Re: [TLS] MTI policy & practice (Was: Re: Comments on various things on agenda)
Aaron Zauner <azet@azet.org> Mon, 09 March 2015 21:13 UTC
Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B73DE1A90F5 for <tls@ietfa.amsl.com>; Mon, 9 Mar 2015 14:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qCbvuhf2XnKI for <tls@ietfa.amsl.com>; Mon, 9 Mar 2015 14:13:19 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92F8D1A916B for <tls@ietf.org>; Mon, 9 Mar 2015 14:12:18 -0700 (PDT)
Received: by wevl61 with SMTP id l61so13421540wev.10 for <tls@ietf.org>; Mon, 09 Mar 2015 14:12:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=U0ys+LRcrKbzUV39GYkaLOHKaccJNguFVm6EeMFArwg=; b=dWWpQXl0vpfb/oPLf1536HgAc72dCFnNazpcpFIM38UtLgCvE0e4buzBrXTBHt3FgH 4dCmiPx65s3ub11EaDXEy5vRKeJaHDXZ7YD4EYCFKUyVViLC/wk1voQULf5u14hhwD2q 8zmRG/YPr0tGGFI+aVNVShaVpvv73trgDU2HykKAhZZ3IeZd8fM4vHlGUmh331XNdUG0 dNluKPDz83LdH0icaRMARhW/8XWAN5zp9dPj1Klo0afRtQNywQSlBjAOGHVOuteblzqX hLe775fS12EGDhWD1/X/jHYcdJOd/raUEi8UuQU7DcZp0CF51UI8CNQKwSLclvpOli7r /zIQ==
X-Gm-Message-State: ALoCoQnFlBs68G+TwfSkuwQGzGEfnbsMY22riZH0dJzWwSd1y/ekguD5sAbiMHg0X4PEHkBVKo1q
X-Received: by 10.180.75.233 with SMTP id f9mr34618135wiw.5.1425935537360; Mon, 09 Mar 2015 14:12:17 -0700 (PDT)
Received: from [10.0.0.142] (chello080108032135.14.11.univie.teleweb.at. [80.108.32.135]) by mx.google.com with ESMTPSA id hl15sm10119040wib.3.2015.03.09.14.12.15 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 09 Mar 2015 14:12:16 -0700 (PDT)
Message-ID: <54FE0CAC.1040504@azet.org>
Date: Mon, 09 Mar 2015 22:12:12 +0100
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Dave Garrett <davemgarrett@gmail.com>
References: <65D2FD736B6B2B48B2EAD2BD189DC9CC270CA949@LLE2K10-MBX01.mitll.ad.local> <201503091610.23008.davemgarrett@gmail.com>
In-Reply-To: <201503091610.23008.davemgarrett@gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig0CABAF90E43C38454BF63772"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/u-zGr5SGxna9DrNAlc3vWlLVa8o>
Cc: Stephen Checkoway <s@pahtak.org>, tls@ietf.org
Subject: Re: [TLS] MTI policy & practice (Was: Re: Comments on various things on agenda)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 21:13:21 -0000
Hi Dave, et al.,
Dave Garrett wrote:
> Honestly, I don't believe the existing policy is unreasonable. If implementers could actually be compelled to implement both, great, but RFCs can get ignored and in practice you could end up with only one... and no interop.
I don't see why having only one MTI ciphersuites would change that
outcome? If the RFC gets ignored anything could happen. A TLS
implementation that is unable to speak to other implementations is
pretty useless; that would probably also be the observation by the
implementers.
> A bigger problem is that just specifying MTI isn't enough in practice. It would be better to have an MTI and a separate MTD (MTI + mandatory to deploy). For example, with RC4 being phased out I've actually got a report from someone who has a host that uses TLS 1.2 but with their MTI suite (AES-CBC) disabled, and only RC4 and Camellia supported. This shouldn't be a thing we have to worry about. If we picked an MTD and an MTI, that would be far more reliable. Both would of course be subject to revision in a future RFC, and it should probably state that up front. (instead of pretending that everything will be fine forever)
>
I get why some implementers (e.g. embedded people) would only want to
have to implement one ciphersuite. My concern is also for deployment. I
do believe (possibly naively) that most implementers will know what
their users need. But then again -- maybe I'm just confused by the term
(which should be defined in more detail, in case) -- but doesn't
mandatory to deploy also mandate that implementations do support the
specified ciphersuites in practice?
I don't think that just because something has been 'convention' for some
time it's always the best option (see postel's law). It might make sense
to reevaluate as others have also stated in this thread.
Again; are there serious concerns why there should not be more than one
MTI ciphersuite in the TLS 1.3 spec.?
> MTI: ECDHE AES-GCM (possibly both ECDSA and RSA auth)
That would be again more than one ciphersuite. So why not have more than
one but with different AEAD constructions?
BTW: I'm not convinced ECDSA is the best path to take [0]. AFAIK from
deployments most commercial CAs do not issue ECDSA certificates either,
unless that has changed significantly over the last year or so.
>
> Also specifying MTI curves is probably a good idea at this point.
>
AFAICT it'll take CFRG some more time until a recommendation can be
made. I don't believe it'd be a good idea for TLS-WG to specify a curve
before there is consensus within CFRG.
Thanks,
Aaron
[0] djb explains this in more detail over here:
http://blog.cr.yp.to/20140323-ecdsa.html
- [TLS] TLS Interim - update and agenda Joseph Salowey
- Re: [TLS] TLS Interim - update and agenda Yoav Nir
- Re: [TLS] TLS Interim - update and agenda Benjamin Beurdouche
- Re: [TLS] TLS Interim - update and agenda Sean Turner
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- [TLS] Comments on various things on agenda (Was: … Ilari Liusvaara
- Re: [TLS] Comments on various things on agenda (W… Eric Rescorla
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Stephen Farrell
- Re: [TLS] Comments on various things on agenda (W… Aaron Zauner
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Aaron Zauner
- Re: [TLS] Comments on various things on agenda (W… Stephen Checkoway
- Re: [TLS] Comments on various things on agenda (W… Blumenthal, Uri - 0558 - MITLL
- [TLS] MTI policy & practice (Was: Re: Comments on… Dave Garrett
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Aaron Zauner
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Yoav Nir
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Aaron Zauner
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Aaron Zauner
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Watson Ladd
- Re: [TLS] MTI policy & practice (Was: Re: Comment… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Brian Sniffen
- Re: [TLS] Comments on various things on agenda (W… Dave Garrett
- Re: [TLS] Comments on various things on agenda (W… Sean Turner