Transport Layer Security (TLS) Working Group Minutes

Meeting : IETF 71, Monday 10 March 2008
Location: Philadelphia, Franklin 3/4, 15:20-17:20
Chairs  : Eric Rescorla and Pasi Eronen
Minutes : Tero Kivinen and Patrick Irwin
Version : 2 (2008-03-13)

----------------------------------------------------------------------

WG summary

Don Eastlake presented RFC 4366-bis, which is the separate draft for TLS extensions. This is mostly editorial but there are two technical issues about certificate URL hashing. The general consensus was (1) to mandate the hash and (2) deal with hash agility by defining a new code point if we need to.

Pasi Eronen presented the DES/IDEA cipher suite document, which breaks those cipher suites out of the main TLS draft. There was discussion about what kind of disclaimer to use and general consensus that in future we need to put clear applicability statements on cipher suites.

Pascal Urien presented ECDHE_PSK, a new WG item. This hasn't had enough review to advance yet. We commissioned two reviews.

Eric Rescorla presented plans for DTLS 1.1. The intention is simply to rev the version to align with TLS 1.2 and fix ambiguities in the original spec. There was substantial support for adopting this as a WG item--needs to be confirmed on list.

Kato Akihiro presented Camellia cipher suites with SHA-256. Camellia is already in TLS, but with SHA-1.

----------------------------------------------------------------------

Agenda bashing (chairs)
-----------------------

Document status (chairs)
------------------------

Two new drafts, ECDHE-PSK and DES+IDEA cipher suites moved to separate draft.

TLS Extensions (Donald Eastlake)
--------------------------------

3 open editorial issues: #98, #99, #100

2 open Technical issues:
  #45 (Mandate certificate URL Hash)
  #46 (Hash agility for certificate URL)

Eric: an issue similar to #45 was raised by NIST a long time ago. Everyone agreed to mandate?
Tim?: Hash agility for certificate URL not absolutely necessary now; can be provided in future with different extension number. Otherwise extension would need to be handled differently in different versions.
Pasi: Same issue exists with #45, with different extension handling in different versions. Is #45 widely implemented? Most popular implementations do not use this.
Eric: Must include certificate url hash, this new mandatory requirement applies to all versions.

DES and IDEA Cipher Suites (Pasi Eronen)
----------------------------------------

Ekr: Agree with the text. A problem may arise if we are opposed to vanity algorithms completely, so far TLS has been adding algorithms as it is harmless.
Joe Salowey: there might be broader impact on the statement.
Russ Housley: you have captured the discussion from the list, and I think it should go that way, i.e., not directly to MUST NOT.
Pasi: Most of the TLS ciphersuites do not use MUST/SHOULD etc text, thus they are MAY.
Tim or Russ?: there will be real problems if we tell national bodies that they cannot make interoperable versions of their own algorithm. But presumably that code would get used, at least within some limited scope.
Paul: This text is fine, and I think we can use that as stake for other documents. We can use it later to ask later documents to add similar scope.
Pasi: There is nobody wanting to use IDEA, so this is not the same.
Paul: We can still use this same kind of text.
Charlie: If someone later wants IDEA we can change it back to MAY, but it was previously recommended and now we are not recommending it anymore.
Pasi: Important to expect that algorithms will be used. Otherwise we are wasting our time.

ECDHE_PSK ciphersuites for TLS (Pascal Urien on behalf of Mohamad Badra)
------------------------------------------------------------------------

Next Steps - Is the document ready for WGLC?

Eric: who has read the document?
[4 people have read the document]

Joe Salowey and Paul Hoffman volunteered to read the document and provide comments by the end of month

DTLS 1.1 (Eric Rescorla)
------------------------

Pasi: is there issue with retransmissions and doing fragmentation again?
Eric: no, reassemble before
Gregory Lebovitz: Where is DTLS used?
Eric: Keying for SRTP, CAPWAP, maybe others.
Gregory: are there binding issues SRTP key extraction? [there's a draft explaining them]
?: Possibly transport model for SNMP
Joe?: Proposals for using DTLS with RADIUS exist

[Room supported calling this DTLS 1.2, and skipping 1.1 version.]

Pasi: Who supports adopting DTLS 1.1 as WG item
[About a dozen hands supporting, none against.]

Camellia cipher suites for TLS (Akihiro Kato)
---------------------------------------------

Tim: SP 800-57 says these are at least 256 bits, not exactly 256 bits

Next steps in the TLS working group (chairs)
--------------------------------------------

Pasi: TLS 1.2 not yet done, 2 docs through WGLC, and several ready for WGLC. Putting strain on WG chair resources. We try to get TLS 1.2 done and GCM documents to IESG first, other documents might need to wait a bit.

----------------------------------------------------------------------
end