This seems like a good approach.

-Ekr

On Sun, Oct 11, 2015 at 6:46 AM, Watson Ladd <watsonbl...@gmail.com> wrote:
> On Sun, Oct 11, 2015 at 8:17 AM, Ilari Liusvaara
> <ilariliusva...@welho.com> wrote:
> > On Sun, Oct 11, 2015 at 09:25:10AM +0200, Rick van Rein wrote:
> >> > *From:* internet-dra...@ietf.org
> >> >
> >> > Name: draft-vanrein-tls-kdh
> >> > Revision: 00
> >>
> >> Hello TLS WG,
> >>
> >> I would like to propose new CipherSuites for TLS. The cryptography is
> >> founded on Kerberos authentication and DH encryption, cryptographically
> >> bound together. The mechanism uses mutual authentication, although
> >> clients may use anonymous tickets.
> >>
> >> Any feedback that you may have (technical, or WG-procedural) is kindly
> >> welcomed. I will also send this to the Kitten WG.
> >
> > Some quick comments:
> > - The signed DH share does not look to be bound to anything (crypto
> >   parameters negotiation, randoms, server key exchange, etc.). I can't
> >   offhand say what that would lead to, but it looks even worse than
> >   TLS ServerKeyExchange, which has known vulnerabilities due to
> >   lack of binding to things like ciphersuite.
> > - The ciphersuite list looks bad: 1) IDEA (bad idea), CBC
> >   (don't use), apparent SHA-1 prf-hash (REALLY bad idea)[1][2].
> > - Even use of DH is questionable.
>
> I would suggest piggybacking on the PSK mode, using the key Kerberos
> provides at both ends as the PSK key. This would address all of these
> issues in TLS 1.3
>
> Sincerely,
> Watson
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls