IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Mike <mike-list@pobox.com> Fri, 12 October 2007 21:41 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgSFo-00073J-Ni; Fri, 12 Oct 2007 17:41:08 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgSFn-000733-Dd for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 17:41:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgSFn-00070W-3y for tls@lists.ietf.org; Fri, 12 Oct 2007 17:41:07 -0400
Received: from sceptre.pobox.com ([207.106.133.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgSFW-0005sk-O1 for tls@lists.ietf.org; Fri, 12 Oct 2007 17:40:56 -0400
Received: from sceptre (localhost.localdomain [127.0.0.1]) by sceptre.pobox.com (Postfix) with ESMTP id 1A7A02EF for <tls@lists.ietf.org>; Fri, 12 Oct 2007 17:40:24 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sceptre.sasl.smtp.pobox.com (Postfix) with ESMTP id D954A89367 for <tls@lists.ietf.org>; Fri, 12 Oct 2007 17:40:23 -0400 (EDT)
Message-ID: <470FEA1F.7030500@pobox.com>
Date: Fri, 12 Oct 2007 14:41:51 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com> <20071011155829.965C733C28@delta.rtfm.com> <470EF76B.5050102@pobox.com> <20071012045718.DE16033C21@delta.rtfm.com> <470FB525.7010308@pobox.com> <20071012180445.1D22D33C21@delta.rtfm.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]>
In-Reply-To: <p06240828c3357a914a76@[192.168.1.3]>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

>> How long do you think it would take
>> to add this extension to a TLS toolkit?  In my own code, I could
>> probably do it in less than a day, with time left over to get in a
>> round of 18 holes.
> 
> No doubt. Of what positive and negative value would such code be?

Positives:

   - this would allow a server to maintain multiple sets of keys
     and certificate chains of varying cryptographic strength;
     clients with differing requirements could ask for the level
     they desire, instead of being stuck with the lowest common
     denominator
   - a server could support multiple sets of Diffie-Hellman
     parameters, such as all of the groups in RFC 3526; a client
     could choose the parameters rather than being forced to
     accept the server's default (which is probably chosen more
     for performance than security)
   - knowing exactly what the client is looking for helps the
     server select the appropriate cipher suite without the need
     for the client to renegotiate the connection; for example,
     if the server only supports 1024-bit DH parameters, and the
     client asks for 1536-bit, the server can skip past the DHE_*
     cipher suites and select maybe an RSA-based cipher suite
     that the client would accept
   - this mechanism would give power to the client that it
     currently doesn't have, to directly influence the crypto-
     graphic strength of the connection beyond simply listing
     acceptable cipher suites
   - hash agility (or now signature algorithm agility) is being
     added to TLS; this is cryptographic strength agility
   - a client is free to develop its own security profiles; no
     "standard" profiles would be defined
   - a server can keep statistics on the values it receives,
     allowing an administrator to know when it would make sense
     to add support for longer keys, based on actual demand

Negatives:

   - effort is needed to write a specification and approve it
   - a server may not support the extension, so a client may
     have to implement an inefficient renegotiation scheme in
     addition anyway
   - Eric doesn't like it ;-)
   - Others?

> Confusing and/or giving users false senses of security are definitely 
> negative.

Fully agreed.  I don't see how this would be confusing or give
a false sense of security.  The client still has to check that
the requested key lengths (and other parameters it cares about)
are satisfied in the negotiated session.

Mike


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email