On Sun, Aug 2, 2015 at 11:11 AM, David Mazieres < dm-list-tcpcr...@scs.stanford.edu> wrote: > > Well, a priori, one can argue that even though TCP-use-TLS may require > more engineering effort in absolute terms than tcpcrypt, the delta > between application-level TLS (required anyway) and transport-level TLS > is smaller than the effort required for all of tcpcrypt (which can't be > shared). However, a posteriori, given that we still don't have a > profile
I'd like to address this "profile" issue briefly, since it seems to be a sticking point for a number of people. First, there seem to be two different things that people mean when they say "profile": (1) A description of the particular operational modes of TLS that people should support. (2) A (somewhat?) self-contained document that describes just the subset of TLS that people need to support. As I said in the WG meeting, I don't think that the latter is that useful and I'm actually somewhat surprised that people want it. To be honest, I didn't realize that there was much demand for it prior to Prague, which is why I didn't bother to produce anything. Probably a failure of understanding on my part, so sorry about that. I'd basically assumed that when people meant a profile they meant #1, and as I said, I think it's fairly obvious, and pretty orthogonal to the question of whether or not TLS is the right choice here. But maybe I'm just too close to things so it's not obvious to others. In any case, what you'd want is something like: - ECDH_anon with P256 and Curve25519 - AES_128_GCM; AES_256_GCM; ChaCha/Poly1305 - SHA256 for the PRF - Session hash - No renegotiation [Banned in TLS 1.3] - No compression [Banned in TLS 1.3] - RFC5705 tickets [or PSK in 1.3] I'm sure there are a few other things people would like nailed down, but I think the big issue here is whether or not we would require TLS 1.3 or not. I would argue for not, but i can understand why people would feel the other way. If we're taking "profile" to mean (2) above, which is what I take to be the direction the WG would like, then it's obviously easier to write down if you only commit to one version of TLS. -Ekr
_______________________________________________ Tcpinc mailing list Tcpinc@ietf.org https://www.ietf.org/mailman/listinfo/tcpinc