Bryan Ford <brynosau...@gmail.com> writes:

>We have repeatedly stated several relevant threat models here; you just
>don’t seem to be accepting them as threat models for some reason.
That's because they're not actual threat models, just handwringing about vague, undefined bogeymen. Yoav Nir has made a good start, although it's more a wish list than a threat model, or at least a list of desirable properties for the system to have.

In crypto terms, it's like stating "I want my cryptosystem to be IND-CPA". The threat there is an adversary being able to encrypt various plaintext messages and being able to distinguish them based on the ciphertext. You can pretty clearly say that against this threat (stage #1 of my list), you need an IND-CPA cryptosystem (stage #2). From there you can decide whether it's worth doing this, stage #3 (OK, any cryptosystem worth its salt had better be IND-CPA, so that's a tautology). OTOH an IND-CPA cryptosystem isn't necessarily secure against an adaptive chosen ciphertext attack, a different type of threat, so you need to up the defence to an IND-CCA2 secure system.

Give me an actual threat model of the type(s) illustrated above, write down the exact capabilities of the attacker so we know what to defend against, and then we can disagree on it.

>We have been doing this as well, repeatedly.

No, you've just been saying "here's my pet idea, TLS should adopt it" over and over again. I'm happy to keep saying "it doesn't provide the protection you seem to think it does, it restricts TLS to only using AEAD stream ciphers, and it causes serious headaches for implementations" as often as you keep repeating "here's my pet idea, we should use it".

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
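The IND-CPA versus IND-CCA2 distinction Peter uses as his illustration of "write down the attacker's capabilities first" can be run as an actual game. The block below is an added example and is not code from the thread or from any TLS implementation. It assumes HMAC-SHA256 is a PRF and builds a toy counter-mode stream cipher from it (the scheme is IND-CPA under that assumption and the use of fresh nonces). The adversary in the game has the adaptive chosen-ciphertext capability: it may ask for the decryption of any ciphertext other than the challenge. Against the bare stream cipher that one extra capability lets it recover the hidden bit every time; against the same cipher with an encrypt-then-MAC tag (one standard way to reach IND-CCA2) the oracle rejects the modified ciphertext and the adversary learns nothing. All names, messages and key sizes are constructed for the example.

```python
"""IND-CPA vs IND-CCA2 as a runnable security game (added example, not from the list thread).

Scheme 1 (cpa_*): counter-mode stream cipher, keystream block i = HMAC-SHA256(key, nonce || i).
                  Assumed IND-CPA: HMAC is treated as a PRF and nonces are fresh.
Scheme 2 (cca_*): scheme 1 plus an encrypt-then-MAC tag over nonce||ciphertext.
The adaptive chosen-ciphertext adversary flips one bit of the challenge and asks the
decryption oracle about the result; that query is allowed because it is not the challenge.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16   # bytes of random nonce prefixed to each ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag length for the IND-CCA2 scheme


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i is HMAC-SHA256(key, nonce || i)."""
    blocks, produced, ctr = [], 0, 0
    while produced < length:
        block = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        ctr += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cpa_encrypt(key: bytes, msg: bytes) -> bytes:
    """Stream-cipher encryption: nonce || (msg XOR keystream). Malleable, no integrity."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(msg, _keystream(key, nonce, len(msg)))


def cpa_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def cca_encrypt(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers nonce and ciphertext, so any bit flip is detected."""
    enc_key, mac_key = _subkeys(key)
    ct = cpa_encrypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def cca_decrypt(key: bytes, ct: bytes):
    """Return the plaintext, or None if the tag does not verify (modified ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cpa_decrypt(enc_key, body)


class IndCca2Game:
    """Challenger side of the IND-CCA2 game for a given (encrypt, decrypt) pair.

    The adversary submits two equal-length messages, receives the encryption of one of
    them chosen by a hidden bit b, and may query decryption of anything except that
    challenge ciphertext.  It wins if it guesses b.
    """

    def __init__(self, encrypt, decrypt):
        self._encrypt, self._decrypt = encrypt, decrypt
        self._key = os.urandom(32)
        self._b = secrets.randbelow(2)
        self._challenge = None

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1), "IND games compare equal-length messages"
        self._challenge = self._encrypt(self._key, (m0, m1)[self._b])
        return self._challenge

    def decrypt_oracle(self, ct: bytes):
        if ct == self._challenge:
            return None  # the single query the IND-CCA2 definition forbids
        return self._decrypt(self._key, ct)

    def hidden_bit(self) -> int:
        return self._b


def adaptive_cca_attack(game: IndCca2Game):
    """Adversary: return its guess of b, or None if the oracle gave it no information."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed sample messages
    c = bytearray(game.challenge(m0, m1))
    c[NONCE_LEN] ^= 0x01                      # flip one bit of the first plaintext byte
    leaked = game.decrypt_oracle(bytes(c))    # allowed: c differs from the challenge
    if leaked is None:
        return None                           # rejected: tag check failed
    recovered = bytes([leaked[0] ^ 0x01]) + leaked[1:]   # undo our own bit flip
    return 0 if recovered == m0 else 1


if __name__ == "__main__":
    stream_game = IndCca2Game(cpa_encrypt, cpa_decrypt)
    print("stream cipher only: guessed", adaptive_cca_attack(stream_game),
          "actual", stream_game.hidden_bit())
    etm_game = IndCca2Game(cca_encrypt, cca_decrypt)
    print("encrypt-then-MAC:   oracle answer", adaptive_cca_attack(etm_game))
```

The point of running it rather than reading the definition is that nothing about the stream cipher changed between the two games; only the capability granted to the attacker did. Writing that capability down (here: one decryption query on a ciphertext of its choosing) is what turns "I want it to be secure" into a statement that can be checked.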