Transport Layer Security (TLS) Working Group Minutes

Meeting : IETF70, Monday 3 December 2007
Location: Vancouver, Salon 1, 09:00-11:30
Chairs  : Eric Rescorla & Pasi Eronen
Minutes : Paul Hoffman
Version : 1 (2007-12-10)

==============================================================

WG summary (by Eric & Pasi)

TLS WG Report
$Id: tls-saag.txt,v 1.1 2007/12/05 23:22:34 ekr Exp $

TLS WG met 9 AM Monday Dec 3.

- TLS 1.2

  TLS 1.2 is currently in WGLC. We went over the current LC comments,
  most of which were editorial. One issue was semi-contentious: what to
  do with IDEA, should it be SHOULD NOT or MUST NOT. This will go to
  the list.

- Extension definitions

  This document hasn't seen any significant changes. It turns out there
  are significant IDN issues. Paul Hoffman agreed to take a look. We
  discussed hash agility for the SHA-1 in the certificate URL extension
  but didn't close on it.

- RSA-AES-SIV

  Dan Harkins presented SIV, another AEAD algorithm that is slower than,
  but more resilient to misuse than, GCM. There was no consensus about
  whether to adopt this, so it was taken to the list.

- ECDHE_PSK Ciphersuites

  Mohamad Badra presented this. We'll take it to the list.

- TLS using EAP Auth

  Yaron Sheffer presented this. There was a fair amount of discussion,
  some pro, some con. No progress can be made here until the issue of
  the EAP applicability statement can be resolved, which is an AD issue.

- TLS Extractors

  There was general enthusiasm for this. Some discussion of extractor
  label registration policies. Consensus to take this as a WG item. To
  confirm on the mailing list.
==============================================================

Note: contents of slides not duplicated here

Document Status
---------------
SRP and OpenPGP keys out as RFCs
TLS 1.2 is in WGLC

TLS 1.2 - Eric "Ekr" Rescorla
-----------------------------
Basically done
Hash agility finally nailed down
Tried to preserve earlier TLS model, but that wasn't possible
It is still possible for the client to ask for things that are impossible
Pasi asked if it was really OK to make IDEA a MUST NOT at the current codepoint
Russ Housley didn't like the idea
Paul Hoffman said that listing untested algorithms causes developers to use them
Stefan Santesson said we should leave a holder in
Straw poll: SHOULD NOT and MUST NOT got roughly equal support
Will take to the list
Question of MAY or SHOULD NOT for SSLv2; leave it as it is
Discussion of whether the server knows the client can do certain hash algorithms
Will clarify text about what a server can do
Request from the NSA to add more hooks for elliptic curve
Would cause normative reference to the EC documents
Ekr doesn't want to do this, will add words to say why
Request for more comments on the list

Extension Definitions - Pasi Eronen
-----------------------------------
Question about IDNs in server_name
Opera and Firefox are using the Punycode format
Spec says UTF-8
Hash agility for URL
Tim Polk says there is no need to do other than SHA-1, but maybe want it
Eric asked if anyone is using this feature; no one responded
Tim said he wouldn't hold up the document without this, but wants it
Need to clean this up before WG last call

RSA-AES-SIV TLS Ciphersuites - Dan Harkins
------------------------------------------
Modelled on GCM, minus nonce management because it is not needed
Big advantage is that there is no nonce reuse issue with SIV
If a nonce is reused, there is no loss of authenticity, but confidentiality is affected if the same message is sent
Individual submission that he would like as a WG document
Tim commented that TLS is the poster child for GCM
NIST SP 800-38D text is probably not about TLS
Russ was concerned about possible intellectual property issues
Dan said that Rogaway submitted this to NIST with an IPR statement
Dan thinks there are no known IPR claims against this
Rogaway told him there are no IPR issues with SIV
Eric said that SIV's advantage over CBC is that it is more compact
Dan responded that it is also a combined mode
Eric said the combined mode is not so important for TLS in specific
Dan thinks that GCM can be misimplemented, SIV can save that
Tim, wearing his NIST hat, said that SIV hasn't gotten any direct work yet
Eric, wearing his WG hat, asked if we should wait six months for NIST
Tim said the WG shouldn't wait for NIST to ask

ECDHE_PSK Ciphersuites for TLS - Mohamad Badra
----------------------------------------------
Eric asked if this is of value; no response
Will take it to the mailing list

TLS using EAP Authentication - Yaron Sheffer
--------------------------------------------
Talked about motivation and rationale
Noted that there is an IPR claim from Nokia on the draft
EAP is now prevalent, particularly in 802.nn
Mostly for SSL VPNs
Currently for thin clients
Might later move into browser
Eric wants more specificity on what changes are needed
Yaron just wants it to be clear
Pasi asked what kind of credentials are being considered
Passwords and SecureID tokens
Eric said he would prefer that IPsec replacement be done in IPsec, not as an extension to TLS
Pasi noted that we don't use HTTP auth because of poor UI
Yaron noted that this could help getting the UI right for TLS
Sam Hartman, wearing his AD hat: need to follow the EAP applicability statement
Also wants to deal with the lying NAS; needs to have channel binding
Yaron says that this proposal follows the applicability statement

TLS Extractors - Eric Rescorla
------------------------------
Yaron asked why use an IANA registry
Eric said that's the way we do it in TLS
Sam and Russ as individuals said we need to do this, even with liberal registration policies
Tim Polk agrees, and wants it in the charter.
Pasi asked if anyone is opposed; no one was.

======================================================================
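The nonce-reuse property claimed for SIV in the RSA-AES-SIV discussion above (authenticity survives a repeated nonce; confidentiality degrades only to revealing that the same message was sent) can be seen directly in a toy model of the synthetic-IV construction. This is an added example, not code from the draft or the minutes; it substitutes HMAC-SHA256 for AES-CMAC (the S2V/tag step) and for AES-CTR (the keystream), so it illustrates the structure, not the real AES-SIV algorithm, and all keys and messages are constructed demo values.

```python
import hmac
import hashlib

def _prf(key, *parts):
    # Toy stand-in for S2V/CMAC: HMAC-SHA256 over length-prefixed inputs.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def _keystream(key, iv, n):
    # Toy stand-in for AES-CTR: counter mode with HMAC-SHA256 as the block function.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def siv_encrypt(k_mac, k_enc, nonce, ad, plaintext):
    # SIV: the IV is a PRF of (AD, nonce, plaintext) and doubles as the tag;
    # the body is plaintext XOR a keystream derived from that IV.
    iv = _prf(k_mac, ad, nonce, plaintext)
    ks = _keystream(k_enc, iv, len(plaintext))
    return iv + bytes(a ^ b for a, b in zip(plaintext, ks))

def siv_decrypt(k_mac, k_enc, nonce, ad, ciphertext):
    # Decrypt first, then recompute the IV from the recovered plaintext;
    # any mismatch (tampered body or IV) is rejected as a forgery.
    iv, body = ciphertext[:32], ciphertext[32:]
    ks = _keystream(k_enc, iv, len(body))
    pt = bytes(a ^ b for a, b in zip(body, ks))
    if not hmac.compare_digest(_prf(k_mac, ad, nonce, pt), iv):
        return None
    return pt

def nonce_reuse_demo():
    # Constructed demo keys, nonce and associated data; the nonce is reused on purpose.
    k_mac, k_enc = b"\x01" * 32, b"\x02" * 32
    nonce, ad = b"\x00" * 8, b"demo-record-header"
    c1 = siv_encrypt(k_mac, k_enc, nonce, ad, b"hello")
    c2 = siv_encrypt(k_mac, k_enc, nonce, ad, b"hello")   # same message, same nonce
    c3 = siv_encrypt(k_mac, k_enc, nonce, ad, b"world")   # different message, same nonce
    tampered = c1[:-1] + bytes([c1[-1] ^ 0x01])           # flip one ciphertext bit
    return {
        "same_msg_leaks_equality": c1 == c2,              # the only confidentiality loss
        "diff_msg_independent": c1 != c3,
        "roundtrip": siv_decrypt(k_mac, k_enc, nonce, ad, c1) == b"hello",
        "tamper_rejected": siv_decrypt(k_mac, k_enc, nonce, ad, tampered) is None,
    }
```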