Re: [Uta] Extended Master Secret as a MUST in 7525bis
On Sun, Jun 19, 2022 at 08:38:26PM +0300, Ilari Liusvaara wrote: > > Of course both EMS and EtM MUST be a MUST. > > I think EtM is only MUST if blockmode (CBC) cipher is supported. And > clients SHOULD NOT send EtM if not sending any blockmode cipher suites > (as it is not possible to successfully negotiate EtM). Though, sure, the server will not be able to reciprocate EtM given: https://datatracker.ietf.org/doc/html/rfc7366#section-3 Note from the GenericBlockCipher annotation that this only applies to standard block ciphers that have distinct encrypt and MAC operations. It does not apply to GenericStreamCiphers or to GenericAEADCiphers that already include integrity protection with the cipher. If a server receives an encrypt-then-MAC request extension from a client and then selects a stream or Authenticated Encryption with Associated Data (AEAD) ciphersuite, it MUST NOT send an encrypt-then-MAC response extension back to the client. and yet perhaps the client should still be free to send a "futile" EtM, even when it offers no "standard block ciphers". Sure it should no longer be obligated to do so. Such freedom potentially simplifies implementations that won't need client-side logic to conditionally elide EtM. Is there a compelling reason for "SHOULD NOT", rather than "MAY"? -- Viktor. ___ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
Re: [Uta] Extended Master Secret as a MUST in 7525bis
On Sun, Jun 19, 2022 at 09:16:48AM +, Peter Gutmann wrote: > Yaron Sheffer writes: > > >Ben Kaduk asked why we only added TLS 1.2 Extended Master Secret > >support as a SHOULD, and we tend to agree (given widespread support > >of this feature) that is needs to be a MUST [1]. We would appreciate > >the group’s input before we make this change. > > This, alongside MUST EtM for the same draft, is like asking "should > having brakes and safety belts in cars be a MUST, or do you think a > SHOULD will be OK?", it's such a no-brainer that I'm surprised there's > a need to ask. > > Of course both EMS and EtM MUST be a MUST. I think EtM is only MUST if blockmode (CBC) cipher is supported. And clients SHOULD NOT send EtM if not sending any blockmode cipher suites (as it is not possible to successfully negotiate EtM). There actually are TLS libraries that do not support blockmode at all (the needed code does not exist), which makes it impossible to negotiate EtM under any conditions. -Ilari ___ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
Re: [Uta] Extended Master Secret as a MUST in 7525bis
Yaron Sheffer writes: >Ben Kaduk asked why we only added TLS 1.2 Extended Master Secret support as a >SHOULD, and we tend to agree (given widespread support of this feature) that >is needs to be a MUST [1]. We would appreciate the group’s input before we >make this change. This, alongside MUST EtM for the same draft, is like asking "should having brakes and safety belts in cars be a MUST, or do you think a SHOULD will be OK?", it's such a no-brainer that I'm surprised there's a need to ask. Of course both EMS and EtM MUST be a MUST. Peter. ___ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
