Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 13 March 2014 18:36 UTC

To: Nico Williams <nico@cryptonector.com>, Manuel Pégourié-Gonnard <mpg@polarssl.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/z_OEQAYl_82byR2WZAEx_2rY4rg
Cc: "tls@ietf.org" <tls@ietf.org>

Hi Nico,

this is about much more than anon-DH cipher suites. The proposal that if 
the client doesn't see a DANE certificate, it can initiate a TLS 
connection with (only) anon-DH means that even if the server does have a 
PKIX certificate (maybe it's old and has not heard of TLSA yet:-), the 
client will not be able to get an authenticated connection with it. So 
we will probably need these cipher suites combined with additional TLS 
signaling, as well as certificate pinning, to allow clients to juggle 
securely between authenticated and anonymous TLS.

Thanks,
	Yaron

On 03/13/2014 07:02 AM, Nico Williams wrote:
[...]

>
> In the SMTP case when there's no TLSA RRs in the DNS for the server
> and the server has no certificates, the client may prefer to use anon
> DH/ECDH.  Considering that e-mail has historically had very poor
> privacy protection, that would be a huge step up.  But today an SMTP
> client can't get high-performance ECDH and AEAD ciphers :(