On Wed, Jul 22, 2015 at 02:16:43AM -0700, Martin Thomson wrote:
> On 22 July 2015 at 01:50, Kyle Rose <kr...@krose.org> wrote:
> > I'd like to see the bits of the cipher suite associated entirely with
> > ephemeral data tied together roughly by security margin
> 
> I've seen this argument several times, but there are reasons why you
> might want a non-homogenous strength profile.
> 
> The argument for consistency is appealing, but given that the design
> of TLS is historically[1] vulnerable to the weakest *supported*
> algorithm as opposed to the weakest *used* algorithm, I am not
> concerned about ensuring consistency.

Furthermore, comparing the strengths of kex, auth, ciphering and
PRF seems like comparing apples, oranges, pears and kumquats.

Even if the nominal strengths are the same, the scaling of strengths
is going to be different (e.g. the quadratic vs. linear sub-threshold
scaling for ECDH vs. symmetric).

> > The one thing I'm having trouble pinning down is PSK. I fear it's not
> > a separate dimension, because it replaces both signature and KEX.
> 
> Yes, this is a problem.  I like to think of PSK as KEX with null auth.

I think TLS currently has four non-obsolete key exchanges:
- GDHE_CERT
- GDHE_PSK
- GDHE_anon
- PSK


(I couple things here because I think that decoupling those would
lead to unacceptable interop problems).


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
