Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC

[<Pasi.Eronen at nokia.com>]

Hi,

The contents of the draft have changed quite a bit since version -02
(which was posted just before the Dublin meeting), and I have some 
comments about the changes:

It's a bit surprising that e.g. TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
when negotiated in TLS 1.2, would use the TLS PRF with SHA-1 as the 
hash function. Note that e.g. TLS_DHE_PSK_WITH_AES_128_CBC_SHA (from 
RFC 4279) would in this situation use the TLS PRF with SHA-256.

My suggestion would be to say that all these cipher suites can be
negotiated with any TLS version; when used with TLS <1.2, they use
the PRF from that version; when used with TLS >=1.2, they use the
TLS PRF with SHA-256 or SHA-384. (In other words: they'd work the
same way as the cipher suites in RFC 4492/4279/4785.)

This change would probably allow us to remove the SHA-1 suites 
completely. Also, while I can understand combining AES-128 with 
SHA-256, and AES-256 with SHA-384, I'm not sure why we need to 
combine NULL encryption with three different MACs...

Best regards,
Pasi 

> -----Original Message-----
> From: tls-bounces at ietf.org [mailto:tls-bounces at ietf.org] On 
> Behalf Of ext Mohamad Badra
> Sent: 29 September, 2008 13:27
> To: Joseph Salowey (jsalowey); Eric Rescorla
> Cc: tls mailing list
> Subject: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC
> 
> Dear all,
> 
> A new version of draft-ietf-tls-ecdhe-psk is now available 
> (http://www.ietf.org/internet-drafts/draft-ietf-tls-ecdhe-psk-03.txt).
> 
> All WGLC and post-WGLC comments received have now been acted 
> upon, the 
> References have been updated, and the new version now 
> includes a minimum 
> number of cipher suites using SHA-2 algorithms as in RFC 5289 
> etc. (and 
> which are only usable with TLS 1.2 and up) as well, in order to avoid 
> having to produce an extra document to conform with the IESG 
> appeal to 
> move to stronger hash algorithms.
> 
> The draft should now be ready to request publication as an 
> RFC; at IEFT 
> 72, the WG had agreed to postpone that until after the publication of 
> TLS 1.2, RFC 5246 (which has happened six weeks ago) and the 
> progress of 
> the other two TLS cipher suite WG drafts (which have been 
> published as 
> RFCs 5288 and 5289 five weeks ago), to simplify the treatment 
> of References.
> 
> Best regards,
> -- 
> Mohamad Badra
> CNRS - LIMOS Laboratory
> 
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls