we need two combinations? What problem is solved by having two, instead of just one? Best regards, Pasi ------------------------------ Message: 2 Date: Thu, 02 Oct 2008 11:57:48 +0200 From: Mohamad Badra <badra@isima.fr> Subject: Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC To: Pasi.Eronen@nokia.com Cc: tls@ietf.org Message-ID: <48E49B1C.4040603@isima.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi Pasi, Pasi.Eronen@nokia.com wrote: > Mohamad Badra wrote: >> Dear Pasi, >> >>> The contents of the draft have changed quite a bit since version >>> -02 (which was posted just before the Dublin meeting), and I have >>> some comments about the changes: >> >> In fact, we discussed adding SHA256 and SHA348 to the document to >> avoid publishing several seperated documents; and if I recall well, >> your recommendation was to do that in one single document. If the >> group doesn't agree with this change, I will post the old version. > > I think having them all in a single document is better; it's > the other changes in -03 I commented. OK. > >> > It's a bit surprising that >> > e.g. TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, when negotiated in TLS >> > 1.2, would use the TLS PRF with SHA-1 as the hash function. Note >> > that e.g. TLS_DHE_PSK_WITH_AES_128_CBC_SHA (from RFC 4279) would >> > in this situation use the TLS PRF with SHA-256. >> >> In this case, I would know where I can read that cipher suites >> described in RFC 4492, when negotiated in TLS 1.2, will use the TLS >> PRF with SHA-256. Do you refer to Section 5 of TLS 1.2? >> >> The same for TLS_DHE_PSK_WITH_AES_128_CBC_SHA. > > Yes, I'm referring to Section 5 of TLS 1.2. OK. > >> > My suggestion would be to say that all these cipher suites can be >> > negotiated with any TLS version; when used with TLS <1.2, they use >> > the PRF from that version; when used with TLS >=1.2, they use the >> > TLS PRF with SHA-256 or SHA-384. (In other words: they'd work the >> > same way as the cipher suites in RFC 4492/4279/4785.) >> > >> > This change would probably allow us to remove the SHA-1 suites >> > completely. >> >> With regard to version 2 of the document, only SHA-1 suites are >> described. So why we need to do this step? > > I would ask it this way: if the document has SHA-256/384 based > suites, why does it need the SHA-1 suites? > > (Cipher suites isn't one of those things where having more > is automatically better.) Unfortunately, these new arguments aren't presented in WGLC, which would also have been applicable to the previous two versions. I don't know, but don't we need a WG consensus on that change? >> > Also, while I can understand combining AES-128 with >> > SHA-256, and AES-256 with SHA-384, I'm not sure why we need to >> > combine NULL encryption with three different MACs... >> >> In the case we are going to remove the SHA-1 suites with NULL >> encryption, only 2 combinations will be available (if we keep the >> logic of moving away from SHA-1 and towards stronger hash >> algorithms, as RFC 5288 and 5289 do). > > Yes, but why do we need two combinations? What problem is solved > by having two, instead of just one? Which one do you suggest? and why only one of both? (WRT RFC5288 and 5289 portfolio, I prefer keeping both of them,) Best regards, Badra ------------------------------ Message: 3 Date: Thu, 2 Oct 2008 08:00:45 -0400 From: Brian Minard <bminard@certicom.com> Subject: Re: [TLS] Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC To: "tls@ietf.org" <tls@ietf.org> Message-ID: <C49217E2D694874EB820EA90DCE67619011DDDB124@EX40.exchserver.com> Content-Type: text/plain; charset="us-ascii" Here are a couple of clarifications we'd like to see in the draft. ------------------------------ Message: 4 Date: Thu, 02 Oct 2008 11:22:49 -0400 From: Russ Housley <housley@vigilsec.com> Subject: Re: [TLS] Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC To: Brian Minard <bminard@certicom.com> Cc: tls@ietf.org Message-ID: <20081002152313.998D528C1F8@core3.amsl.com> Content-Type: text/plain; charset="us-ascii"; format=flowed Brian: I'll post an update in a few minutes that includes more information on certification paths. I am confused by your last paragraph. ECDH_ECDSA is not discussed in this draft. Only, ECDHE_ECDSA is used in this draft. Russ At 08:00 AM 10/2/2008, Brian Minard wrote: >Here are a couple of clarifications we'd like to see in the draft. > > From section 4: > Server and client certificates used to establish a Suite B-compliant > connection MUST be signed with ECDSA. For certificates used at the > 128-bit security level, the subject public key MUST use the P-256 > curve, and the digital signature MUST be calculated using the P-256 > curve and the SHA-256 hash algorithm. For certificates used at the > 192-bit security level, the subject public key MUST use the P-384 > curve, and the digital signature MUST be calculated using the P-384 > curve and the SHA-384 hash algorithm. > >Does this only apply to the client/server certificates or every >certificate in the client/server chain? > >Can some guidance be added on certificate key usages and TLS 1.2 for >Suite B >(http://www.nsa.gov/ia/industry/Suite_B_Certificate_and_CRL_Profile_200 >80528.pdf)? >This document clearly requires two different certificates and >references NIST SP 800-56A (section 5.6.4.2) as the reason for this. > >I am wondering if you can confirm that the comment requiring two server >certificates is directed at servers supporting both ECDH_ECDSA and >ECDHE_ECDSA key exchange methods (i.e., completely different cipher >suites). For example, if I deploy a server supporting only one of these >key exchange methods, that server would only need one certificate. > >-----Original Message----- >From: ietf-announce-bounces@ietf.org [mailto:ietf-announce- >bounces@ietf.org] On Behalf Of The IESG >Sent: Thursday, September 25, 2008 11:30 AM >To: IETF-Announce >Subject: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites >for TLS) to Informational RFC > > >The IESG has received a request from an individual submitter to >consider >the following document: > > >- 'Suite B Cipher Suites for TLS ' > <draft-rescorla-tls-suiteb-06.txtas an Informational RFC > > >The IESG plans to make a decision in the next few weeks, and solicits >final comments on this action. Please send substantive comments to >the >ietf@ietf.org mailing lists by 2008-10-23. Exceptionally, >comments may be sent to iesg@ietf.org instead. In either case, please >retain the beginning of the Subject line to allow automated sorting. > > >The file can be obtained via >http://www.ietf.org/internet-drafts/draft-rescorla-tls-suiteb-06.txt > > > > >IESG discussion can be tracked via > > >https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag >=15530&rfc_flag=0 > > >_______________________________________________ >IETF-Announce mailing list >IETF-Announce@ietf.org >https://www.ietf.org/mailman/listinfo/ietf-announce ------------------------------ _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls End of TLS Digest, Vol 51, Issue 2 ********************************** _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] New version of draft-ietf-tls-ecdhe-psk aft… Mohamad Badra
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Pasi.Eronen
- [TLS] RE: New version of draft-ietf-tlRE: New v… badra
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Mohamad Badra
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Mohamad Badra
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Pasi.Eronen
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Mohamad Badra
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Mark Tillinghast
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Alfred Hönes
- Re: [TLS] New version of draft-ietf-tls-ecdhe-psk… Mark Tillinghast