Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt

"Dan Harkins" <> Mon, 11 July 2016 20:26 UTC

  I'm glad I have the opportunity to make you happy, Sean :-)

On Mon, July 11, 2016 7:40 am, Sean Turner wrote:
> I think I can take this bit:
> On Jul 10, 2016, at 06:51, Peter Dettman <>
> wrote:
>> I'm also curious whether there is a precedent in other RFCs for an
>> explicit minimum curve bits, or perhaps a de facto implementer's rule?
> I'd be happy to be wrong here, but to my knowledge, no, there's not been
> an explicit minimum for curve bits.  There have however been similar (at
> least in my non-cryptographer mind) for RSA key sizes so if we wanted to
> define an explicit minimum curve bits then we could.

  draft-ietf-tls-pwd-07 includes a RECOMMENDED practice of ensuring
the curves used provide commensurate strength with the ciphersuite
negotiated. Section 10, "Implementation Considerations", says:

   It is RECOMMENDED that implementations take note of the strength
   estimates of particular groups and to select a ciphersuite providing
   commensurate security with its hash and encryption algorithms.  A
   ciphersuite whose encryption algorithm has a keylength less than the
   strength estimate, or whose hash algorithm has a blocksize that is
   less than twice the strength estimate SHOULD NOT be used.

  And I would like to take this opportunity to remind everyone that
the only difference between TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
and TLS_ECCPWD_WITH_AES_128_GCM_SHA256 is that the latter is resistant
to dictionary attack and the former is not.