IETF Logo Mail Archive

Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites

Aaron Zauner <azet@azet.org> Wed, 06 April 2016 15:24 UTC

Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CFA712D660 for <tls@ietfa.amsl.com>; Wed, 6 Apr 2016 08:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JtoXmm6N-fs for <tls@ietfa.amsl.com>; Wed, 6 Apr 2016 08:24:16 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 688DB12D781 for <tls@ietf.org>; Wed, 6 Apr 2016 08:21:07 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id n3so68073613wmn.0 for <tls@ietf.org>; Wed, 06 Apr 2016 08:21:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=P1ip9ayDHN8ok9O3asjw8yUS6rU4g8niUIOOGmW1qy8=; b=g5R3RQRcjW+jaabAd3bD5DVkyPsh26Iz0qS8OI0xqbwv38J+Db5q94SKieHQfFTL/Y eyjBbvVqPZ7fRCTqbqwBqhYMvlgN/RqSL08Z4mRgiyuNe+Phwv8oPZXy2jfy743NqSWk D9W7daAror0PZHzaH3O5jLSIlxcpiS3dyl5ME=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=P1ip9ayDHN8ok9O3asjw8yUS6rU4g8niUIOOGmW1qy8=; b=cmRYyOBO/nEbBFwqtBp1Upg3/YCRZ7zfo6QTk3OmC5Iks6PLYYAimWMv9gO7lupJou YAmWExm6qLtojur7JfcEqevBOSgOhTUoWxB+aYDSsqFrhkrrd/09dGy/9lO46t2wdWNp IlMscy1UbYQdgv1CwtW0au0kr9DaH9SB4rv8l2BimsxrVz2PJXmUmT3dhgOusDtubcKm fHBWotUazjbJi1OSfcyNo1YNwS4nz4U6vVzbXK24H6872cXpMY8CO4BYWI5RJ3j0nixk stxzFFqSmPp4gZdhKFiCIc8VzYmSa8x2bRWYnw14MNI0ebDvMHsUWIK3oZ+i6Ls9VWi4 PPeA==
X-Gm-Message-State: AD7BkJKuFQfwmEX0x3f5mPpw7YFg4N1TWm1xT9WHnN8rvawkK4NGaS5E91eNMexvenHUew==
X-Received: by 10.28.218.145 with SMTP id r139mr25618302wmg.52.1459956065996; Wed, 06 Apr 2016 08:21:05 -0700 (PDT)
Received: from [192.168.23.127] (chello212017113090.11.11.vie.surfer.at. [212.17.113.90]) by smtp.gmail.com with ESMTPSA id a184sm1835031wma.3.2016.04.06.08.21.03 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 06 Apr 2016 08:21:03 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_FD0CF216-BAFA-47EE-ABD1-2F2C72714806"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com>
Date: Wed, 06 Apr 2016 17:21:29 +0200
Message-Id: <BABA92DA-1429-4A3F-8E87-1CAD67B92C95@azet.org>
References: <20DDE657-E1A9-4705-936D-40673294C4EB@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rvjUPxc1SAQa7CeaIMJn8WLG_yk>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] call for consensus: changes to IANA registry rules for cipher suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2016 15:24:18 -0000

Hi,

> On 30 Mar 2016, at 03:53, Sean Turner <sean@sn3rd.com> wrote:
> 
> Hi!
> 
> In Yokohama, we discussed changing the IANA registry assignment rules for cipher suites to allow anyone with a stable, publicly available, peer reviewed reference document to request and get a code point and to add an “IETF Recommended” column to the registry.  This change is motivated by the large # of requests received for code points [0], the need to alter the incorrect perception that getting a code point somehow legitimizes the suite/algorithm, and to help implementers out.  We need to determine whether we have consensus on this plan, which follows:
> 
> 1. The IANA registry rules for the TLS cipher suite registry [1] will be changed to specification required.
> 
> 2. A new “IETF Recommended” column will be added with two values: “Y” or “N”.  Y and N have the following meaning:
> 
> Cipher suites marked with a “Y” the IETF has consensus on
> and are reasonably expected to be supported by widely
> used implementations such as open-source libraries.  The
> IETF takes no position on the cipher suites marked with an
> “N”.  Not IETF recommended does not necessarily (but can)
> mean that the ciphers are not cryptographically sound (i.e.,
> are bad).  Cipher suites can be recategorized from N to Y
> (e.g., Curve448) and vice versa.
> 
> 3. We will add a “Note" to the IANA registry itself (i.e., on [0]) that matches the above so that the same information is available to those who don’t read the IANA considerations section of the RFC.
> 
> Please indicate whether or not you could support this plan.

I maintain the OCB draft and I do support this idea. Sorry for joining this thread late. I did however vote on it during the meeting on monday.

What's still unclear to me from the discussion is what suites would get a Y or N and which suites won't. Are we just talking about WG consensus or does implementation-availability weigh in here? It's not perfectly clear to me how this would be decided; just because the IANA registry flags a certain suite as preferred doesn't mean it actually will be implemented, and vice-versa. Library authors sometimes implement algorithms out of pure interest and love for coding. I, too, think going beyond a simple Y/N would just further complicate things for implementers and people trying to understand the IANA registry.

Aaron

v2.23.0 | Report a Bug | By Email