Re: [TLS] SHA-3 in SignatureScheme

While there seems to be some support for adding SHA-3 to TLS, we're not seeing enough support to add it as part of TLS 1.3. Individual drafts that specify ciphers suites can always be separately considered though. Cheers, J&S On Fri, Sep 9, 2016 at 4:30 AM, Martin Thomson wrote: > On 9 Septem

Re: [TLS] SHA-3 in SignatureScheme

On 9 September 2016 at 20:02, Gilles Van Assche wrote: > My point was technically how to best use FIPS 202 in RSA PSS, and we (as > Keccak team) would be more than happy to help in that area. And I'm more than happy to have the work happen, but I think that we can do things in stages. __

Re: [TLS] SHA-3 in SignatureScheme

I don't mind if this is done in a separate spec. My point was technically how to best use FIPS 202 in RSA PSS, and we (as Keccak team) would be more than happy to help in that area. Kind regards, Gilles On 09/09/16 06:20, Martin Thomson wrote: > On 7 September 2016 at 18:24, Ilari Liusvaara >

Re: [TLS] SHA-3 in SignatureScheme

On 7 September 2016 at 18:24, Ilari Liusvaara wrote: > Therefore I think that this work should be pursued in a separate spec, > not in TLS 1.3 core. I think that Ilari has it here. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo

Re: [TLS] SHA-3 in SignatureScheme

On Tue, Sep 06, 2016 at 01:47:48PM +0200, Gilles Van Assche wrote: > Hello, > > For RSA PSS, I would suggest to consider: > rsa_pss_shake128 > rsa_pss_shake256 > where SHAKE128 (or 256), as an exendable output function (XOF), directly > replaces the mask generating function MGF. > > This would ma

Re: [TLS] SHA-3 in SignatureScheme

+1 On 9/6/16, 7:47 , "TLS on behalf of Gilles Van Assche" wrote: Hello, For RSA PSS, I would suggest to consider: rsa_pss_shake128 rsa_pss_shake256 where SHAKE128 (or 256), as an exendable output function (XOF), directly replaces the mask generating function MGF. This would mak

Re: [TLS] SHA-3 in SignatureScheme

Hello, For RSA PSS, I would suggest to consider: rsa_pss_shake128 rsa_pss_shake256 where SHAKE128 (or 256), as an exendable output function (XOF), directly replaces the mask generating function MGF. This would make RSA PSS simpler and more efficient. Kind regards, Gilles On 01/09/16 19:38, Hub

Re: [TLS] SHA-3 in SignatureScheme

On Mon, Sep 05, 2016 at 10:17:58AM +0200, Nikos Mavrogiannopoulos wrote: > On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > > > > > I also am not following why we need to do this now. The reason we > > > defined SHA-2 in > > > > a new RFC was because (a) SHA-1 was looking weak and (b) we

Re: [TLS] SHA-3 in SignatureScheme

> On 5 Sep 2016, at 11:17 AM, Nikos Mavrogiannopoulos wrote: > > On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > I also am not following why we need to do this now. The reason we >>> defined SHA-2 in a new RFC was because (a) SHA-1 was looking weak and (b) we had >>> to make

Re: [TLS] SHA-3 in SignatureScheme

On Fri, 2016-09-02 at 10:04 -0700, Eric Rescorla wrote: > > > I also am not following why we need to do this now. The reason we > > defined SHA-2 in > > > a new RFC was because (a) SHA-1 was looking weak and (b) we had > > to make significant > > > changes to TLS to allow the use of SHA-2. This do

Re: [TLS] SHA-3 in SignatureScheme

> On 2 Sep 2016, at 10:28 PM, Blumenthal, Uri - 0553 - MITLL > wrote: > We have SHA-256 and SHA-384. > > No. By the same token we have AES-128, AES-256, ECDHE over P256, etc. > > I support adding SHA-3 to the core. > > Alternatively, feel free to throw ChaCha out and define it separately

Re: [TLS] SHA-3 in SignatureScheme

On 9/2/16, 15:22 , "TLS on behalf of Eric Rescorla" wrote: But then we have: * AES and ChaCha (two modes for the former one even) * RSA and ECDSA * NIST curves and Bernstein curves * ECDHE key exchange an DHE key exchange only the SHA-2 stands alone... We have SHA-256 and SHA-384. N

Re: [TLS] SHA-3 in SignatureScheme

> But then we have: > * AES and ChaCha (two modes for the former one even) > * RSA and ECDSA > * NIST curves and Bernstein curves > * ECDHE key exchange an DHE key exchange This is a good point to bring up, but I think it can be resolved easily. AES/ChaCha -- if only mobile you'll do chacha else

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 12:21 PM, Hubert Kario wrote: > On Friday, 2 September 2016 21:38:33 CEST Yoav Nir wrote: > > > On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > > > > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > > >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: >

Re: [TLS] SHA-3 in SignatureScheme

On Friday, 2 September 2016 21:38:33 CEST Yoav Nir wrote: > > On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: > >>> On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett >>> > >>>

Re: [TLS] SHA-3 in SignatureScheme

On 09/02/2016 12:27 PM, Hubert Kario wrote: > > what would be the reasons not to add it now? > It seems that Yoav was faster than me, but the two main ones I had in mind were: We want the core protocol to be as small as possible while still fulfilling its goals. We already have extension mechani

Re: [TLS] SHA-3 in SignatureScheme

We should not add new "this is [cool|national-standard|strong|emerging]" crypto mechanisms to this spec. Any invention we do here, should be around the protocol, not the crypto. /r$ ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 11:38 AM, Yoav Nir wrote: > > > On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: > >>> On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett >>> > >>>

Re: [TLS] SHA-3 in SignatureScheme

> On 2 Sep 2016, at 8:27 PM, Hubert Kario wrote: > > On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: >> On 09/02/2016 12:04 PM, Eric Rescorla wrote: >>> On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett >> >>> > wrote: >>>On Friday, September 02, 20

Re: [TLS] SHA-3 in SignatureScheme

On Friday, 2 September 2016 12:06:55 CEST Benjamin Kaduk wrote: > On 09/02/2016 12:04 PM, Eric Rescorla wrote: > > On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett > > > > wrote: > > On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > > > On Fri, Se

Re: [TLS] SHA-3 in SignatureScheme

On 09/02/2016 12:04 PM, Eric Rescorla wrote: > > > On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett > wrote: > > On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara > mailto:ilariliusva...@welho.c

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 10:04 AM, Eric Rescorla wrote: > > > On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett > wrote: > >> On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: >> > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara < >> ilariliusva...@welho.com> wrote: >> > > I also don't see

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 8:25 AM, Dave Garrett wrote: > On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara < > ilariliusva...@welho.com> wrote: > > > I also don't see why this should be in TLS 1.3 spec, instead of being > > > its own s

Re: [TLS] SHA-3 in SignatureScheme

On Friday, September 02, 2016 07:32:06 am Eric Rescorla wrote: > On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara > wrote: > > I also don't see why this should be in TLS 1.3 spec, instead of being > > its own spec (I looked up how much process BS it would be to get the > > needed registrations: in

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 02, 2016 at 01:29:28PM +, Blumenthal, Uri - 0553 - MITLL wrote: > Speaking of PRF hash, I want to bring up the fact that‎ SHA-3 is a > better PRF by design, as that was one of the explicitly stated > competition requirements (unlike MD*, SHA-1, and SHA-2). Well, the name "prf-hash"

Re: [TLS] SHA-3 in SignatureScheme

: Ilari Liusvaara Sent: Friday, September 2, 2016 06:44 To: Hubert Kario Cc: tls@ietf.org Subject: Re: [TLS] SHA-3 in SignatureScheme On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > > The reason I

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 2, 2016 at 3:42 AM, Ilari Liusvaara wrote: > On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > > > > The reason I see is that we currently specify exactly one valid hash > > > algorithm (in a variety

Re: [TLS] SHA-3 in SignatureScheme

On Friday, 2 September 2016 13:42:40 CEST Ilari Liusvaara wrote: > On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > The reason I see is that we currently specify exactly one valid hash > > > algorithm (in a varie

Re: [TLS] SHA-3 in SignatureScheme

On Fri, Sep 02, 2016 at 12:08:47PM +0200, Hubert Kario wrote: > On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > > > > The reason I see is that we currently specify exactly one valid hash > > algorithm (in a variety of sizes). The precedent argument is good enough > > for me. I thi

Re: [TLS] SHA-3 in SignatureScheme

On Thursday, 1 September 2016 19:22:18 CEST Dave Garrett wrote: > On Thursday, September 01, 2016 02:30:54 pm Scott Fluhrer (sfluhrer) wrote: > > > On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > > > > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > > > > The SHA-3 standard is a

Re: [TLS] SHA-3 in SignatureScheme

On Thursday, September 01, 2016 02:30:54 pm Scott Fluhrer (sfluhrer) wrote: > > On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > > > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > > > The SHA-3 standard is already published and accepted[1], shouldn't > > > > TLSv1.3 include sign

Re: [TLS] SHA-3 in SignatureScheme

> -Original Message- > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Hubert Kario > Sent: Thursday, September 01, 2016 2:17 PM > To: Benjamin Kaduk > Cc: > Subject: Re: [TLS] SHA-3 in SignatureScheme > > On Thursday, 1 September 2016 12:43:31 CEST Benjami

Re: [TLS] SHA-3 in SignatureScheme

On Thursday, 1 September 2016 12:43:31 CEST Benjamin Kaduk wrote: > On 09/01/2016 12:38 PM, Hubert Kario wrote: > > The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 > > include signatures with those hashes then? > > Why does it need to be part of the core spec instead of

Re: [TLS] SHA-3 in SignatureScheme

On 09/01/2016 12:38 PM, Hubert Kario wrote: > The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 > include signatures with those hashes then? Why does it need to be part of the core spec instead of a separate document? > 1 - https://www.federalregister.gov/articles/2015/

[TLS] SHA-3 in SignatureScheme

The SHA-3 standard is already published and accepted[1], shouldn't TLSv1.3 include signatures with those hashes then? I think at least the following signature algorithms should be added: ecdsa_secp256r1_sha3_256 ecdsa_secp384r1_sha3_384 ecdsa_secp521r1_sha3_512 rsa_pss_sha3_256 rsa_pss_sha3_384