Hi Dan, What you say regarding the NamedCurve/EllipticCurveList is of course right. Whether this constitutes a fundamental change to TLS is debatable. The aim was never to propose this as a cipher suite for general inclusion in a range of supported cipher suites in a browser/server scenario as is pointed out in various places in the draft. The aim was to reuse TLS (a well-known and widely implemented protocol) as a vehicle to support the ECJ-PAKE method and to deliberately constrain the implementation parameters a priori. To me, that does not make this a proprietary protocol and the ease by which existing TLS implementations have been adapted to support TLS-ECJ-PAKE. I guess it does raise the wider question of "what is TLS" though and whether this approach flouts conventional thinking about TLS (which, IMHO, it doesn't).
Robert On 18 July 2016 at 11:06, Dan Harkins <dhark...@lounge.org> wrote: > > Hi Robert, > > This draft moves the NamedCurve/EllipticCurveList into the > ClientHello, and since the client sends X1 and ZKP(X1) in the > ClientHello it means that is going to be a list of 1. It basically > moves the client's key exchange portion from ClientKeyExchange into > ClientHello. So basically, if a client wants to do TLS-ECJ-PAKE > then that's the only thing it can offer and the parameters of > that exchange are all selected by the client, not the server. > > This is a fundamental change to TLS. If it's going to be offered, > it's the only thing that can be offered and therefore the only thing > that can be used. Seems like for a deployment either it's never used > or it's the only thing used and that makes it sort of a proprietary > protocol, not TLS. > > Dan. > > On Thu, June 16, 2016 2:51 am, Robert Cragie wrote: > > I would like to ask the working group for comments on the TLS-ECJ-PAKE > > draft: > > > > https://tools.ietf.org/html/draft-cragie-tls-ecjpake-00 > > > > Some brief notes: > > > > * This intended status is informational. > > * The draft is based on TLS/DTLS 1.2 as the Thread group required basis > on > > existing RFCs wherever possible. For that reason and due to the WGs focus > > on TLS 1.3, I have understood from the chairs that it would not have > > received a great deal of attention from the WG, hence the intended status > > of informational. > > * The draft reflects the current use of the > TLS_ECJPAKE_WITH_AES_128_CCM_8 > > cipher suite in Thread (http://threadgroup.org/). > > * There is an experimental implementation in mbed TLS ( > > https://github.com/ARMmbed/mbedtls) > > * The Thread group would like to get IANA assignments for 4 cipher suite > > values and one ExtensionType value as soon as possible. > > * There are at least four independent implementations, which have been > > used > > in interop. testing over the last 18 months. > > * The security considerations recommend restriction of the use of this > > cipher suite to Thread and similar applications and recommends it should > > not be used with web browsers and servers (mainly due to the long > > discussions regarding the use of PAKEs on this and other mailing lists). > > > > Robert > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > > > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
