[TLS] Deprecate DH_anon in favor of raw public keys?
Eric Rescorla <ekr@rtfm.com> Fri, 28 August 2015 17:35 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7CF1B30C2 for <tls@ietfa.amsl.com>; Fri, 28 Aug 2015 10:35:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BUcj5gkYyfM8 for <tls@ietfa.amsl.com>; Fri, 28 Aug 2015 10:35:52 -0700 (PDT)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F6DD1B2EB2 for <tls@ietf.org>; Fri, 28 Aug 2015 10:35:52 -0700 (PDT)
Received: by wibcx1 with SMTP id cx1so3006865wib.1 for <tls@ietf.org>; Fri, 28 Aug 2015 10:35:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=z5PLD4wqYR2ALYEDLd021d6LdRm6hAzJ0WILa+nI0Rw=; b=F+TRfEb3ss7eVIE7ETyXCU0SM+vpDNBsyubtBaYVRV6HN+Ab3sU1to835vJCsozqom k8/RCtd9YCvNng744wNaK1OOGNKog0O6HpAjZ0hJh/kl72iNct2gcXM7RhfVkZyX/ukk aISIK6WQuk8xL7Eo6m5gNMjYX1Eei9ER6b5DxqdeXWe6285gxMuavvCeIaP8LWo4noWY ynVWN5bhNEuIOmd3czWKXSRylEx44FUpGethcWsTnGjDVpt8nR9AIHR6KRzwX06vcR2H /cQjLm3tQAJbSJDeQfmy+DP7O1dhuc2WCnAqG++e4fFpkHTzDbdq+vvwSjg6sDIStAB3 HVuw==
X-Gm-Message-State: ALoCoQk1tXOKxmUPcxOpqg8gchwjbsCdAF7zVJp9eYTO7kHeJj2DoqdgIA5nqxw22/+izTzkiG/t
X-Received: by 10.194.79.225 with SMTP id m1mr13013820wjx.8.1440783351264; Fri, 28 Aug 2015 10:35:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.179.221 with HTTP; Fri, 28 Aug 2015 10:35:11 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 28 Aug 2015 10:35:11 -0700
Message-ID: <CABcZeBNQ0AV4m0U9shshsaco5zGDXKzxFkVV3iB2Sbp_QoGmGg@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b10c903d9c672051e6283a1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/oC8pyqtrBl0ZE6pjkOq__O1TGXY>
Subject: [TLS] Deprecate DH_anon in favor of raw public keys?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 17:35:57 -0000
https://github.com/tlswg/tls13-spec/issues/233 Folks, We presently have some support for DH_anon cipher suites. I agree that this is a useful use case, but it's yet another mode. I would like to suggest that we instead deprecate it and instead always use Raw Public Key mode (https://tools.ietf.org/html/rfc7250). The idea is that the client would simply indicate support for a raw public key and the server could then either (a) spin a new key for this use or (b) use a long-term one. To my mind this has three advantages: 1. Complexity: It means that we have one less operational mode. And all the public key modes would look cryptographically similar. 2. It resolves the question of how you bind to the server's identity in 0-RTT mode (https://github.com/tlswg/tls13-spec/issues/219), namely the raw public key that goes in the Certificate message. 3. It makes it easier to do an SSH-style leap-of-faith mode since the server can use the same signing key for a long time while maintaining PFS. It seems to me that the two major counterarguments are: 1. Extra computational cost from the signature. I'm not worried too much about that since generally the anonymous contexts don't do a lot of connections and we don't really want to encourage pure anonymous (i.e., non-TOFU) modes anyway. 2. It's less explicit that this is unverified. Arguably this is a feature rather than a bug. Thoughts? -Ekr
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Dave Garrett
- [TLS] Deprecate DH_anon in favor of raw public ke… Eric Rescorla
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Martin Thomson
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Eric Rescorla
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Viktor Dukhovni
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Eric Rescorla
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Martin Thomson
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Martin Thomson
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Ronald del Rosario
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Nico Williams
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Eric Rescorla
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Nico Williams
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Eric Rescorla
- Re: [TLS] Deprecate DH_anon in favor of raw publi… Nico Williams