Re: [TLS] WGLC for draft-ietf-tls-ecc
Bodo Moeller <bmoeller@acm.org> Wed, 20 April 2005 03:44 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DO68f-0005zA-Aw; Tue, 19 Apr 2005 23:44:33 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DO68e-0005yc-50 for tls@megatron.ietf.org; Tue, 19 Apr 2005 23:44:32 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA22441 for <tls@ietf.org>; Tue, 19 Apr 2005 23:44:28 -0400 (EDT)
Received: from moutng.kundenserver.de ([212.227.126.171]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DO6Jm-0002bY-OP for tls@ietf.org; Tue, 19 Apr 2005 23:56:03 -0400
Received: from S01060030bdc6ced5.cg.shawcable.net[68.147.30.54] (helo=tau.local) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML21M-1DO68X3SR6-0005N6; Wed, 20 Apr 2005 05:44:25 +0200
Received: by tau.local (Postfix, from userid 500) id 5EC5E30CAB; Tue, 19 Apr 2005 21:43:36 -0600 (MDT)
Date: Tue, 19 Apr 2005 21:43:36 -0600
From: Bodo Moeller <bmoeller@acm.org>
To: Ari Medvinsky <arimed@windows.microsoft.com>
Subject: Re: [TLS] WGLC for draft-ietf-tls-ecc
Message-ID: <20050420034336.GA31857@tau.local>
References: <EC7D742B33592743BF23DAF2B678DE800EBE5579@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <EC7D742B33592743BF23DAF2B678DE800EBE5579@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>
User-Agent: Mutt/1.4i
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: Jeff Spelman <jeffspel@windows.microsoft.com>, Stefan Santesson <stefans@microsoft.com>, tls@ietf.org, Joshua Ball <joshball@windows.microsoft.com>, Cristian Ilac <crisilac@windows.microsoft.com>
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@lists.ietf.org
Errors-To: tls-bounces@lists.ietf.org
On Tue, Apr 19, 2005 at 03:15:56PM -0700, Ari Medvinsky wrote:
> 1) SHA1 issue:
>
> Since we are defining new cipher suites I don't think that it makes
> sense to say that we should not use a stronger hash function just
> because there are existing cipher suites that already use Sha1 or Md5.
Existing ciphersuites using SHA-1 surely don't *force* us to use SHA-1
for new ciphersuites. It's just that sticking to SHA-1 for now allows
us to use a harmonized approach to solve the problem for many
ciphersuites to minimize differences between ciphersuites.
If it was already precisely certain how the existing TLS ciphersuites
would be fixed, then we'd have an example to follow -- but I don't
think this is quite clear yet:
A straightforward approach would be to simply plug in SHA-256 instead
of SHA-1, thus introducing larger MAC tags. A disadvantage is that
SHA-256 is slower, and obviously that MAC tags would be longer. The
latter problem can be lessened by using SHA-192 instead (so that MAC
tags would be just four bytes longer than they are now), or by
truncating the MAC even more. But in any case, the newer SHAs are
slower than SHA-1. The future preferred MAC function for TLS might
end up being something different from any SHA-{1,192,256,...} HMAC;
so by using SHA-192 or SHA-256 now, we possibly will create more
confusion between different ciphersuites and protocol versions in the
future.
> The PRF problem needs to be addressed separately and should not be
> gaiting factor. Moreover, even if we are to wait until TLS 1.2, the
> approach to simply use SHA-256 whenever SHA1 is specified will not work
> for backward compatibility reasons.
Backward compatibility would be no problem: Protocol version
negotiation can decide which MAC to use, just like SSL 3.0
ciphersuites uses a slightly different MAC construction than the same
ciphersuites in TLS 1.0. (This time, the difference would be more
significant.) Those who want to totally avoid SHA-1 would have to
insist on the appropriate minimum protocol version.
> 2) Chaining with certs using mixed crypto (ECC/RSA) issue:
>
> I agree with your comments. However, the current version of the draft
> leaves this issue ambiguous. All that is needed is a couple of
> additional sentences which state that mixed chains are permitted (or not
> permitted) - it just needs to be explicit.
Agreed. The approach that seems to make most sense here is to come up
with a wording that can be added similarly both to
draft-ietf-tls-rfc2246-bis-09.txt and to draft-ietf-tls-ecc-09.txt.
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
- [TLS] WGLC for draft-ietf-tls-ecc Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ecc Nils Larsch
- Re: [TLS] WGLC for draft-ietf-tls-ecc Bodo Moeller
- RE: [TLS] WGLC for draft-ietf-tls-ecc Ari Medvinsky
- RE: [TLS] WGLC for draft-ietf-tls-ecc Ari Medvinsky
- Re: [TLS] WGLC for draft-ietf-tls-ecc Bodo Moeller
- RE: [TLS] WGLC for draft-ietf-tls-ecc Ari Medvinsky
- Re: [TLS] WGLC for draft-ietf-tls-ecc Bodo Moeller
- Re: [TLS] WGLC for draft-ietf-tls-ecc Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-ecc Nils Larsch
- Re: [TLS] WGLC for draft-ietf-tls-ecc Jack Lloyd
- Re: [TLS] WGLC for draft-ietf-tls-ecc Bodo Moeller
- Re: [TLS] WGLC for draft-ietf-tls-ecc Bodo Moeller