Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Watson Ladd wrote: >Martin Rexwrote: >> >> The suggestion to accept a recognized TLSv1.2 cipher suite code point >> as an alternative indicator for the highest client-supported protocol >> version is not really a "mechanism". It's efficient (with 0-bytes on >> the wire), intuitive and extremely backwards-compatible (will not upset >> old servers, neither version-intolerant as the Win2008/2012 servers, >> nor extension-intolerant servers. > > It's a substantial change made after WG last call. That alone makes it > improper. If you want to get WG consensus for such a change, go ahead. > But don't try making this in the dead of night. The proposed small addition of when the TLS cipher suites can be negotiated is clearly *NOT* a change, and certainly not substantial. Implementors that want to completely ignore this small addition can do so and will remain fully compliant, they will not have to change a single line of code. For those implementing the proposed addition there will be two very desirable effects: 1) make more TLS handshakes succeed 2) make more TLS handshakes use TLS protocol version TLSv1.2 rather than TLSv1.1 or TLSv1.0 come at an extremely low cost, and this addition has ZERO downsides. The IETF is about promoting interoperability. You seem to have a problem with either or both of the above outcomes, but I fail to understand which and why. > >> It's worse -- there are still TLS servers out there which choke on >> TLS extensions (and TLS server which choke on extension ordering). > > TLS 1.2 demands extensions work. Sending a TLS 1.2 hello without > extensions is going to make it impossible to implement many features > TLS 1.2 security relies on. Actually, it does not. TLSv1.2 works just fine without TLS extension, although there are a few implementations in the installed base which got this wrong. rfc5246 appendix E.2 shows that TLSv1.2 interop with extension-less ClientHellos was desired and assumed to be possible. Some implementors got it wrong. > >> It seems that there are others facing the same issue: >> >> https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows >> >> and defer enabling to explicit customer opt-in. >> >> >> Really, a very compatible and extremely robust and useful approach would >> be to allow implied client protocol version indication through presence of >> TLSv1.2-only cipher suite codepoints and this would allow large parts >> of the installed base to quickly start using TLSv1.2--without breaking >> existing usage scenarios and without the hazzle for users having to opt-in >> and test stuff. > > The people who have these problems are not "large parts" of the > install base. They are large parts of *your* install base. Don't > confuse these two. The above WinHTTP issue alone applies to Win7, which is about 50% of the installed base of Desktops PCs. Refering to ~50% of the installed base as "large parts" seems OK to me. YMMV. -Martin ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
On Tue, May 30, 2017 at 1:03 PM, Martin Rexwrote: > Eric Rescorla wrote: >> On Tue, May 23, 2017 at 9:34 PM, Martin Rex wrote: >>> >>> This change _still_ prohibits the server from negotiating these algorithms >>> with TLSv1.1 and below. >>> >>> Could you elaborate a little on where and why you see a problem with this? >>> >> >> For starters, TLS 1.3 has already designed a completely independent >> mechanism for doing version negotiation outside of ClientHello.version, >> so doing another seems pretty odd. In any case, it's not something you >> do between IETF-LC and IESG approval. > > The suggestion to accept a recognized TLSv1.2 cipher suite code point > as an alternative indicator for the highest client-supported protocol > version is not really a "mechanism". It's efficient (with 0-bytes on > the wire), intuitive and extremely backwards-compatible (will not upset > old servers, neither version-intolerant as the Win2008/2012 servers, > nor extension-intolerant servers. It's a substantial change made after WG last call. That alone makes it improper. If you want to get WG consensus for such a change, go ahead. But don't try making this in the dead of night. > > >> >>> As this changes tries to explain, had such a text been used for all >>> TLSv1.2 AEAD cipher suite code points, then browsers would have never >>> needed any "downgrade dance" fallbacks, POODLE would have never >>> existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid >>> would not been needed, either. >> >> I'm not sure this is true, because there were also servers which did >> not understand extensions. > > > It's worse -- there are still TLS servers out there which choke on > TLS extensions (and TLS server which choke on extension ordering). TLS 1.2 demands extensions work. Sending a TLS 1.2 hello without extensions is going to make it impossible to implement many features TLS 1.2 security relies on. > > Sending TLS extensions is therefore a negotiation scheme that we > can not ship as patch into the installed base, because we *KNOW* > that it will break a few existing usage scenarios. Stuff that needs > TLS extensions is therefore an opt-in only scheme -- and even when > making it opt-in, we may have to additonally provide a TLS extension > exclusion list of hostnames. > > It seems that there are others facing the same issue: > > https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows > > and defer enabling to explicit customer opt-in. > > > Really, a very compatible and extremely robust and useful approach would > be to allow implied client protocol version indication through presence of > TLSv1.2-only cipher suite codepoints and this would allow large parts > of the installed base to quickly start using TLSv1.2--without breaking > existing usage scenarios and without the hazzle for users having to opt-in > and test stuff. The people who have these problems are not "large parts" of the install base. They are large parts of *your* install base. Don't confuse these two. > > > -Martin > > ___ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Man is born free, but everywhere he is in chains". --Rousseau. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Eric Rescorla wrote: > On Tue, May 23, 2017 at 9:34 PM, Martin Rexwrote: >> >> This change _still_ prohibits the server from negotiating these algorithms >> with TLSv1.1 and below. >> >> Could you elaborate a little on where and why you see a problem with this? >> > > For starters, TLS 1.3 has already designed a completely independent > mechanism for doing version negotiation outside of ClientHello.version, > so doing another seems pretty odd. In any case, it's not something you > do between IETF-LC and IESG approval. The suggestion to accept a recognized TLSv1.2 cipher suite code point as an alternative indicator for the highest client-supported protocol version is not really a "mechanism". It's efficient (with 0-bytes on the wire), intuitive and extremely backwards-compatible (will not upset old servers, neither version-intolerant as the Win2008/2012 servers, nor extension-intolerant servers. > >> As this changes tries to explain, had such a text been used for all >> TLSv1.2 AEAD cipher suite code points, then browsers would have never >> needed any "downgrade dance" fallbacks, POODLE would have never >> existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid >> would not been needed, either. > > I'm not sure this is true, because there were also servers which did > not understand extensions. It's worse -- there are still TLS servers out there which choke on TLS extensions (and TLS server which choke on extension ordering). Sending TLS extensions is therefore a negotiation scheme that we can not ship as patch into the installed base, because we *KNOW* that it will break a few existing usage scenarios. Stuff that needs TLS extensions is therefore an opt-in only scheme -- and even when making it opt-in, we may have to additonally provide a TLS extension exclusion list of hostnames. It seems that there are others facing the same issue: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows and defer enabling to explicit customer opt-in. Really, a very compatible and extremely robust and useful approach would be to allow implied client protocol version indication through presence of TLSv1.2-only cipher suite codepoints and this would allow large parts of the installed base to quickly start using TLSv1.2--without breaking existing usage scenarios and without the hazzle for users having to opt-in and test stuff. -Martin ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Hi, Please find the version the secretariat just published. I believe all comments have been addressed. Thank you all for the reviews! Yours, Daniel -Original Message- From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org] Sent: Thursday, May 25, 2017 9:32 AM To: John Mattsson; Daniel Migault Subject: New Version Notification for draft-ietf-tls-ecdhe-psk-aead-05.txt A new version of I-D, draft-ietf-tls-ecdhe-psk-aead-05.txt has been successfully submitted by Daniel Migault and posted to the IETF repository. Name: draft-ietf-tls-ecdhe-psk-aead Revision: 05 Title: ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for Transport Layer Security (TLS) Protocol version 1.2 Document date: 2017-05-24 Group: tls Pages: 7 URL: https://www.ietf.org/internet-drafts/draft-ietf-tls-ecdhe-psk-aead-05.txt Status: https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/ Htmlized: https://tools.ietf.org/html/draft-ietf-tls-ecdhe-psk-aead-05 Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-psk-aead-05 Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-ecdhe-psk-aead-05 Abstract: This document defines several new cipher suites for the Transport Layer Security (TLS) protocol version 1.2. The cipher suites are all based on the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key (ECDHE_PSK) key exchange together with the Authenticated Encryption with Associated Data (AEAD) algorithms AES-GCM and AES- CCM. PSK provides light and efficient authentication, ECDHE provides forward secrecy, and AES-GCM and AES-CCM provides encryption and integrity protection. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat On Wed, May 24, 2017 at 6:29 PM, Martin Thomson wrote: > On 25 May 2017 at 07:43, Daniel Migault > wrote: > > From your response I understand you do not request changes. > > > I am requesting changes. Just say that > TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uses AEAD_AES_128_GCM, and so > forth. It's not hard to be explicit. > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
On 25 May 2017 at 07:43, Daniel Migaultwrote: > From your response I understand you do not request changes. I am requesting changes. Just say that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uses AEAD_AES_128_GCM, and so forth. It's not hard to be explicit. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
>From your response I understand you do not request changes. Yours, Daniel On Wed, May 24, 2017 at 4:24 PM, Martin Thomsonwrote: > On 25 May 2017 at 07:14, Joseph Salowey wrote: > > [Joe] It seems that a reasonable interpretation of the text is that the > AEAD > > constructs will pair with the cipher suite that share the same name. Do > you > > still think we need to provide an explicit mapping between the two? > > > Reasonable, sure, even obvious. I've learned that reasonable doesn't > work always. Note that the order that the AEADs are listed doesn't > match the order of the cipher suites. > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
On 25 May 2017 at 07:14, Joseph Saloweywrote: > [Joe] It seems that a reasonable interpretation of the text is that the AEAD > constructs will pair with the cipher suite that share the same name. Do you > still think we need to provide an explicit mapping between the two? Reasonable, sure, even obvious. I've learned that reasonable doesn't work always. Note that the order that the AEADs are listed doesn't match the order of the cipher suites. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
On Wed, May 24, 2017 at 1:13 PM, Martin Thomsonwrote: > On 25 May 2017 at 00:04, Daniel Migault > wrote: > > > B) It is not true as TLS1.3 enables these cipher suites to be negotiated > > with TLS1.3. > > You can't negotiate the new suites with 1.3, but you can offer them in > case the server picks 1.2. > > Joe's proposal fixes this and other errors. > > > >> You don't anywhere state that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 > >> means to use AEAD_AES_128_GCM (and the same for the other > >> ciphersuites). I mention this because the order in which the AEAD > >> algorithms are mentioned is different to the order of the ciphersuites > >> in the list. > >> > > > > Unless I miss your comment, I believe the section 3 already addresses > it. If > > not please let me knoe what text you would like to see. > > > > """ > > 3. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites > > > >The cipher suites defined in this document are based on the AES-GCM > >and AES-CCM Authenticated Encryption with Associated Data (AEAD) > >algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM and AEAD_AES_128_CCM > >defined in [RFC5116], and AEAD_AES_128_CCM_8 defined in [RFC6655]. > > > > """ > > You miss my comment. This does not prevent someone from deciding that > TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 should use AEAD_AES_128_CCM_8. > [Joe] It seems that a reasonable interpretation of the text is that the AEAD constructs will pair with the cipher suite that share the same name. Do you still think we need to provide an explicit mapping between the two? ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
On 25 May 2017 at 00:04, Daniel Migaultwrote: > B) It is not true as TLS1.3 enables these cipher suites to be negotiated > with TLS1.3. You can't negotiate the new suites with 1.3, but you can offer them in case the server picks 1.2. Joe's proposal fixes this and other errors. >> You don't anywhere state that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 >> means to use AEAD_AES_128_GCM (and the same for the other >> ciphersuites). I mention this because the order in which the AEAD >> algorithms are mentioned is different to the order of the ciphersuites >> in the list. >> > > Unless I miss your comment, I believe the section 3 already addresses it. If > not please let me knoe what text you would like to see. > > """ > 3. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites > >The cipher suites defined in this document are based on the AES-GCM >and AES-CCM Authenticated Encryption with Associated Data (AEAD) >algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM and AEAD_AES_128_CCM >defined in [RFC5116], and AEAD_AES_128_CCM_8 defined in [RFC6655]. > > """ You miss my comment. This does not prevent someone from deciding that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 should use AEAD_AES_128_CCM_8. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Hi, Thank Joe for the clarification. I removed section 4 and instead have the following section 3. This is the version 06. I will post it as soon as the datatracker allows me to submit a new version, so please let me know if that address all concerns. Yours, Daniel 3. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites The cipher suites defined in this document are based on the AES-GCM and AES-CCM Authenticated Encryption with Associated Data (AEAD) algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM and AEAD_AES_128_CCM defined in [RFC5116], and AEAD_AES_128_CCM_8 defined in [RFC6655]. Messages and premaster secret construction in this document are defined in [RFC5489]. The ServerKeyExchange and ClientKeyExchange messages are used and the premaster secret is computed as for the ECDHE_PSK key exchange. The elliptic curve parameters used in in the Diffie-Hellman parameters are negotiated using extensions defined in [I-D.ietf-tls-rfc4492bis]. For TLS 1.2, the following cipher suites are defined: TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {0xTBD,0xTBD}; TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {0xTBD,0xTBD}; TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {0xTBD,0xTBD}; TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {0xTBD,0xTBD}; The assigned code points can only be used for TLS 1.2. The cipher suites defined in this document MUST NOT be negotiated for any version of (D)TLS other than TLS 1.2. Servers MUST NOT select one of these cipher suites when selecting TLS version other than TLS 1.2. A client MUST treat the selection of these cipher suites in combination with a different version of TLS as an error and generate a fatal 'illegal_parameter' TLS alert. Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to support equivalent functionality in TLS 1.3 [I-D.ietf-tls-tls13]. On Wed, May 24, 2017 at 11:03 AM, Joseph Saloweywrote: > Hi Daniel, > > Thanks for putting this revision together. The original text in draft 4 > went beyond the scope of what should be in the document (I was too hasty in > my review of the document and discussion on the list). Your current > proposal is an improvement, but it still discusses behavior that could > either conflict with other documents or discusses behavior that is not in > scope. > > My suggestion is to replace section 4 with the following paragraph (I > think this is similar to what Martin suggests): > > "The cipher suites defined in this document MUST NOT be negotiated for any > version of (D)TLS other than TLS 1.2. Servers MUST NOT select one of these > cipher suites when selecting TLS version other than TLS 1.2. A client MUST > treat the selection of these cipher suites in combination with a different > version of TLS as an error and generate a fatal 'illegal_parameter' TLS > alert." > > I think it would also be OK to add the following to point readers to > equivalent ciphers in 1.3. Here is some suggested text that could go in > the revised section 4: > > "Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, > TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to support > equivalent functionality in TLS 1.3 [TLS 1.3]." > > Thanks, > > Joe > > > On Wed, May 24, 2017 at 7:04 AM, Daniel Migault < > daniel.miga...@ericsson.com> wrote: > >> Hi Martin, >> >> Thank you for your review. Some comment were about text in the >> applicability section. I think I agree with you that this section details >> and clarifies the following sentence of the previous section: """ The >> assigned code points can only be used for TLS 1.2.""". Most of the text of >> this section has been added in order to address comments, thus in order to >> make this section helpful for many readers, I prefer to keep most of the >> text you mentioned as not useful. >> >> Please see inline for more detail responses and let me know if that >> address your comments. >> >> Yours, >> Daniel >> >> On Wed, May 24, 2017 at 12:09 AM, Martin Thomson < >> martin.thom...@gmail.com> wrote: >> >>> Hi Daniel, >>> >>> This removes the offending text. >>> >>> This is incorrect: >>> >>> > Clients MUST NOT offer one of these cipher suites with a (D)TLS >>> version that differs from TLS 1.2. >>> >>> It should be possible to offer these when attempting to negotiate TLS >>> 1.3. The server simply cannot negotiate these cipher suites if it >>> chooses to use 1.3. I'd remove that sentence (and the one following >>> it, since it's redundant with the first sentence of the paragraph). >>> >>> My understanding is that you suggest to remove "Clients MUST NOT offer >> one ..." for the following reasons: >> >> A) it is redundant with the first sentence of the paragraph: "The cipher >> suites defined in this document MUST NOT be negotiated ...". This sentence >> clarifies on the client side what "MUST NOT be negotiated" means, and the >> same is
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Hi Daniel, Thanks for putting this revision together. The original text in draft 4 went beyond the scope of what should be in the document (I was too hasty in my review of the document and discussion on the list). Your current proposal is an improvement, but it still discusses behavior that could either conflict with other documents or discusses behavior that is not in scope. My suggestion is to replace section 4 with the following paragraph (I think this is similar to what Martin suggests): "The cipher suites defined in this document MUST NOT be negotiated for any version of (D)TLS other than TLS 1.2. Servers MUST NOT select one of these cipher suites when selecting TLS version other than TLS 1.2. A client MUST treat the selection of these cipher suites in combination with a different version of TLS as an error and generate a fatal 'illegal_parameter' TLS alert." I think it would also be OK to add the following to point readers to equivalent ciphers in 1.3. Here is some suggested text that could go in the revised section 4: "Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to support equivalent functionality in TLS 1.3 [TLS 1.3]." Thanks, Joe On Wed, May 24, 2017 at 7:04 AM, Daniel Migaultwrote: > Hi Martin, > > Thank you for your review. Some comment were about text in the > applicability section. I think I agree with you that this section details > and clarifies the following sentence of the previous section: """ The > assigned code points can only be used for TLS 1.2.""". Most of the text of > this section has been added in order to address comments, thus in order to > make this section helpful for many readers, I prefer to keep most of the > text you mentioned as not useful. > > Please see inline for more detail responses and let me know if that > address your comments. > > Yours, > Daniel > > On Wed, May 24, 2017 at 12:09 AM, Martin Thomson > wrote: > >> Hi Daniel, >> >> This removes the offending text. >> >> This is incorrect: >> >> > Clients MUST NOT offer one of these cipher suites with a (D)TLS version >> that differs from TLS 1.2. >> >> It should be possible to offer these when attempting to negotiate TLS >> 1.3. The server simply cannot negotiate these cipher suites if it >> chooses to use 1.3. I'd remove that sentence (and the one following >> it, since it's redundant with the first sentence of the paragraph). >> >> My understanding is that you suggest to remove "Clients MUST NOT offer > one ..." for the following reasons: > > A) it is redundant with the first sentence of the paragraph: "The cipher > suites defined in this document MUST NOT be negotiated ...". This sentence > clarifies on the client side what "MUST NOT be negotiated" means, and the > same is done for the server side. If we provide clarification for the > server side, I would prefer to keep a clarification for the client side as > well. > > B) It is not true as TLS1.3 enables these cipher suites to be negotiated > with TLS1.3. In the text cipher suites stands for the cipher suites code > points of the IANA registry. Maybe we can have a better wording. However I > believe the next paragraph clarifies that TLS1.3 negotiates these ciphers > suites in a different way. Would the following wording address your > comment. If so I will update the section to remove the confusion. > > "Clients MUST NOT offer one of the cipher suites code points defined in > the document with a (D)TLS version that differs from TLS 1.2." > > The text in question is: > """ >The cipher suites defined in this document MUST NOT be negotiated for >any version of (D)TLS other than TLS 1.2. Clients MUST NOT offer one >of these cipher suites with a (D)TLS version that differs from TLS >1.2. Servers MUST NOT select one of these cipher suites with a TLS >version that differs from TLS 1.2. A client MUST treat the selection >of these cipher suites in combination with a version of TLS as an >error and generate a fatal 'illegal_parameter' TLS alert. > > """ > > >> As others have noted, the paragraph about TLS 1.3 isn't helpful and >> should be removed. >> >> > Suggestion to remove TLS1.3 related text was to clarify that the cipher > suites were only defined for TLS1.2. Unless I missed something we have > removed most of the text that could cause confusion. On the other hand, > TLS1.3 has been designed, and we also have received comments to position > the defined cipher suites toward TLS1.3 as we do fro TLS1.0 and TLS1.1. > This is the intent of the remaining text mentioning TLS1.3. > > In the applicable version section, the text for TLS1.3 is intended to > clarify why the cipher suites are restricted to TLS1.2. I believe this is > useful for readers not so familiar with TLS1.3 that may not be aware of how > TLS1.3 negotiate ciphers. My personal opinion is that it might be better to >
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Hi Martin, Thank you for your review. Some comment were about text in the applicability section. I think I agree with you that this section details and clarifies the following sentence of the previous section: """ The assigned code points can only be used for TLS 1.2.""". Most of the text of this section has been added in order to address comments, thus in order to make this section helpful for many readers, I prefer to keep most of the text you mentioned as not useful. Please see inline for more detail responses and let me know if that address your comments. Yours, Daniel On Wed, May 24, 2017 at 12:09 AM, Martin Thomsonwrote: > Hi Daniel, > > This removes the offending text. > > This is incorrect: > > > Clients MUST NOT offer one of these cipher suites with a (D)TLS version > that differs from TLS 1.2. > > It should be possible to offer these when attempting to negotiate TLS > 1.3. The server simply cannot negotiate these cipher suites if it > chooses to use 1.3. I'd remove that sentence (and the one following > it, since it's redundant with the first sentence of the paragraph). > > My understanding is that you suggest to remove "Clients MUST NOT offer one ..." for the following reasons: A) it is redundant with the first sentence of the paragraph: "The cipher suites defined in this document MUST NOT be negotiated ...". This sentence clarifies on the client side what "MUST NOT be negotiated" means, and the same is done for the server side. If we provide clarification for the server side, I would prefer to keep a clarification for the client side as well. B) It is not true as TLS1.3 enables these cipher suites to be negotiated with TLS1.3. In the text cipher suites stands for the cipher suites code points of the IANA registry. Maybe we can have a better wording. However I believe the next paragraph clarifies that TLS1.3 negotiates these ciphers suites in a different way. Would the following wording address your comment. If so I will update the section to remove the confusion. "Clients MUST NOT offer one of the cipher suites code points defined in the document with a (D)TLS version that differs from TLS 1.2." The text in question is: """ The cipher suites defined in this document MUST NOT be negotiated for any version of (D)TLS other than TLS 1.2. Clients MUST NOT offer one of these cipher suites with a (D)TLS version that differs from TLS 1.2. Servers MUST NOT select one of these cipher suites with a TLS version that differs from TLS 1.2. A client MUST treat the selection of these cipher suites in combination with a version of TLS as an error and generate a fatal 'illegal_parameter' TLS alert. """ > As others have noted, the paragraph about TLS 1.3 isn't helpful and > should be removed. > > Suggestion to remove TLS1.3 related text was to clarify that the cipher suites were only defined for TLS1.2. Unless I missed something we have removed most of the text that could cause confusion. On the other hand, TLS1.3 has been designed, and we also have received comments to position the defined cipher suites toward TLS1.3 as we do fro TLS1.0 and TLS1.1. This is the intent of the remaining text mentioning TLS1.3. In the applicable version section, the text for TLS1.3 is intended to clarify why the cipher suites are restricted to TLS1.2. I believe this is useful for readers not so familiar with TLS1.3 that may not be aware of how TLS1.3 negotiate ciphers. My personal opinion is that it might be better to have it explicit rather than implicit, and I would prefer to keep the text below: """ TLS version 1.3 and later negotiate these features in a different manner. Unlike TLS 1.2, TLS 1.3 separates authentication and cipher suite negotiation [I-D.ietf-tls-tls13] Section 1.2. TLS 1.3 supports PSK with ECDHE key exchange and the cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are part of the specification. As a result, TLS 1.3 and higher versions, negotiate and support these cipher suites in a different way. """ > This: > > > In addition, it is worth noting that TLS 1.0 [RFC2246] and TLS 1.2 > [RFC4346] split the pre-master into two parts. The PRF results from > mixing the two pseudorandom streams with distinct hash functions (MD5 and > SHA-1) by exclusive-ORing them together. > > You mean TLS 1.1 rather than 1.2. But as with the former paragraph, > talking about the limitations of TLS versions that you explicitly > don't support isn't useful. Remove this paragraph also. > > Yes that is TLS1.1. I updated it. I believe the text is useful as it provides a clear justification on why it should not be used on TLS version lower than 1.2. More specifically, previous version do not support AEAD, but this may not prevent someone using AEAD with these versions. The reason provided is not AEAD related but PSK related. I believe it is useful to explicitly justify
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Hi Daniel, This removes the offending text. This is incorrect: > Clients MUST NOT offer one of these cipher suites with a (D)TLS version that > differs from TLS 1.2. It should be possible to offer these when attempting to negotiate TLS 1.3. The server simply cannot negotiate these cipher suites if it chooses to use 1.3. I'd remove that sentence (and the one following it, since it's redundant with the first sentence of the paragraph). As others have noted, the paragraph about TLS 1.3 isn't helpful and should be removed. This: > In addition, it is worth noting that TLS 1.0 [RFC2246] and TLS 1.2 [RFC4346] > split the pre-master into two parts. The PRF results from mixing the two > pseudorandom streams with distinct hash functions (MD5 and SHA-1) by > exclusive-ORing them together. You mean TLS 1.1 rather than 1.2. But as with the former paragraph, talking about the limitations of TLS versions that you explicitly don't support isn't useful. Remove this paragraph also. Nits: s/pre-master(| secret)/premaster secret/g You don't anywhere state that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 means to use AEAD_AES_128_GCM (and the same for the other ciphersuites). I mention this because the order in which the AEAD algorithms are mentioned is different to the order of the ciphersuites in the list. On 24 May 2017 at 12:37, Daniel Migaultwrote: > re-sending with the version 05 but removing the diff to be under the 100 KB > limit. > Yours, > Daniel > > On Tue, May 23, 2017 at 9:28 PM, Daniel Migault > wrote: >> >> Hi Eric, >> >> Thank you for the feed backs. The version 05 contains all text changes you >> agreed. In addition, the text explaining dictionary/brute force has been >> removed and replace by a reference to 4279. The recommendation regarding to >> all PSK ciphers has been limited to the one of the document. Please see >> inline for more details. >> >> For some reasons I am not able to validate the submission of version 05. I >> have attached the diff with version 04 as well as the locally generated >> version 05. >> >> Yours, >> Daniel >> >> On Tue, May 23, 2017 at 7:40 PM, Eric Rescorla wrote: >>> >>> >>> >>> On Wed, May 24, 2017 at 6:00 AM, Daniel Migault >>> wrote: Hi Eric, Thank you for your reviews. Please see my responses inline. If you agree with the text I will update the draft. Yours, Daniel On Mon, May 22, 2017 at 10:11 PM, Eric Rescorla wrote: > > Eric Rescorla has entered the following ballot position for > draft-ietf-tls-ecdhe-psk-aead-04: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/ > > > > -- > DISCUSS: > -- > > The following text appears to have been added in -04 > >A server receiving a ClientHello and a client_version indicating >(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from >this document in ClientHello.cipher_suites can safely assume that > the >client supports TLS 1.2 and is willing to use it. The server MUST >NOT negotiate these cipher suites with TLS protocol versions earlier >than TLS 1.2. Not requiring clients to indicate their support for >TLS 1.2 cipher suites exclusively through ClientHello.client_hello >improves the interoperability in the installed base and use of TLS >1.2 AEAD cipher suites without upsetting the installed base of >version-intolerant TLS servers, results in more TLS handshakes >succeeding and obviates fallback mechanisms. > > This is a major technical change from -03, which, AFAIK, prohibited > the server from negotiating these algorithms with TLS 1.1 and below > and maintained the usual TLS version 1.2 negotiation rules. > > This is a very material technical change. I don't consider it wise, > but in any case it would absolutely need WG consensus, which I > don't believe that it has given the recent introduction. I agree that the text is a technical change, and that it may not be appropriated to do so now. The reason I included it was that it was conform to the previous text, but I agree that implicit assumption of version 1.2 may need some
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
re-sending with the version 05 but removing the diff to be under the 100 KB limit. Yours, Daniel On Tue, May 23, 2017 at 9:28 PM, Daniel Migaultwrote: > Hi Eric, > > Thank you for the feed backs. The version 05 contains all text changes you > agreed. In addition, the text explaining dictionary/brute force has been > removed and replace by a reference to 4279. The recommendation regarding to > all PSK ciphers has been limited to the one of the document. Please see > inline for more details. > > For some reasons I am not able to validate the submission of version 05. I > have attached the diff with version 04 as well as the locally generated > version 05. > > Yours, > Daniel > > On Tue, May 23, 2017 at 7:40 PM, Eric Rescorla wrote: > >> >> >> On Wed, May 24, 2017 at 6:00 AM, Daniel Migault < >> daniel.miga...@ericsson.com> wrote: >> >>> Hi Eric, >>> >>> Thank you for your reviews. Please see my responses inline. If you agree >>> with the text I will update the draft. >>> >>> Yours, >>> Daniel >>> >>> On Mon, May 22, 2017 at 10:11 PM, Eric Rescorla wrote: >>> Eric Rescorla has entered the following ballot position for draft-ietf-tls-ecdhe-psk-aead-04: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/stat ement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/ -- DISCUSS: -- The following text appears to have been added in -04 A server receiving a ClientHello and a client_version indicating (3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from this document in ClientHello.cipher_suites can safely assume that the client supports TLS 1.2 and is willing to use it. The server MUST NOT negotiate these cipher suites with TLS protocol versions earlier than TLS 1.2. Not requiring clients to indicate their support for TLS 1.2 cipher suites exclusively through ClientHello.client_hello improves the interoperability in the installed base and use of TLS 1.2 AEAD cipher suites without upsetting the installed base of version-intolerant TLS servers, results in more TLS handshakes succeeding and obviates fallback mechanisms. This is a major technical change from -03, which, AFAIK, prohibited the server from negotiating these algorithms with TLS 1.1 and below and maintained the usual TLS version 1.2 negotiation rules. This is a very material technical change. I don't consider it wise, but in any case it would absolutely need WG consensus, which I don't believe that it has given the recent introduction. >>> >>> I agree that the text is a technical change, and that it may not be >>> appropriated to do so now. The reason I included it was that it was conform >>> to the previous text, but I agree that implicit assumption of version 1.2 >>> may need some additional discussion especially regarding RFC5246 Appendix >>> E. Unless you prefer further discussion I assume the text below address >>> your concern. >>> >>> The cipher suites defined in this document MUST NOT be negotiated for >>> any version of (D)TLS other than TLS 1.2. Clients MUST NOT offer one of >>> these cipher suites with a (D)TLS version that differs from TLS 1.2. >>> Servers MUST NOT select one of these cipher suites with a TLS version that >>> differs from TLS 1.2. A client MUST treat the selection of these cipher >>> suites in combination with a version of TLS as an error and generate a >>> fatal 'illegal_parameter' TLS alert. >>> >> >> Yes, this seems fine >> >> >> The discussion of dictionary attacks here seems inferior to that in 4279. In particular, you only need to actively attack one connection to capture the data you need for a brute force attack despite the text there referring to trying "different keys". Please correct that. I believe the text below address your concern: >>> >>> OLD: >>> Use of Pre-Shared Keys of limited entropy may allow an active >>> attacker attempts to connect to the server and try different keys. >>> For example, limited entropy may be provided by using a short PSK in >>> which >>> case an attacker may perform a brute-force attack. Another example >>> includes the use of a PSK chosen by a human which thus may be exposed to >>> dictionary attacks. >>> >>> NEW: >>> Pre-Shared Keys security relies on
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Hi Eric, Thank you for your reviews. Please see my responses inline. If you agree with the text I will update the draft. Yours, Daniel On Mon, May 22, 2017 at 10:11 PM, Eric Rescorlawrote: > Eric Rescorla has entered the following ballot position for > draft-ietf-tls-ecdhe-psk-aead-04: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/ > > > > -- > DISCUSS: > -- > > The following text appears to have been added in -04 > >A server receiving a ClientHello and a client_version indicating >(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from >this document in ClientHello.cipher_suites can safely assume that > the >client supports TLS 1.2 and is willing to use it. The server MUST >NOT negotiate these cipher suites with TLS protocol versions earlier >than TLS 1.2. Not requiring clients to indicate their support for >TLS 1.2 cipher suites exclusively through ClientHello.client_hello >improves the interoperability in the installed base and use of TLS >1.2 AEAD cipher suites without upsetting the installed base of >version-intolerant TLS servers, results in more TLS handshakes >succeeding and obviates fallback mechanisms. > > This is a major technical change from -03, which, AFAIK, prohibited > the server from negotiating these algorithms with TLS 1.1 and below > and maintained the usual TLS version 1.2 negotiation rules. > > This is a very material technical change. I don't consider it wise, > but in any case it would absolutely need WG consensus, which I > don't believe that it has given the recent introduction. > I agree that the text is a technical change, and that it may not be appropriated to do so now. The reason I included it was that it was conform to the previous text, but I agree that implicit assumption of version 1.2 may need some additional discussion especially regarding RFC5246 Appendix E. Unless you prefer further discussion I assume the text below address your concern. The cipher suites defined in this document MUST NOT be negotiated for any version of (D)TLS other than TLS 1.2. Clients MUST NOT offer one of these cipher suites with a (D)TLS version that differs from TLS 1.2. Servers MUST NOT select one of these cipher suites with a TLS version that differs from TLS 1.2. A client MUST treat the selection of these cipher suites in combination with a version of TLS as an error and generate a fatal 'illegal_parameter' TLS alert. > > The discussion of dictionary attacks here seems inferior to that > in 4279. In particular, you only need to actively attack one > connection to capture the data you need for a brute force attack > despite the text there referring to trying "different keys". > Please correct that. > > I believe the text below address your concern: OLD: Use of Pre-Shared Keys of limited entropy may allow an active attacker attempts to connect to the server and try different keys. For example, limited entropy may be provided by using a short PSK in which case an attacker may perform a brute-force attack. Another example includes the use of a PSK chosen by a human which thus may be exposed to dictionary attacks. NEW: Pre-Shared Keys security relies on its associated entropy, and it is RECOMMENDED to follow to ensure the PSK has enough entropy. Possible reasons for low entropy includes PSK chosen by humans or PSK of small length as well as using random generators with limited entropy. PSK of limited entropy may allow an attacker to test different PSK values against a valid output such as master secret or any output derived from it. In this document, the master secret is generated using the PSK as well as the ECDHE shared secret. The use of ECDHE limits the possibilities of passive eavesdropping attackers, as the ECDHE shared secret is not expected to be derived from the observed ECDH parameters. As a result, passive eavesdropping is unlikely to happen, and the collection of all necessary material relies on an active attack. An active attacker may collect the necessary material by setting a TLS session as a client with the legitimate server. One PSK is tested for each session, and a match occurs when key exchange succeeds. On the other hand, an active attacker may also consider gathering the necessary information for offline computation. One way consists in getting a legitimate client to establish a connection with the attacker. It is also assumed
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
On Tue, May 23, 2017 at 9:34 PM, Martin Rexwrote: > Eric Rescorla wrote: > > draft-ietf-tls-ecdhe-psk-aead-04: Discuss > > > > -- > > DISCUSS: > > -- > > > > The following text appears to have been added in -04 > > > >A server receiving a ClientHello and a client_version indicating > >(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from > >this document in ClientHello.cipher_suites can safely assume that > > the > >client supports TLS 1.2 and is willing to use it. The server MUST > >NOT negotiate these cipher suites with TLS protocol versions earlier > >than TLS 1.2. Not requiring clients to indicate their support for > >TLS 1.2 cipher suites exclusively through ClientHello.client_hello > >improves the interoperability in the installed base and use of TLS > >1.2 AEAD cipher suites without upsetting the installed base of > >version-intolerant TLS servers, results in more TLS handshakes > >succeeding and obviates fallback mechanisms. > > > > This is a major technical change from -03, which, AFAIK, prohibited > > the server from negotiating these algorithms with TLS 1.1 and below > > and maintained the usual TLS version 1.2 negotiation rules. > > This change _still_ prohibits the server from negotiating these algorithms > with TLSv1.1 and below. > Could you elaborate a little on where and why you see a problem with this? > For starters, TLS 1.3 has already designed a completely independent mechanism for doing version negotiation outside of ClientHello.version, so doing another seems pretty odd. In any case, it's not something you do between IETF-LC and IESG approval. As this changes tries to explain, had such a text been used for all > TLSv1.2 AEAD cipher suite code points, then browsers would have never > needed any "downgrade dance" fallbacks, POODLE would have never > existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid > would not been needed, either. > I'm not sure this is true, because there were also servers which did not understand extensions. -Ekr > -Martin > ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
It seems I had a typo in the new text. Martin Rex wrote: > Eric Rescorla wrote: >> draft-ietf-tls-ecdhe-psk-aead-04: Discuss >> >> -- >> DISCUSS: >> -- >> >> The following text appears to have been added in -04 >> >>A server receiving a ClientHello and a client_version indicating >>(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from >>this document in ClientHello.cipher_suites can safely assume that >> the >>client supports TLS 1.2 and is willing to use it. The server MUST >>NOT negotiate these cipher suites with TLS protocol versions earlier >>than TLS 1.2. Not requiring clients to indicate their support for >>TLS 1.2 cipher suites exclusively through ClientHello.client_hello That line should say through ClientHello.client_version >>improves the interoperability in the installed base and use of TLS >>1.2 AEAD cipher suites without upsetting the installed base of >>version-intolerant TLS servers, results in more TLS handshakes >>succeeding and obviates fallback mechanisms. >> >> This is a major technical change from -03, which, AFAIK, prohibited >> the server from negotiating these algorithms with TLS 1.1 and below >> and maintained the usual TLS version 1.2 negotiation rules. > > This change _still_ prohibits the server from negotiating these algorithms > with TLSv1.1 and below. > > Could you elaborate a little on where and why you see a problem with this? > > As this change tries to explain, had such a text been used for all > TLSv1.2 AEAD cipher suite code points, then browsers would have never > needed any "downgrade dance" fallbacks, POODLE would have never > existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid > would not have been needed, either. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Eric Rescorla wrote: > draft-ietf-tls-ecdhe-psk-aead-04: Discuss > > -- > DISCUSS: > -- > > The following text appears to have been added in -04 > >A server receiving a ClientHello and a client_version indicating >(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from >this document in ClientHello.cipher_suites can safely assume that > the >client supports TLS 1.2 and is willing to use it. The server MUST >NOT negotiate these cipher suites with TLS protocol versions earlier >than TLS 1.2. Not requiring clients to indicate their support for >TLS 1.2 cipher suites exclusively through ClientHello.client_hello >improves the interoperability in the installed base and use of TLS >1.2 AEAD cipher suites without upsetting the installed base of >version-intolerant TLS servers, results in more TLS handshakes >succeeding and obviates fallback mechanisms. > > This is a major technical change from -03, which, AFAIK, prohibited > the server from negotiating these algorithms with TLS 1.1 and below > and maintained the usual TLS version 1.2 negotiation rules. This change _still_ prohibits the server from negotiating these algorithms with TLSv1.1 and below. Could you elaborate a little on where and why you see a problem with this? As this changes tries to explain, had such a text been used for all TLSv1.2 AEAD cipher suite code points, then browsers would have never needed any "downgrade dance" fallbacks, POODLE would have never existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid would not been needed, either. -Martin ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
[TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)
Eric Rescorla has entered the following ballot position for draft-ietf-tls-ecdhe-psk-aead-04: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/ -- DISCUSS: -- The following text appears to have been added in -04 A server receiving a ClientHello and a client_version indicating (3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from this document in ClientHello.cipher_suites can safely assume that the client supports TLS 1.2 and is willing to use it. The server MUST NOT negotiate these cipher suites with TLS protocol versions earlier than TLS 1.2. Not requiring clients to indicate their support for TLS 1.2 cipher suites exclusively through ClientHello.client_hello improves the interoperability in the installed base and use of TLS 1.2 AEAD cipher suites without upsetting the installed base of version-intolerant TLS servers, results in more TLS handshakes succeeding and obviates fallback mechanisms. This is a major technical change from -03, which, AFAIK, prohibited the server from negotiating these algorithms with TLS 1.1 and below and maintained the usual TLS version 1.2 negotiation rules. This is a very material technical change. I don't consider it wise, but in any case it would absolutely need WG consensus, which I don't believe that it has given the recent introduction. The discussion of dictionary attacks here seems inferior to that in 4279. In particular, you only need to actively attack one connection to capture the data you need for a brute force attack despite the text there referring to trying "different keys". Please correct that. -- COMMENT: -- The citations to TLS 1.3 still seem pretty muddled. I think you should just stop referencing and discussing 1.3. S 2. I'm not sure that the discussion of the PRF is helpful here in mandating the non-use of these cipher suites with TLS 1.1 and below. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls