Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-04-28 Thread Joseph Salowey
The chairs are forwarding this document to our AD to progress towards publication. Cheers, Joe On Tue, Apr 11, 2017 at 8:21 AM, Joseph Salowey wrote: > Hi Daniel, > > Please submit a revised draft with the changes below. > > Thanks, > > Joe > > > On Tue, Mar 21, 2017 at 11:08 AM, Daniel Migaul

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-04-11 Thread Daniel Migault
Hi Joe, Thanks for the reminder. I just posted it. Let me know if there is anything I have to do. Yours, Daniel On Tue, Apr 11, 2017 at 11:21 AM, Joseph Salowey wrote: > Hi Daniel, > > Please submit a revised draft with the changes below. > > Thanks, > > Joe > > > On Tue, Mar 21, 2017 at 11:08

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-04-11 Thread Joseph Salowey
Hi Daniel, Please submit a revised draft with the changes below. Thanks, Joe On Tue, Mar 21, 2017 at 11:08 AM, Daniel Migault < daniel.miga...@ericsson.com> wrote: > Hi, > > Thank you for the review and comments received. Given the discussion our > understanding was that the consensus was to r

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-21 Thread Daniel Migault
Hi, Thank you for the review and comments received. Given the discussion our understanding was that the consensus was to remove CCM-256 so that suites defined by the document apply both for TLS1.2 as well as for TLS1.3. The draft available on github [1

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-01 Thread Yoav Nir
> On 1 Mar 2017, at 15:06, Aaron Zauner wrote: > > >> On 24 Feb 2017, at 14:07, Salz, Rich wrote: >> >>> Assuming 256-bit AES-CCM suites are needed, I think the better place to put >>> them is in the TLS 1.3 document. >> >> That's a really big assumption. ;) >> >> I think the burden is on f

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-01 Thread Aaron Zauner
> On 01 Mar 2017, at 14:29, Yoav Nir wrote: > > >> On 1 Mar 2017, at 15:06, Aaron Zauner wrote: >> >> >>> On 24 Feb 2017, at 14:07, Salz, Rich wrote: >>> Assuming 256-bit AES-CCM suites are needed, I think the better place to put them is in the TLS 1.3 document. >>> >>> That's a

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-01 Thread Yoav Nir
And they all cost 10 cents a piece, never get updated, and control the floodgates that hold back the biblical flood. > On 1 Mar 2017, at 16:28, Salz, Rich wrote: > > You know what amazes about IoT? No matter what someone tries to do there is > a chip/SoC out there that can't do it. > > Shrug

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-01 Thread Salz, Rich
You know what amazes about IoT? No matter what someone tries to do there is a chip/SoC out there that can't do it. Shrug. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-01 Thread Thomas Pornin
On Wed, Mar 01, 2017 at 01:06:27PM +, Aaron Zauner wrote: > I don't see why the IoT/embedded-world can't make use of ChaCha/Poly > in future implementations? IF the embedded platform is "generic" (say, it's an ARM Cortex M0+), then ChaCha20 is faster than anything using AES. Poly1305 is less c

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-03-01 Thread Aaron Zauner
> On 24 Feb 2017, at 14:07, Salz, Rich wrote: > >> Assuming 256-bit AES-CCM suites are needed, I think the better place to put >> them is in the TLS 1.3 document. > > That's a really big assumption. ;) > > I think the burden is on folks to *prove* (yeah, I know) that additional > cipher suite

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-24 Thread William Whyte
There's an argument that it's worth building in a 256-bit cipher for quantum resistance. Not clear that AES-256 is the best 256-bit cipher though. William On Fri, Feb 24, 2017 at 9:07 AM, Salz, Rich wrote: > > Assuming 256-bit AES-CCM suites are needed, I think the better place to > put > > the

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-24 Thread William Whyte
Right. I feel strongly that it'd be wise to bless a single 256-bit cipher as part of the core TLS 1.3 family of techniques, but I don't feel strongly that it should be AES-256. ChaCha? Cheers, William On Fri, Feb 24, 2017 at 9:55 AM, Salz, Rich wrote: > > There's an argument that it's worth b

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-24 Thread Joseph Salowey
TLS 1.3 currently has AES-256-GCM and ChaCha20-Poly1305 as 256-bit ciphers. AES-CCM ciphers are more oriented towards an IOT niche where CCM is implemented for lower layer protocols. I'm not sure if there are implementations of AES-256-CCM or AES-256-CCM_8 in use. Joe On Fri, Feb 24, 2017 at 7

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-24 Thread Salz, Rich
> There's an argument that it's worth building in a 256-bit cipher for quantum > resistance. Not clear that AES-256 is the best 256-bit cipher though. Yes, I get that. "not clear" is a highly uncompelling argument, tho.

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-24 Thread Salz, Rich
> Assuming 256-bit AES-CCM suites are needed, I think the better place to put > them is in the TLS 1.3 document. That's a really big assumption. ;) I think the burden is on folks to *prove* (yeah, I know) that additional cipher suites are needed.

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-23 Thread Yoav Nir
> On 24 Feb 2017, at 7:38, Joseph Salowey wrote: > > The difference between what is defined in 1.3 and this document is the 256 > bit CCM cipher suites. The document does not specify cipher suites for TLS > 1.3. > > Is it important for TLS 1.3 to have support for these cipher suites? > > I

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-23 Thread Joseph Salowey
The difference between what is defined in 1.3 and this document is the 256 bit CCM cipher suites. The document does not specify cipher suites for TLS 1.3. Is it important for TLS 1.3 to have support for these cipher suites? If it is then we either need to add the cipher suites to this document

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-22 Thread Ilari Liusvaara
On Wed, Feb 22, 2017 at 08:04:13AM +, Salz, Rich wrote: > Why not just say > The CCM cipher suites are not (currently) defined for TLS 1.3 > > And leave it at that. We're all quite proud of the fact, and > deservedly so, that we only have three ciphers defined for TLS 1.3. > Let's try t

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-22 Thread Yoav Nir
> On 22 Feb 2017, at 8:42, Martin Thomson wrote: > > On the interaction with TLS 1.3, we probably need a decision to be made: > > 1. strike TLS 1.3 from the document and only mention it in the way Joe > suggests, TLS 1.3 doesn't get the CCM suites (it already has the > equivalent of the GCM sui

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-22 Thread Salz, Rich
Why not just say The CCM cipher suites are not (currently) defined for TLS 1.3 And leave it at that. We're all quite proud of the fact, and deservedly so, that we only have three ciphers defined for TLS 1.3. Let's try to hold that position as long as possible.

Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-21 Thread Martin Thomson
On the interaction with TLS 1.3, we probably need a decision to be made: 1. strike TLS 1.3 from the document and only mention it in the way Joe suggests, TLS 1.3 doesn't get the CCM suites (it already has the equivalent of the GCM suites) 2. strike TLS 1.3 from the document, and add new TLS 1.3 C

[TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

2017-02-21 Thread Joseph Salowey
Here are the open issues for draft-ietf-tls-ecdhe-psk-aead 1. Why does TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256 use SHA256 instead of SHA384 like the other 256 bit cipher suites? (From Russ Housley) 2. Since the security considerations mention passwords (human chosen secrets) it should mention d