AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS
draft-mcgrew-tls-aes-ccm-ecc-08
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2014-05-22
|
08 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2014-05-07
|
08 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2014-04-24
|
08 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2014-04-07
|
08 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2014-04-04
|
08 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2014-03-14
|
08 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2014-03-04
|
08 | Amy Vezza | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2014-03-04
|
08 | (System) | RFC Editor state changed to EDIT |
2014-03-04
|
08 | (System) | Announcement was received by RFC Editor |
2014-03-04
|
08 | (System) | IANA Action state changed to In Progress |
2014-03-04
|
08 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed |
2014-03-04
|
08 | Amy Vezza | IESG has approved the document |
2014-03-04
|
08 | Amy Vezza | Closed "Approve" ballot |
2014-03-04
|
08 | Amy Vezza | Ballot approval text was generated |
2014-03-04
|
08 | Amy Vezza | Ballot writeup was changed |
2014-02-12
|
08 | David McGrew | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2014-02-12
|
08 | David McGrew | New version available: draft-mcgrew-tls-aes-ccm-ecc-08.txt |
2014-01-31
|
07 | Sean Turner | Changed consensus to Yes from Unknown |
2013-12-13
|
07 | Sean Turner | Ballot writeup was changed |
2013-12-13
|
07 | Sean Turner | Ballot writeup was changed |
2013-10-31
|
07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Donald Eastlake. |
2013-10-24
|
07 | Cindy Morgan | State changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2013-10-24
|
07 | Meral Shirazipour | Request for Telechat review by GENART Completed: Almost Ready. Reviewer: Meral Shirazipour. |
2013-10-24
|
07 | Gonzalo Camarillo | [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo |
2013-10-23
|
07 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2013-10-23
|
07 | Ted Lemon | [Ballot comment] The document describes these cipher suites as being useful for constrained nodes, but needed on other nodes so that they can interoperate with … [Ballot comment] The document describes these cipher suites as being useful for constrained nodes, but needed on other nodes so that they can interoperate with constrained nodes that use it. This implies to me that a node that is not constrained might want to use a different algorithm. I don't have enough of a clue about ciphers to know if this means that this cipher suite is weaker, but that's what I'm tempted to assume. If in fact it is weaker, then the encouragement to implement it on non-constrained nodes ought to be accompanied by an admonishment never to volunteer to use it when the communicating partner supports a better cipher suite. Is the fact that I don't see this admonition because it is felt to be obvious, or is made in some other document, or am I just mistaken about the reason behind recommending this cipher suite specifically for constrained nodes? |
2013-10-23
|
07 | Ted Lemon | [Ballot Position Update] New position, No Objection, has been recorded for Ted Lemon |
2013-10-23
|
07 | Richard Barnes | [Ballot comment] Like Spencer, I'm confused by the requirement in Section 2 that "the server's certificate SHOULD contain a suitable ECC public key, SHOULD be … [Ballot comment] Like Spencer, I'm confused by the requirement in Section 2 that "the server's certificate SHOULD contain a suitable ECC public key, SHOULD be signed with a suitable ECC public key". Section 2.2 of RFC 4492 has the following requirement for ECDHE_ECDSA ciphersuites: "In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA- capable public key and be signed with ECDSA." Isn't that the same as what's in this document, only stronger? The Security Considerations refers to "The IV construction in Section 2...", but Section 2 refers to the "nonce input". Should probably change "IV" to "nonce" to align with Section 2 and RFC 6655. |
2013-10-23
|
07 | Richard Barnes | Ballot comment text updated for Richard Barnes |
2013-10-23
|
07 | Richard Barnes | [Ballot comment] Like Spencer, I'm confused by the requirement in Section 2 that "the server's certificate SHOULD contain a suitable ECC public key, SHOULD be … [Ballot comment] Like Spencer, I'm confused by the requirement in Section 2 that "the server's certificate SHOULD contain a suitable ECC public key, SHOULD be signed with a suitable ECC public key". Section 2.2 of RFC 4492 has the following requirement for ECDHE_ECDSA ciphersuites: "In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA- capable public key and be signed with ECDSA." Isn't that the same as what's in this document, only stronger? |
2013-10-23
|
07 | Richard Barnes | [Ballot Position Update] New position, No Objection, has been recorded for Richard Barnes |
2013-10-23
|
07 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2013-10-23
|
07 | Stephen Farrell | [Ballot comment] - While I hate to see more TLS ciphersuites being added to the zoo, these will be used as the algs are baked … [Ballot comment] - While I hate to see more TLS ciphersuites being added to the zoo, these will be used as the algs are baked in various bits of h/w. - The write up talks about existing implementations. Are the codepoints really still ok for IANA to pick or has the horse really left the barn? I'm not asking to encourage naughtiness, but it'd be a shame if some zigbee stuff was out there already and wasn't going to be changed. - The "cert SHOULD be signed with ECC" seems like an odd SHOULD, I think you mean its more likely to work in more environments if you use ECC all the way up and don't have any RSA, but if so, it'd maybe be better to say that. - A reference to the brainpool curves in TLS RFC in appendix A would probably be useful. |
2013-10-23
|
07 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
2013-10-23
|
07 | Benoît Claise | [Ballot comment] Not the expert on that topic. No feedback. |
2013-10-23
|
07 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2013-10-23
|
07 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2013-10-22
|
07 | Spencer Dawkins | [Ballot comment] This might not even be a comment, but a question. In Section 1. Introduction, This document describes the use of Advanced Encryption … [Ballot comment] This might not even be a comment, but a question. In Section 1. Introduction, This document describes the use of Advanced Encryption Standard (AES) [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS ciphersuites. AES-CCM provides both authentication and confidentiality and uses as its only primitive the AES encrypt operation (the AES decrypt operation is not needed). This makes it ^^^ ^^^ ^^^^^^^ ^^^^^^^^^ ^^ ^^^ ^^^^^^ amenable to compact implementations, which is advantageous in constrained environments. Of course, adoption outside of constrained environments is necessary to enable interoperability, such as that between web clients and embedded servers, or between embedded clients and web servers. My first interactive programming language was APL, often described as a http://en.wikipedia.org/wiki/Write-only_language ("I can write any program in APL, I just can't read them"), so this made me curious. I can imagine an implementation for a constrained environment that only encrypts sensor information, and never receives control information, so doesn't need to include decryption, but is it obvious to everyone but me how the encrypted information is used, if there is no defined decrypt operation? Or is this a missing reference to some other specification that describes what you do with the authenticated and encrypted zeros and ones? I'm looking at Implementations of these ciphersuites will interoperate with [RFC4492], but can be more compact than a full implementation of that RFC. in section 2 - is that related? But I'm just guessing. If this is a stupid question, I apologize for interrupting, of course. Please carry on. Also in section 2, o The server's certificate SHOULD contain a suitable ECC public key, ^^^^^^ SHOULD be signed with a suitable ECC public key, and the elliptic curve and hash function SHOULD be selected to ensure a uniform security level; guidance on acceptable choices of hashes and curves that can be used with each ciphersuite is detailed in Section 2.2. I'm not questioning any other SHOULD in the document, but if the server's certificate doesn't contain a suitable ECC public key, can you still do something useful? |
2013-10-22
|
07 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2013-10-22
|
07 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant |
2013-10-19
|
07 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2013-10-18
|
07 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2013-10-17
|
07 | Jean Mahoney | Request for Telechat review by GENART is assigned to Meral Shirazipour |
2013-10-17
|
07 | Jean Mahoney | Request for Telechat review by GENART is assigned to Meral Shirazipour |
2013-10-15
|
07 | Sean Turner | My one concern about this cipher suite draft is the additional stipulations found in s2. Other TLS cipher suites do not provide these, they just … My one concern about this cipher suite draft is the additional stipulations found in s2. Other TLS cipher suites do not provide these, they just list the ciphers period. I pointed this out to the TLS WG and no one objected. You should not that they are reasonable, at least in my mind. Further Appendix A was originally in the mainbody of the draft but it was moved at my request to an appendix because no other draft ECC TLS cipher suite draft mandates a particular curve or set of curves. |
2013-10-15
|
07 | Sean Turner | Ballot has been issued |
2013-10-15
|
07 | Sean Turner | [Ballot Position Update] New position, Yes, has been recorded for Sean Turner |
2013-10-15
|
07 | Sean Turner | Created "Approve" ballot |
2013-10-15
|
07 | Sean Turner | Ballot writeup was changed |
2013-10-15
|
07 | Sean Turner | State changed to IESG Evaluation from Waiting for Writeup |
2013-10-10
|
07 | Meral Shirazipour | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Meral Shirazipour. |
2013-10-10
|
07 | Cindy Morgan | Note field has been cleared |
2013-10-10
|
07 | (System) | State changed to Waiting for Writeup from In Last Call (ends 2013-10-10) |
2013-10-08
|
07 | Sean Turner | Placed on agenda for telechat - 2013-10-24 |
2013-09-24
|
07 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2013-09-24
|
07 | Amanda Baber | IESG/Authors/WG Chairs: IANA has reviewed draft-mcgrew-tls-aes-ccm-ecc-07. Authors should review the comments and/or questions below. Please report any inaccuracies and respond to any questions as soon … IESG/Authors/WG Chairs: IANA has reviewed draft-mcgrew-tls-aes-ccm-ecc-07. Authors should review the comments and/or questions below. Please report any inaccuracies and respond to any questions as soon as possible. IANA's reviewer has the following comments/questions: IANA understands that, upon approval of this document, there is a single action which IANA must complete. In the TLS Cipher Suite Registry in the Transport Layer Security (TLS) Parameters page at http://www.iana.org/assignments/tls-parameters/ four new cipher suites are to be registered as follows: Value Description DTLS-OK Reference -------------+------------------------+----------------+------------- [TBD-at-registration] TLS_ECDHE_ECDSA_WITH_AES_128_CCM Y [ RFC-to-be ] [TBD-at-registration] TLS_ECDHE_ECDSA_WITH_AES_256_CCM Y [ RFC-to-be ] [TBD-at-registration] TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 Y [ RFC-to-be ] [TBD-at-registration] TLS_ECDHE_ECDSA_WITH_AES_1256_CCM_8 Y [ RFC-to-be] IANA understands that this is the only action required to be completed by IANA upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. |
2013-09-19
|
07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Donald Eastlake |
2013-09-19
|
07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Donald Eastlake |
2013-09-12
|
07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Meral Shirazipour |
2013-09-12
|
07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Meral Shirazipour |
2013-09-12
|
07 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2013-09-12
|
07 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce Reply-To: ietf@ietf.org Sender: Subject: Last Call: (AES-CCM ECC Cipher Suites for TLS) … The following Last Call announcement was sent out: From: The IESG To: IETF-Announce Reply-To: ietf@ietf.org Sender: Subject: Last Call: (AES-CCM ECC Cipher Suites for TLS) to Informational RFC The IESG has received a request from an individual submitter to consider the following document: - 'AES-CCM ECC Cipher Suites for TLS' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-10-10. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This memo describes the use of the Advanced Encryption Standard (AES) in the Counter and CBC-MAC Mode (CCM) of operation within Transport Layer Security (TLS) to provide confidentiality and data origin authentication. The AES-CCM algorithm is amenable to compact implementations, making it suitable for constrained environments. The ciphersuites defined in this document use Elliptic Curve Cryptography (ECC), and are advantageous in networks with limited bandwidth. The file can be obtained via http://datatracker.ietf.org/doc/draft-mcgrew-tls-aes-ccm-ecc/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-mcgrew-tls-aes-ccm-ecc/ballot/ The following IPR Declarations may be related to this I-D: http://datatracker.ietf.org/ipr/1352/ http://datatracker.ietf.org/ipr/1443/ |
2013-09-12
|
07 | Amy Vezza | State changed to In Last Call from Last Call Requested |
2013-09-12
|
07 | Sean Turner | Last call was requested |
2013-09-12
|
07 | Sean Turner | Ballot approval text was generated |
2013-09-12
|
07 | Sean Turner | Ballot writeup was generated |
2013-09-12
|
07 | Sean Turner | State changed to Last Call Requested from AD Evaluation::AD Followup |
2013-09-12
|
07 | Sean Turner | Last call announcement was generated |
2013-08-30
|
07 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2013-08-30
|
07 | David McGrew | New version available: draft-mcgrew-tls-aes-ccm-ecc-07.txt |
2013-06-20
|
06 | Cindy Morgan | Document shepherd changed to Robert Cragie |
2013-06-20
|
06 | Sean Turner | Document shepherd changed to (None) |
2013-06-20
|
06 | Sean Turner | Document shepherd changed to (None) |
2013-06-20
|
06 | Sean Turner | Changed document writeup |
2013-05-21
|
06 | Sean Turner | This draft is needed by both the COAP WG and the Zigbee Alliance. The only issue with this draft was whether the draft should include … This draft is needed by both the COAP WG and the Zigbee Alliance. The only issue with this draft was whether the draft should include MTI curve. I queried the TLS WG and there was definitely support for the conservative curves chosen but not that much support for keeping the curves in the draft. I've instructed the authors to remove the curves from the draft and checked informed the COAP & Zigbee folks that they need to make sure the curves are in their drafts. Turns out the Zigbee folks already had the curves in and the COAP authors seem amenable to incorporating the same MTI curve. All good. Waiting on a revised version. |
2013-05-21
|
06 | Sean Turner | State changed to AD Evaluation::Revised I-D Needed from AD is watching |
2013-02-22
|
06 | Sean Turner | State changed to AD is watching from Dead |
2013-02-01
|
06 | David McGrew | New version available: draft-mcgrew-tls-aes-ccm-ecc-06.txt |
2013-01-17
|
05 | (System) | Document has expired |
2013-01-17
|
05 | (System) | State changed to Dead from AD is watching::Revised ID Needed |
2013-01-02
|
05 | Sean Turner | State changed to AD is watching::Revised ID Needed from AD is watching |
2013-01-02
|
05 | Sean Turner | Notification list changed to : mcgrew@cisco.com, dbailey@rsa.com, mcampagna@certicom.com, rdugal@certicom.com, draft-mcgrew-tls-aes-ccm-ecc@tools.ietf.org, robert.cragie@gridmerge.com, rdroms.ietf@gmail.com |
2013-01-02
|
05 | Sean Turner | Note added 'Robert Cragie (robert.cragie@gridmerge.com) is the document shepherd.' |
2012-07-18
|
05 | Sean Turner | Whoops hit the wrong button when I put it in AD Evaluation. |
2012-07-18
|
05 | Sean Turner | State changed to AD is watching from AD Evaluation |
2012-07-18
|
05 | Sean Turner | State changed to AD Evaluation from Dead |
2012-07-18
|
05 | Sean Turner | State Change Notice email list changed to mcgrew@cisco.com, dbailey@rsa.com, mcampagna@certicom.com, rdugal@certicom.com, draft-mcgrew-tls-aes-ccm-ecc@tools.ietf.org, rdroms@cisco.com from mcgrew@cisco.com, dbailey@rsa.com, mcampagna@certicom.com, … State Change Notice email list changed to mcgrew@cisco.com, dbailey@rsa.com, mcampagna@certicom.com, rdugal@certicom.com, draft-mcgrew-tls-aes-ccm-ecc@tools.ietf.org, rdroms@cisco.com from mcgrew@cisco.com, dbailey@rsa.com, mcampagna@certicom.com, rdugal@certicom.com, draft-mcgrew-tls-aes-ccm-ecc@tools.ietf.org |
2012-07-16
|
05 | David McGrew | New version available: draft-mcgrew-tls-aes-ccm-ecc-05.txt |
2012-07-09
|
04 | David McGrew | New version available: draft-mcgrew-tls-aes-ccm-ecc-04.txt |
2012-05-31
|
03 | David McGrew | New version available: draft-mcgrew-tls-aes-ccm-ecc-03.txt |
2012-04-20
|
02 | (System) | Document has expired |
2012-04-20
|
02 | (System) | State changed to Dead from AD is watching::Revised ID Needed |
2012-02-08
|
02 | Sean Turner | State changed to AD is watching::Revised ID Needed from AD is watching. |
2012-02-08
|
02 | Sean Turner | Draft added in state AD is watching |
2012-02-08
|
02 | Sean Turner | Setting stream while adding document to the tracker |
2012-02-08
|
02 | Sean Turner | Stream changed to IETF from |
2011-10-18
|
02 | (System) | New version available: draft-mcgrew-tls-aes-ccm-ecc-02.txt |
2011-07-25
|
02 | (System) | Document has expired |
2011-01-19
|
01 | (System) | New version available: draft-mcgrew-tls-aes-ccm-ecc-01.txt |
2010-11-02
|
(System) | Posted related IPR disclosure: Certicom Corp. Statement about IPR Related to draft-mcgrew-tls-aes-ccm-ecc-00 | |
2010-07-06
|
(System) | Posted related IPR disclosure: Certicom's Statement of IPR relating to draft-mcgrew-tls-aes-ccm-ecc-00 | |
2010-07-05
|
00 | (System) | New version available: draft-mcgrew-tls-aes-ccm-ecc-00.txt |