On Fri, Aug 1, 2014 at 12:57 PM, David Mazieres <[email protected]> wrote:
> Nico Williams <[email protected]> writes:
>
>> It's quite fine to want encryption at a lower layer than
>> authentication, but if you do that then you'd better either key the
>> lower layer from the upper layer, or channel bind the lower layer into
>> authentication.
>
> I strongly oppose keying the lower layer from the upper layer. This is
> precisely where people get into problems from poor entropy or forgetting
> to bzero key material or messing up forward secrecy. Conversely,

I don't care for keying lower layers from upper layers and wasn't
actually proposing it. In general I disagree with your take:
upper-keying-lower can certainly be done right, and it has been (e.g.,
IKE keys ESP, and really, they are different layers, even if we call the
whole thing "IPsec"; see also EAP).

> channel binding is exactly the kind of minimal yet very expressive
> interface that can very cleanly be exposed by a lower layer guaranteeing
> forward secrecy.

Yes, channel binding is definitely the more elegant way to do it, and
the one I prefer (greatly).

>> What I'd like to see is ECDH with ephemeral public keys for TCPINC
>> with an API by which to extract channel binding data that can be fed
>> into an application-layer protocol. (Perhaps even TLS with null
>> ciphersuite + TCPINC. Whatever.)
>
> Obviously I agree. The only thing I would add is that there should also
> be an application-aware bit to make things like DANE support transparent
> in the future.

The API at the very least must NOT preclude or otherwise make DANE
difficult, and preferably it should make it easy.

Nico
--
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
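
The channel-binding arrangement discussed in this message, as an added example that is not part of the original thread or of any TCPINC proposal: a lower layer runs unauthenticated ephemeral Diffie-Hellman and exports a binding value, and the application layer authenticates over that value, so an interposed middle party makes the check fail. Assumptions: a toy finite-field DH group stands in for ECDH, and the names `session`, `auth_token`, `run` and the binding construction are hypothetical.

```python
import hashlib, hmac, secrets

# Toy finite-field DH group standing in for ECDH (assumption; not for real use).
P = 2**255 - 19
G = 2

def keypair():
    """Fresh ephemeral key pair for one connection."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session(priv, my_pub, peer_pub, initiator):
    """Lower layer: unauthenticated ephemeral DH.
    Returns (session_key, channel_binding); only the binding is exported upward."""
    first, second = (my_pub, peer_pub) if initiator else (peer_pub, my_pub)
    transcript = first.to_bytes(32, "big") + second.to_bytes(32, "big")
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    key = hashlib.sha256(b"key" + shared + transcript).digest()
    binding = hashlib.sha256(b"channel-binding" + shared + transcript).digest()
    return key, binding

def auth_token(app_secret, binding, role):
    """Upper layer: authenticate with an application credential over the binding."""
    return hmac.new(app_secret, role + binding, hashlib.sha256).digest()

def verify(app_secret, binding, role, token):
    return hmac.compare_digest(auth_token(app_secret, binding, role), token)

def run(interposed):
    """Simulate one connection; returns True if the server accepts the client."""
    app_secret = secrets.token_bytes(32)   # constructed application credential
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    if interposed:
        # A middle party terminates both DH exchanges with its own key.
        m_priv, m_pub = keypair()
        _, c_bind = session(c_priv, c_pub, m_pub, initiator=True)
        _, s_bind = session(s_priv, s_pub, m_pub, initiator=False)
    else:
        _, c_bind = session(c_priv, c_pub, s_pub, initiator=True)
        _, s_bind = session(s_priv, s_pub, c_pub, initiator=False)
    token = auth_token(app_secret, c_bind, b"client")
    # The server checks the token against the binding of ITS OWN channel.
    return verify(app_secret, s_bind, b"client", token)

if __name__ == "__main__":
    print("direct:", run(False), "interposed:", run(True))
```

The lower layer never sees the application credential and the application never sees the session key; the exported binding is the only interface between them.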
