RE: [TLS] PRF proposal
It is a good proposal. I'm for it.

I've one question. People are working on a better hash and PRF now.
Practically speaking, there is no way to retrofit such a new hash/etc to
the older already-existing/deployed cipher-suites, correct?

-----Original Message-----
From: Pasi.Eronen@xxxxxxxxx [mailto:Pasi.Eronen@xxxxxxxxx]
Sent: Monday, November 20, 2006 9:13 AM
To: tls@xxxxxxxx
Subject: [TLS] PRF proposal

Hi,

We had a rather complicated discussion about the PRF issue in San
Diego, and in the end we did not take a humm because it was not quite
clear what the alternatives we would be choosing from really are (or
whether the proposed alternatives really were different at all).

Here's a strawman proposal that tries to capture the comments
made in San Diego:

 o Future documents that define ciphersuites must explicitly say
   either that (1) "the ciphersuites defined in this document use
   the default PRF for the negotiated TLS version", or (2) "the
   ciphersuites defined in this document use the following PRF:
   (details of the PRF)".

   Especially documents that use something better than SHA-256 for
   integrity protection should use the latter choice (presumably
   defining a PRF based on the algorithm it considered "better
   than SHA-256"). Other documents might prefer choice 1 since
   that would avoid updating them if someday we define TLS 1.3
   or something.

 o In 4346bis, define the "default PRF for TLS 1.2" as P_SHA256.

 o In 4346bis, specify that all ciphersuites defined in old
   documents predating the above-mentioned requirement use
   choice 1 ("the default PRF for the negotiated TLS version").
   (Already implied by the earlier decision.)

 o Specify that all ciphersuites defined in 4346bis use choice 1.

Would this be satisfactory to everyone? Any other comments?

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
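
The strawman's two choices, modelled as a lookup keyed on negotiated version and ciphersuite. This is an added example, not part of the original messages or of any TLS implementation; the suite names and the `select_prf`/`derive` helpers are hypothetical, while P_hash and the TLS 1.0/1.1 MD5/SHA-1 PRF follow RFC 4346 and the TLS 1.2 default is P_SHA256 as the proposal states.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash expansion (RFC 4346, section 5): HMAC chained over A(i)."""
    out, a = b"", seed                                         # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, ...) XOR P_SHA-1(S2, ...)."""
    half = (len(secret) + 1) // 2          # halves share a byte if the length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, length)
    sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_p(hash_name):
    """Build a single-hash PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return lambda secret, label, seed, length: p_hash(hash_name, secret, label + seed, length)

# Default PRF per negotiated version; (3, 3) is TLS 1.2 with P_SHA256.
DEFAULT_PRF = {(3, 1): prf_tls10, (3, 2): prf_tls10, (3, 3): prf_p("sha256")}

# Hypothetical suite registry. None means choice 1 (version default);
# a callable means choice 2 (the defining document names its own PRF).
SUITE_PRF = {
    "EXAMPLE_OLD_SUITE": None,
    "EXAMPLE_SHA384_SUITE": prf_p("sha384"),
}

def select_prf(version, suite):
    """Resolve the PRF for a connection; reject anything unregistered."""
    if suite not in SUITE_PRF or version not in DEFAULT_PRF:
        raise ValueError(f"no PRF defined for {suite!r} at version {version}")
    return SUITE_PRF[suite] or DEFAULT_PRF[version]

def derive(version, suite, secret, label, seed, length):
    return select_prf(version, suite)(secret, label, seed, length)

if __name__ == "__main__":
    secret, seed = b"\x0b" * 48, b"\x01" * 64   # constructed sample values
    for ver, suite in [((3, 1), "EXAMPLE_OLD_SUITE"), ((3, 3), "EXAMPLE_OLD_SUITE"),
                       ((3, 3), "EXAMPLE_SHA384_SUITE")]:
        print(ver, suite, derive(ver, suite, secret, b"key expansion", seed, 16).hex())
```

Under this model an old suite's PRF changes only with the negotiated version, never per suite, which is what choice 1 means for already-deployed ciphersuites.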