Re: [TLS] Should we use proof-of-possession rather than signatures?

Michael Hamburg <mike@shiftleft.org> Tue, 24 November 2015 21:25 UTC

From: Michael Hamburg <mike@shiftleft.org>
Date: Tue, 24 Nov 2015 13:25:57 -0800
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/quqd6_WAPWD-T8zXf8YMzonO3IM>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Should we use proof-of-possession rather than signatures?

> On Nov 24, 2015, at 12:27 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote:
> On Tue, Nov 24, 2015 at 12:53 PM, Mike Hamburg <mike@shiftleft.org> wrote:
> 
> I agree that the speed and size savings are not necessarily worth the complexity. If we were rolling a new protocol from scratch they probably would be though. 
> 
> The all-DH-based solution, with DH certificates, does not add complexity but rather simplifies the protocol and analysis, and opens the option of more efficient protocols (e.g. MQV-like ones). But the world does not seem ready to depart from the beloved signature certificates.
> 
> Hugo

I agree for new protocols, but the proposal for TLS isn’t all-DH.  It’s allowing both all-DH and DHE+sign.  That’s more complex than just allowing DHE+sign.  But I suppose the difference in TLS as proposed is really just putting a DH+MAC in CertificateVerify instead of a signature, which isn’t a complicated difference.

Sorry to be negative.  I really do like all-DH for simplicity, compactness and speed, especially if IP-encumbered algorithms are available.  I’m not against its inclusion in TLS if others think it’s worth the complexity of adding another option.  But I’m grumpy because this thread started with an insecure proposal justified using incorrect numbers.

— Mike
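The "DH+MAC in CertificateVerify instead of a signature" construction Mike refers to above, as an added Go sketch that is not part of this thread or of any TLS implementation: the client certificate carries a static X25519 key, and proof of possession is an HMAC over the transcript keyed from the static/ephemeral shared secret. The derivation label, the function names and the constructed transcript are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// cvKey binds the static/ephemeral shared secret to the transcript hash
// (HMAC stands in for TLS 1.3's HKDF; the label is an assumption).
func cvKey(shared, th []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write([]byte("assumed label: dh-certificate-verify"))
	m.Write(th)
	return m.Sum(nil)
}

// ProveCV computes the DH+MAC CertificateVerify from the prover's private key
// and the peer's share; X25519 is symmetric, so the server recomputes it too.
func ProveCV(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, transcript []byte) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil { return nil, err }
	th := sha256.Sum256(transcript)
	m := hmac.New(sha256.New, cvKey(shared, th[:]))
	m.Write(th[:])
	return m.Sum(nil), nil
}

// CheckCV is the server side: recompute using the certificate's public key.
func CheckCV(serverEph *ecdh.PrivateKey, certPub *ecdh.PublicKey, transcript, cv []byte) bool {
	expected, err := ProveCV(serverEph, certPub, transcript)
	return err == nil && hmac.Equal(expected, cv)
}

// Demo: honest client passes; an impostor presenting the certificate without
// its private key fails; a captured CV does not verify for another transcript.
func Demo() (honest, impostor, replay bool) {
	c := ecdh.X25519()
	static, _ := c.GenerateKey(rand.Reader) // private key behind the client cert
	eph, _ := c.GenerateKey(rand.Reader)    // server's ephemeral share
	fake, _ := c.GenerateKey(rand.Reader)   // impostor's own key
	tr := []byte("constructed transcript: ClientHello..Certificate")
	cv, _ := ProveCV(static, eph.PublicKey(), tr)
	bad, _ := ProveCV(fake, eph.PublicKey(), tr)
	honest = CheckCV(eph, static.PublicKey(), tr, cv)
	impostor = CheckCV(eph, static.PublicKey(), tr, bad)
	replay = CheckCV(eph, static.PublicKey(), append(tr, '!'), cv)
	return
}
```

The point of the check is that verification needs only the public key already in the certificate plus the server's own ephemeral secret, so no signature algorithm is involved.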