Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)
draft-ietf-tls-negotiated-ff-dhe-10

[Ballot comment]
Thank you for your work on this draft, it is very well written, easy-to-read, while solving an important problem.  Thanks for the detailed security considerations as well.

[Ballot comment]
The intended status in the document text does, indeed, need to be changed to "Standards Track".  The last call was issued as "Proposed Standard", and the IESG ballot is set up for that, so I think we're OK -- please just fix the text in the next document rev.

[Ballot comment]
Not issue on the technical content and the publication of this document, but https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/ and the write-up mention "Standard Track" while the draft status is Informational, as spotted by Linda in her OPS-DIR review below:

This document is on the Informational Track to specify ways for client and server to establish common finite-field DH parameters with known structure and a mechanism for
peers to negotiate support for these groups.
The document is well written and very clear.
A couple questions:
1)    Why this document is not standard track?
2)    Several sections requests range in reference of p, e.g.  “p-1” or p (Section 5). But there are so many numbers that can be “p” (page 17). What is the significance of the range?

[Ballot comment]
Not issue on the technical content, but https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/ and the write-up mention "Standard Track" while the draft status is Informational, as spotted by Linda in her OPS-DIR review below:

This document is on the Informational Track to specify ways for client and server to establish common finite-field DH parameters with known structure and a mechanism for
peers to negotiate support for these groups.
The document is well written and very clear.
A couple questions:
1)    Why this document is not standard track?
2)    Several sections requests range in reference of p, e.g.  “p-1” or p (Section 5). But there are so many numbers that can be “p” (page 17). What is the significance of the range?

IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-tls-negotiated-ff-dhe-08. Please see below and report any inaccuracies as soon as possible.

IANA's reviewer has the following comments:

IANA understands that, upon approval of this document, there is a single action that IANA must complete.

In the EC Named Curve Registry in the Transport Layer Security (TLS) Parameters registry at

https://www.iana.org/assignments/tls-parameters/

A note will be added to the registry indicating that values from 256-511 (inclusive) are set aside for "Finite Field Diffie-Hellman groups," and that all other entries in the registry are "Elliptic curve groups." This document will be listed as an additional reference for the registry itself.

In addition, the four highest codepoints in the Finite Field Diffie-Hellman group range (508-511, inclusive) will be marked "Reserved for Private Use."

Finally, five new registration will be added the registry (along with the PRIVATE USE restriction) as follows:

+---------------------+-------------+---------+-----------------+
| Value | Description | DTLS-OK | Reference |
+---------------------+-------------+---------+-----------------+
| 256 | ffdhe2048 | Y | [ RFC-to-be ] |
| 257 | ffdhe3072 | Y | [ RFC-to-be ] |
| 258 | ffdhe4096 | Y | [ RFC-to-be ] |
| 259 | ffdhe6144 | Y | [ RFC-to-be ] |
| 260 | ffdhe8192 | Y | [ RFC-to-be ] |
| 508-511 (inclusive) | Reserved for Private Use | - | [ RFC-to-be ]  |
+---------------------+-------------+---------+-----------------+

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS) to Proposed Standard


The IESG has received a request from the Transport Layer Security WG
(tls) to consider the following document:
- 'Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-04-17. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  Traditional finite-field-based Diffie-Hellman (DH) key exchange
  during the TLS handshake suffers from a number of security,
  interoperability, and efficiency shortcomings.  These shortcomings
  arise from lack of clarity about which DH group parameters TLS
  servers should offer and clients should accept.  This document offers
  a solution to these shortcomings for compatible peers by using a
  section of the TLS "EC Named Curve Registry" to establish common
  finite-field DH parameters with known structure and a mechanism for
  peers to negotiate support for these groups.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/ballot/


No IPR declarations have been submitted directly on this I-D.

1. Summary

This most excellent draft addresses a number of security, interoperability, and efficiency shortcomings that arise from the lack of clarity about which DH group parameters TLS servers should offer and clients should accept in their TLS handshakes.  This draft is bound standards track not only because it’s describing protocol bits but it’s also updating existing standards track RFCs.

Please note this draft applies to all version of TLS prior to 1.3.  TLS 1.3 is going to also going to adopt this work directly into its draft.

Sean Turner is the document shepherd and Stephen Farrell is our über Area Director!

2. Review and Consensus

This draft (previous names include draft-gillmor-tls-negotiated-dl-dhe and draft-ietf-tls-negotiated-dl-dhe) has been discussed on the mailing list and at numerous TLS f2f meetings (regularly scheduled IETF meets and TLS interims).  It’s been amended numerous times based on WG feedback and it accurately reflects the WG consensus.  The WGLC was also forwarded to the CFRG.

3. Intellectual Property

[Confirming this as of 2015-03-13]

The shepherd has confirmed the author's direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79.

4. Other Points

***DOWNREF ALERT *** There is a DOWNRF to http://datatracker.ietf.org/doc/draft-bmoeller-tls-falsestart/.  The WG will shortly be asked whether it is willing to adopt this draft.  Seems quite likely it will be adopted.

IANA Considerations: Note that this draft reuses/expands an existing registry to set aside a handful of specific codepoints for FFDHE groups, and a small "private use" range, but explicitly sets aside the entire range 0x0100 → 0x01FF exclusively for FFDHE (and indicates that no FFDHE will appear outside that range).  The WG was queried numerous times about this point and they were okay with this approach.  So, an IESG request to not reuse this existing registry is going to be meet with some pretty heavy opposition.  The IANA considerations are clearly noted in the draft.