On Thu, Jul 23, 2015 at 07:10:30PM +0200, Eric Rescorla wrote:
> On Thu, Jul 23, 2015 at 7:06 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
> wrote:
>
> > A suggestion - could we remove mention of anything that
> > is not a MUST or SHOULD ciphersuite from the TLS1.3 document
> > and then have someone write a separate draft that adds a
> > column to the registry where we can mark old crap as
> > deprecated?
> >
> > Not sure if it'd work though.
> >
>
> I'm starting to lean towards this. I don't generally think of TLS 1.3 as a
> vehicle for telling people how to configure use of TLS 1.2, and I think it
> might be better to move all that stuff out.
The MUST/SHOULD list is presumably:
{ECDHE_RSA,ECDHE_ECDSA,PSK}*{AES-128-GCM,AES-256-GCM,Chacha20-Poly1305}
(9 ciphersuites)? Or are there some others there as well (of course, if new
signatures appear and get their own ciphersuites, then three of those too)?

Then what to mark as deprecated? Everything that doesn't work with TLS 1.3
is a pretty obvious candidate. Which would mean deprecating TLS 1.0 and 1.1,
as all ciphersuites for those get deprecated.

Then I made this table of ciphersuites that work with TLS 1.3:

+---------------+-------+-------+-------+-------+
|               |AESGCM |VANITY |AESCCM |CHACHA |
+---------------+-------+-------+-------+-------+
|DHE_RSA        |Y      |Y      |Y      |P      |
|DHE_DSS        |Y      |Y      |Y      |-      |
|DHE_PSK        |Y      |Y      |-      |-      |
|DHE_anon       |Y      |Y      |Y      |-      |
|ECDHE_RSA      |Y      |Y      |-      |P      |
|ECDHE_ECDSA    |Y      |Y      |Y      |P      |
|ECDHE_PSK      |P      |-      |P      |P      |
|ECDHE_anon     |-      |-      |-      |-      |
|ECDHE_ECIDSA   |-      |-      |-      |-      |
|PSK            |Y      |Y      |Y      |P      |
+---------------+-------+-------+-------+-------+

Legend:
- => No active proposal, P => active I-D proposes these, Y => In registry

AES-GCM => AES-GCM ciphers
VANITY => ARIA and CAMELLIA (GCM). SEED doesn't have AEAD.
AES-CCM => AES-CCM ciphers
CHACHA => Chacha20-Poly1305.

Comments on some methods:

- DHE_RSA: Uses FFDHE, problematic especially on 1.2 and older.
- DHE_DSS: Virtually nobody uses this or will use this (already removed from
  two major browsers).
- DHE_PSK: IoT type, but I don't think IoT appreciates FFDHE.
- DHE_anon: Anonymous.
- ECDHE_RSA: ECC certs are still much harder to get than RSA.
- ECDHE_anon: Should add if not deprecating anonymous.
- ECDHE_ECIDSA: New signature scheme. Or try merging this with ECDHE_ECDSA
  (requires a bit of bending of 1.2 rules).
- PSK: Needed for resumption in TLS 1.3.

-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
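As an added example (not from Ilari's message or any IETF document), the following Python sorts IANA-style cipher-suite names into the MUST/SHOULD set as the message reads it, other AEAD suites that can in principle work with TLS 1.3, and non-AEAD suites that are deprecation candidates by the "doesn't work with TLS 1.3" rule. The name-parsing regular expressions and the sample suite list are my assumptions about registry naming, not data from the thread.

```python
# Added example: sort IANA cipher-suite names into the MUST/SHOULD set read from
# the thread, other AEAD suites, and non-AEAD deprecation candidates.
import re
from collections import defaultdict

# {ECDHE_RSA, ECDHE_ECDSA, PSK} x {AES-128-GCM, AES-256-GCM, Chacha20-Poly1305}
RECOMMENDED_KX = {"ECDHE_RSA", "ECDHE_ECDSA", "PSK"}
RECOMMENDED_CIPHERS = {"AES_128_GCM", "AES_256_GCM", "CHACHA20_POLY1305"}

# AEAD columns from the table; patterns are assumptions about registry naming.
AEAD_FAMILIES = [
    (re.compile(r"^AES_\d+_GCM$"), "AESGCM"),
    (re.compile(r"^(ARIA|CAMELLIA)_\d+_GCM$"), "VANITY"),  # SEED has no AEAD mode
    (re.compile(r"^AES_\d+_CCM(_8)?$"), "AESCCM"),
    (re.compile(r"^CHACHA20_POLY1305$"), "CHACHA"),
]

def parse_suite(name):
    """Split 'TLS_<kx>_WITH_<cipher>[_<hash>]' into (kx, cipher)."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    kx, rest = m.groups()
    # Drop the trailing PRF/MAC hash; some CCM suites carry none.
    cipher = re.sub(r"_(SHA|SHA256|SHA384|MD5)$", "", rest)
    return kx, cipher

def classify(name):
    """Return (kx, aead_family_or_None, verdict) for one suite name."""
    kx, cipher = parse_suite(name)
    family = next((fam for rx, fam in AEAD_FAMILIES if rx.match(cipher)), None)
    if family is None:
        return kx, None, "deprecate"      # no AEAD: cannot be a TLS 1.3 suite
    if kx in RECOMMENDED_KX and cipher in RECOMMENDED_CIPHERS:
        return kx, family, "must_should"
    return kx, family, "aead_other"       # works with 1.3, but outside the list

def audit(names):
    """Group a configured suite list by verdict, e.g. for a server config review."""
    groups = defaultdict(list)
    for name in names:
        groups[classify(name)[2]].append(name)
    return dict(groups)

if __name__ == "__main__":
    # Constructed sample config, not taken from the thread.
    sample = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_CCM",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"]
    for verdict, suites in audit(sample).items():
        print(verdict, suites)
```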