IETF Logo Mail Archive

Re: [TLS] Authentication Only Ciphersuites RFC

Sean Turner <sean@sn3rd.com> Fri, 15 March 2019 16:34 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C5D12F18C for <tls@ietfa.amsl.com>; Fri, 15 Mar 2019 09:34:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lb6wSe2O5otp for <tls@ietfa.amsl.com>; Fri, 15 Mar 2019 09:34:41 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2496B12AF84 for <tls@ietf.org>; Fri, 15 Mar 2019 09:34:36 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id h39so10788780qte.2 for <tls@ietf.org>; Fri, 15 Mar 2019 09:34:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+1QUhDh5BQcHRrQQeTPp+awMVuR7hRwVh1qTq+dUQ8M=; b=jLIsDKBC63fwu1MDWRjr1450qwoyDl30FS9nBxwUmzXFn0Klf7Trx4shs76GuODzRa znkeoAl92x5R3+Te+2uiCOVybQpyqnwAno6bYRH6mEtcfHAywLo/ky8HpOVfPq6DRfJW Dxtxhy0EeYwEPBWjU4oxY+FFamsOhglHFNgrQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+1QUhDh5BQcHRrQQeTPp+awMVuR7hRwVh1qTq+dUQ8M=; b=DfQLCmAYt8miU9JDqX1p5glyxVckR735f411sYeZcYiETvud/h7wG1VVsMzH79JPEI LtNWeXpWljmCak76TmvreQGjU2+LMkmpZ7+8TqxZzzCNAHd8oW+chUZA4LykaNXyRE01 /+iPehF7HKX9UfTJ6jjxUUZM5oisb7BJGQyV19TQOVISWitI7oVjR9u7GahcOWj9e09r lCIGjCcQPx+jvHzF1RC5FV4F9JvMgngDDlqp08DjHYDljWJJ74lFjw+KzwPzxdl/FRnj Jbw3bl+bVub7z8o7thhGQ7tAqZ6UgcEVs3p+ETVOXssYw/CEDSNP1r1h0Fq2lnqFF/Dp OBjg==
X-Gm-Message-State: APjAAAUv1FQ2oHkCmX+pHyRQFiIuSwKzRA7ASJeXiMV0oQJywCxONcWE EvGXGeax08BiLPW28wUmRk0wTcql37kguQ==
X-Google-Smtp-Source: APXvYqy8GopPbr1xda/EL9do35C3oawpwzMX9K28UElvH7HSw1IUm++NV1pFMBIwq3p8xJ0eggQsbg==
X-Received: by 2002:ac8:2949:: with SMTP id z9mr3579873qtz.302.1552667675329; Fri, 15 Mar 2019 09:34:35 -0700 (PDT)
Received: from [172.16.0.18] ([96.231.222.170]) by smtp.gmail.com with ESMTPSA id i29sm1659258qtc.78.2019.03.15.09.34.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 Mar 2019 09:34:34 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <BN6PR2201MB1092B0FAD8AB0334CF151996997B0@BN6PR2201MB1092.namprd22.prod.outlook.com>
Date: Fri, 15 Mar 2019 12:34:33 -0400
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EA9C20F7-C947-423B-A699-59C35C0FC1C0@sn3rd.com>
References: <BN6PR2201MB1092B0FAD8AB0334CF151996997B0@BN6PR2201MB1092.namprd22.prod.outlook.com>
To: Jack Visoky <jmvisoky@ra.rockwell.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zGRGtA5IpUF_p9ubYOfB9YYptcQ>
Subject: Re: [TLS] Authentication Only Ciphersuites RFC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2019 16:34:44 -0000

(no hat on)

Could we make a couple of tweaks to the to the IANA considerations section that:

1. The draft should probably indicate the values for the other columns.  They’ve been assigned this way so this is more of a documentation thing:

  These DTLS-OK column value is “Y” and
  the Recommended column value is “N”.

2. Ask IANA to add something like the following as note:

  These ciphers provide only data integrity protection and no
  confidentiality protections, i.e., in other words these algorithms
  provide no privacy.  Consult the Applicability Statement in the
  reference column.

While you could argue #2 is maybe a bit over the top because the draft is already referenced and people really ought to read the draft/RFC before implementing, I think we have some experience with that not being the case.  Also, I suspect that based on the concerns raised by Rich (and others) this note couldn’t really hurt.  Some will say that the IANA registries are not the right place for this kind of note, but I do tend to think that the more places we sprinkle security clue the better.


Nits:

s1: r/message../message.

s2: should be:

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.


spt

> On Feb 26, 2019, at 15:54, Jack Visoky <jmvisoky@ra.rockwell.com> wrote:
> 
> TLS Colleagues, 
> If you recall we discussed a draft for authentication only ciphersuites over email back in August of 2018.  We've since made some updates to that draft.  We also have gotten IANA assignments to the authentication only ciphersuites for TLS 1.3 and have updated the draft to reflect the new assignments.
> To that extent, as the IoT community is looking to adopt these ciphersuites, we would like to solicit review of the draft:
>     
>     https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-02
>     
> and request that it be published as informational draft given that the IoT forums are looking to adopt its use and the draft can serve as the guide for use and interoperability.
>  
> Thanks and Best Regards,
>  
> --Jack (and Nancy)
>  
>  
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email