Re: [TLS] Inclusion of OCB mode in TLS 1.3

Aaron Zauner <> Wed, 14 January 2015 16:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7CC9D1A90D4 for <>; Wed, 14 Jan 2015 08:52:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VcUl2xbpvfOT for <>; Wed, 14 Jan 2015 08:52:02 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 270051A90E9 for <>; Wed, 14 Jan 2015 08:52:02 -0800 (PST)
Received: by with SMTP id l15so12254612wiw.4 for <>; Wed, 14 Jan 2015 08:52:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=KBrwMS/HyvpRMI2Xm6tVOk0h+0zCMZSRiNexK53NpRE=; b=e712JA/Pf07nhz7GcgXNRDfys6U/fORrEOY0CbksnJ9eaT9kCIgXw0OBEZibNLj4OD tTLyKKdRYyQxfgDp3wb1l6xD6Mh0jHlt7dByvNbLnhleRzzAdmhO0lQ7rBlraA6RXYdL BL1/Yh9Y796DnkC8nIk5n28OLjcOm2c8FexX1KwHHcZjPG/O3qNsKiatU1Y5P+StZOwp b8u1zxPK4TaOHnFcXJoHRaGy3dfGjgFHDfcZU/E1GgJlx+elzYnZsQ9AIanqPGtxmVmq sI8bsKND23rYxJSz4jDUYJTC1WAa2seJtrrEEggQW9nLU6GNO1QhUvjdOKVrzojM3gPM yDEg==
X-Gm-Message-State: ALoCoQl6gz8bkmutetmKAY2yug6XHeg3ue7HCE5Cs+aJkNlW+zFCNFq4SDlt3tx1DRS7mTzwtPkE
X-Received: by with SMTP id fg3mr44153590wib.36.1421254320649; Wed, 14 Jan 2015 08:52:00 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id q10sm30784096wjx.34.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 14 Jan 2015 08:51:59 -0800 (PST)
Message-ID: <>
Date: Wed, 14 Jan 2015 17:51:55 +0100
From: Aaron Zauner <>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig1C25391296086EEAD1A4CD1A"
Archived-At: <>
Cc: TLS Mailing List <>
Subject: Re: [TLS] Inclusion of OCB mode in TLS 1.3
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Jan 2015 16:52:07 -0000

Nikos Mavrogiannopoulos wrote:
> I don't see why OCB has to be tied to TLS 1.3. The last time such move
> was made with having GCM/AEAD restricted to TLS 1.2, it proved quite
> wrong (in the sense that not doing it would have avoided the majority of
> the problems we saw the last years). TLS 1.3 is a draft document to be
> deployed in 2-3 years after published (in the best case scenario). There
> is no reason the existing implementations cannot take advantage of OCB,
> if ever defined. 
I'm trying to find a compromise between having to pollute the TLS
ciphersuite registry with tons of ciphersuites (as has been pointed out
to me is not desirable) and OCB being deployable in the real world for
implementors that would like to use it (and are allowed to w.r.t. it's

If the majority is for a) dropping the idea b) having OCB in >= TLS 1.2,
and thus tons of ciphersuites or c) for TLS 1.3 applicable ciphersuites
only - I'll draft it that way.

Having this discussion beforehand will also save time on editing the
draft all the time, in case on is to be written.

I'm open for any suggestions and some consensus on the topic would be nice.