Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier
draft-ietf-tls-rfc4492bis-17

A while back Martin Rex noted an editorial error in draft-ietf-tls-rfc4492bis, which is patiently waiting in the RFC editor’s queue.  He noted:

  The last of the "must implement 1 of these 4" list of cipher suites at
  the end of section 6 is not contained in the table at the beginning of
  section 6 above it (instead, it appears in rfc5289 only).

To address this error, the WG has agreed to the following change for the list at the end of s6:

-  o  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+  o  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

[Ballot comment]
I would like to vote Yes on this document, but there are some minor issues with this document which prevent me from doing so:

0) There is some general awkwardness in text talking about allowed points formats, considering that only uncompressed form is now allowed. I don't have recommendations about improving text, other than the following:

If no future formats are expected, it feels almost better to recommend against inclusion of the Point formats extension, as lack of it means uncompressed format anyway.

1) In Section 2.3, last paragraph: Does this paragraph apply only to 2.3 or does it also apply to 2.1 and 2.2? If the latter, then it needs to be moved to section 2.

2) In Section 6:

  Server implementations SHOULD support all of the following cipher
  suites, and client implementations SHOULD support at least one of
  them:

  o  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  o  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  o  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  o  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

GCM ciphers are not listed in the table earlier in the same section. They are defined in RFC 5289. This document doesn't have any reference to RFC 5289 and GCM ciphers are not discussed anywhere else in the document.

[Ballot comment]
Thanks for your work on this draft.  I just have one question:

In section 5.10, I see the following text:
  The default hash function is SHA-1 [FIPS.180-2], and sha_size (see
  Section 5.4 and Section 5.8) is 20.  However, an alternative hash
  function, such as one of the new SHA hash functions specified in FIPS
  180-2 [FIPS.180-2], SHOULD be used instead.

Why are you setting the default to SHA-1 and then recommending that something else should be used?  Why not just start with a different SHA hash function as the default or at least for TLS 1.2?  I do see the prior text about TLS 1.0 and 1.1 using MD5 and SHA-1, but most have recommended to go right to TLS 1.2 with the SSLv3 deprecation.  As such, I'm not clear on why the SHA-1 default.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-tls-rfc4492bis-12.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator has a question about one of the actions requested in the IANA Considerations section of this document.

The IANA Services Operator understands that, upon approval of this document, there are four actions which we must complete.

First, in the Transport Layer Security (TLS) Parameters registry located at:

https://www.iana.org/assignments/tls-parameters/

there are three subregistries called:

- Supported Groups
- EC Point Format
- EC Curve Type

For each of these registries (and for the IANA Matrix), the reference will be changed from RFC 4492 to [ RFC-to-be ]. In addition, the policy for maintenance for these registries will change from IETF Review to Specification Required.

Second, in the Supported Groups Registry subregistry of the Transport Layer Security (TLS) Parameters registry located at:

https://www.iana.org/assignments/tls-parameters/

the temporary values 29 and 30 for:

ecdh_x25519 and
ecdh_x448

will be made permanent and the reference changed to [ RFC-to-be ].

Third, the authors make the following request: " IANA is requested to assign two values from the NamedCurve registry with names ed25519(TBD3) and ed448(TBD4) with this document as reference. To keep compatibility with TLS 1.3, TBD3 should be 0x07, and TBD4 should be 0x08." IANA notes that the former EC Named Curve Registry has been renamed the Supported Groups Registry and that the registration request does not match the entires in that registry.

Question --> In what registry should the names ed25519(TBD3) and ed448(TBD4) be registered?

Fourth, in the TLS HashAlgorithm Registry in the Transport Layer Security (TLS) Parameters registry located at:

https://www.iana.org/assignments/tls-parameters/

the authors request: "assign one value from the "TLS HashAlgorithm Registry" with name Intrinsic(TBD5) and this document as reference. To keep compatibility with TLS 1.3, TBD5 should be 0x08." However the values for the TLS HashAlgorithm Registry are simple decimal numbers and the registry requires an entry for DTLS-OK.

Question --> Is the TLS HashAlgorithm Registry the correct registry for this new entry? If so, is the value to be 8? What should the entry be for DTLS-OK?

The IANA Services Operator understands that these four actions are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: "Sean Turner" , draft-ietf-tls-rfc4492bis@ietf.org, tls@ietf.org, stephen.farrell@cs.tcd.ie, sean@sn3rd.com, tls-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier) to Proposed Standard


The IESG has received a request from the Transport Layer Security WG
(tls) to consider the following document:
- 'Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
  Security (TLS) Versions 1.2 and Earlier'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-03-03. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes key exchange algorithms based on Elliptic
  Curve Cryptography (ECC) for the Transport Layer Security (TLS)
  protocol.  In particular, it specifies the use of Ephemeral Elliptic
  Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the
  use of Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards
  Digital Signature Algorithm (EdDSA) as authentication mechanisms.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-tls-rfc4492bis/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-tls-rfc4492bis/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc8032: Edwards-Curve Digital Signature Algorithm (EdDSA) (Informational - IRTF Stream)
    rfc7748: Elliptic Curves for Security (Informational - IRTF Stream)
These are already be listed in the acceptable Downref Registry.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This draft is intended for Standards track; this is indicated in the title page header as well as in the data tracker.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

This document adds Elliptic Curve Cryptography (ECC) cipher suites to
TLS 1.0-1.2.  These cipher suites have some technical
advantages over the currently defined RSA and DH/DSS cipher suites in
terms of key size and performance.  This document does not entail any
changes to the TLS base specification.

Note that Appendix B lists the changes from RFC 4492.

Working Group Summary

The WG was able to achieve consensus on advancing this
document to Proposed Standard.  Moving RFC 4492 to Standards
Track was the main reason for the draft.  It seemed odd to specify
MTI algorithms based on ECC in TLS1.3 and have the TLS1.0-1.2
RFC for the same algorithms be Informational.

Note that we needed to consult the CFRG on the "use of contexts".
Our thanks to them for contributing to this work.

Document Quality

This is a bis draft so the majority of the draft has been reviewed by
the IETF already.  The -00 version of the individual draft allows easy
diff to what was published as RFC 4492.  Note that more was taken
out than put in.

Personnel

Sean Turner is the Document Shepherd.
Stephen Farrell is the responsible AD.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

This version of the draft (-12) is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

There are no concerns about the breadth or depth of the reviews.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No portions of the document need review from a particular or from
broader perspective.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

See the answer to #8.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

Yes - the authors have each confirmed that any and all appropriate IPR
disclosures required have been made.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

IPR has not been filed on this document, but IPR was filed on RFC 4492.
The prevailing WG belief is that the previously disclosed IPR has expired.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

This says it all:
https://www.youtube.com/watch?v=2NEbe_brJAQ

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

There are no known threats of appeal.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

Nits reports a lot of DOWNREFs, but our AD will make doubly sure that
only actual DOWNREFs are called out in the IETF LC.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

N/A

(13) Have all references within this document been identified as
either normative or informative?

Yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

No, but there are normative references to draft-ietf-curdle-pkix and that draft should be with the IESG on or
about the same time as this draft.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

!!!!-> YES - DOWNREFs are needed to two CFRG RFCs:

RFC 7748
RFC 8032

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

Yes this draft will obsolete 4492 and this is reflected on the title page header.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

Three registries were defined in RFC 4492.  One’s name was altered by
RFC 7919 and this draft reflects that new name.

This draft also reflects the WG consensus to move the registration
policies from IETF Review to Specification Required for all three of
the 4492-defined registries.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

The expert is probably going to be ekr, but the review really just needs
to be limited to whether there’s actually a publicly available specification.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

These extensions are implemented so the Shepherd is confident that the
formal language is a-okay.