Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC
At Thu, 2 Oct 2008 12:13:39 -0700, Mark Tillinghast wrote:
>
> I would like to remove the SHA-1 stuff completely.
> Compatibility with SHA-1 is anathema to me.
>
> Mark
Mark, could you please explain why this argument has not been
raised during WGLC, when the draft *only* contained backwards
compatible cipher suites that could also be supported in
previous versions of TLS that lack support for SHA-2?
The draft was intended to complement RFC 4279 and RFC 4785
in an equivalent manner with the ECC [1] based key exchanges
from RFC 4492, and as such had been adopted as a WG work item.
And why have similar arguments not been raised before the
publication of RFC 5246 and other recent documents?
If I understand your reasoning, consequently TLS 1.2 ought
to have deprecated all pre-existent TLS cipher suites using
SHA-1 and covered by that document, as should have RFC 5288
and 5289 for the respectively related earlier cipher suites.
Did you mean that?
I am posting this message because, if I recall correctly,
the recent additions are based on a question I had raised
during WGLC, which triggered a discussion thread. This would
perhaps have been the proper time to make your voice audible.
As a follow-up, the TLS session in Dublin has consented to
solicit an update of the draft taking the WGLC comments into
proper consideration, and to then forward it to the IESG.
The first step has been done.
The author has judged to include the SHA-2 cipher suites
taking into account that, after the draft had been delayed
by a busy working group until TLS 1.2 had been completed,
this would now be a commensurate step forward.
Reading the diffs I cannot see that the updated draft
violates the rough consensus achieved at WGLC. The
additions look clearly structured and follow the spirit
of the previous versions in a straightforward manner.
I am not aware of any recent striking developments in
cryptanalysis since the WGLC that would necessitate an
immediate fundamental reconsideration. NIST reportedly
intends to support SHA-1 for more than two years to come.
The primary use of it here anyway is within HMAC -- and that is
still commonly considered not to have been attacked successfully.
Other IETF WGs currently even hesitate to remove MD-2 and MD-5
from document updates in progress, because they want to leave
the decision to the deployment and the applications using
their specifications. Equally, the PSK cipher suites are
targeted at managed environments that should be able to make
educated decisions on which cryptographic strength they need.
Mark, therefore I kindly ask you to study the "Working Group
Guidelines and Procedures" (BCP 25, RFC 2418) before you try
to disrupt these procedures. Thanks.
Kind regards,
Alfred.
--
P.S.: [1]
An interesting (less technical) reading about the development and
the socialization of ECC can be found in a recent research paper
from two of the 'cradles of ECC':
A. H. Koblitz, N. Koblitz & A. Menezes; "Elliptic Curve Cryptography:
The Serpentine Course of a Paradigm Shift";
Univ. of Washington / Univ. of Waterloo; Aug 2008, revised Sep 2008
available at:
<http://www.cacr.math.uwaterloo.ca/techreports/2008/cacr2008-19.pdf>
Have a nice reading! { The authors must also have visited IETF
meetings and followed WG discussions. :-) }
If in hurry, skip to Section 13 and look into the mirror. :-)
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   | Alfred Hoenes  Dipl.-Math., Dipl.-Phys.    |
| Gerlinger Strasse 12   | Phone: (+49)7156/9635-0, Fax: -18          |
| D-71254 Ditzingen      | E-Mail: ah at TR-Sys.de                    |
+------------------------+--------------------------------------------+
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls