Re: [TLS] PR #23 for RFC4492bis
David Benjamin <davidben@chromium.org> Mon, 04 July 2016 16:12 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C725B12D1AE for <tls@ietfa.amsl.com>; Mon, 4 Jul 2016 09:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Level:
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4-zvC9KlWNW for <tls@ietfa.amsl.com>; Mon, 4 Jul 2016 09:12:17 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81FAC12D18C for <tls@ietf.org>; Mon, 4 Jul 2016 09:12:17 -0700 (PDT)
Received: by mail-io0-x234.google.com with SMTP id s63so155005931ioi.3 for <tls@ietf.org>; Mon, 04 Jul 2016 09:12:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WNR31xpe18Xw4j+9JkZpytZ3R31wGtya8Ijdl5MTCgw=; b=gL/t4F/sa+X30vTLQgmzxTl3VnW7Z79dHgLvppgeYwSmZb/kNnT0i8jM6904CaKtmv pFVLtvm8CLz7NKuz/tAWyeD37Z5ezNyB/2rO4jwp+QZsZ4Mcy0evjFN2ypy7oEfNPzhG ulevVnqIdlVvfV33sgFdpTd8QX/9Y4e05muSw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WNR31xpe18Xw4j+9JkZpytZ3R31wGtya8Ijdl5MTCgw=; b=KXaynehA45RV63zzgi02eNXFGGP7VPLIcqvpVxdKejFG+zX7E3hT1lO9gL3nr8Cmkm aOZM4d/lTEX2ifdO4jZu/WGNp71kXqPv3PE2eWG61JkKcbI5UA1W9Tf1shXvfXzFlhtz Rh26cW3EPr2v7VmtsjbgRFGI7jJ6Vr9a4E5Cozb8TQnX1cCoAFbH3ya5pySSEE5ShOic a4KZuztdu+w5rxZRpjtZUwZhdArdfTICd9IZIW8cLWuHRs5XiSFiSu/c8f/YUO2CLrM8 355js/ulFqBzAiAW3AQ/TSxF/0rG3u+s6Ev1fuV131NLo6mWCKz2iUFo1lFNse2A4s/a P2vQ==
X-Gm-Message-State: ALyK8tLXoemo8AFQbyFpFLPlAYzI/zA6LlUjgR3OqaW+bJsEzXZwhSc3OTeUdmrViYGxhu8Ra3N1+Y/UgmuYoptp
X-Received: by 10.107.13.82 with SMTP id 79mr10509084ion.97.1467648736683; Mon, 04 Jul 2016 09:12:16 -0700 (PDT)
MIME-Version: 1.0
References: <4A93EB96-11C3-4F08-B1DC-6ED21E11BFC0@gmail.com> <20160704140625.GD4287@LK-Perkele-V2.elisa-laajakaista.fi> <C5503852-9B73-41DD-A54C-5B5ADA643397@gmail.com>
In-Reply-To: <C5503852-9B73-41DD-A54C-5B5ADA643397@gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 04 Jul 2016 16:12:06 +0000
Message-ID: <CAF8qwaB+zBnHAras4e2Mjhts=e-C0dGKbBZRu7zioVqcbd9V6Q@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="001a113fdb5e9b36c80536d19911"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uT9fLI108Z2sOINLWHNHIk_6GBw>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PR #23 for RFC4492bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jul 2016 16:12:20 -0000
On Mon, Jul 4, 2016 at 7:59 AM Yoav Nir <ynir.ietf@gmail.com> wrote: > > > On 4 Jul 2016, at 5:06 PM, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > > On Mon, Jul 04, 2016 at 03:46:00PM +0300, Yoav Nir wrote: > >> Hi > >> > >> Based on an email exchange with Nikos Mavrogiannopoulos, I’ve submitted > a PR. > >> > >> https://github.com/tlswg/rfc4492bis/pull/23 > >> > >> If there are no objections, I will accept it and submit version -08 > this Friday. > > > > While scanning through, I noticed that the Ed25519 and Ed448 "curves" > > are still there. I think negotiating those should be done the same way > > as in TLS 1.3 (those would then appear as hash=7 signature=3/4 IIRC). > > IMO this makes it very complex. TLS 1.3 replaces the old > signature_algorithms extension that had pairs of signature algorithm/hash > algorithm with one that has 16-bit values. > > It changes things for ECDSA as well. We’re not going to change ECDSA in > TLS 1.2. So if we wanted to adopt that we would still interpret 0x04,0x03 > as ECDSA (with whatever curve) along with SHA-256, while 0x07,0x03 would be > Ed25519, not ECDSA with some unknown hash function 0x07. > > Seems strange to me, but I’ll make whatever changes the group wants. > Oops, I think I agreed to backport this at IETF 95 and completely forgot. Sorry about that! My bad. Although, thinking about it now, I'm not sure if we should bother. As you mention, it's weird since ECDSA still needs to be interpreted in the 1.2 style, despite being spelled in the 1.3 way. We'd also end up with the new scheme being defined in two places. It seems better to get X25519 / X448 out the door first as that has no prerequisites. X25519 in TLS already has running code today. Chrome ships it, and Google servers have it enabled. The 1.1.0 release of OpenSSL is also slated to have support. Ed25519 / Ed448, on the other hand, don't even have an embedding in X.509 yet (though hopefully the main question remaining will get resolved in curdle soon). Then there's the timeline for draft-irtf-cfrg-eddsa, which I'm not familiar with. New signature schemes also depend on CAs being willing to sign them which, for the web PKI, I expect will not be fast. Saying new signature schemes are only defined for 1.3 and up seems reasonable enough to me, though I suppose it depends on how the timelines for all the other drafts end up looking. David
- Re: [TLS] PR #23 for RFC4492bis Yoav Nir
- Re: [TLS] PR #23 for RFC4492bis David Benjamin
- Re: [TLS] PR #23 for RFC4492bis Yoav Nir
- Re: [TLS] PR #23 for RFC4492bis Ilari Liusvaara
- [TLS] PR #23 for RFC4492bis Yoav Nir