- From: Paul Hoffman <paul.hoffman@gmail.com>
- Date: Tue, 3 Dec 2013 10:25:29 -0800
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAPik8yZ3M0=n=19zUiK9=E+DKHKr-RpJQ8nt+WwZon_6n6cvDA@mail.gmail.com>
On Tue, Dec 3, 2013 at 9:44 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 3 December 2013 09:32, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> > Because the goal is to "encrypt more", and there is disagreement about what
> > "more" means. The WG seemed more wedged on how to encrypt than what to
> > encrypt. I trust the WG to resolve the latter if they figure out the former.
>
> You are far more trusting than I :)
>
> The reason I asked this question was not because I wanted you to stick
> your neck out that much further. I really wanted to get some of the
> more difficult questions answered with respect to how the keying
> material was applied.

Once the parties have an agreed-to encryption algorithm and shared secret keys, the details of how to apply them are fairly trivial. Documents about how to do this for S/MIME, TLS, and IPsec are usually about two pages of real material and then a bunch of fluff. The fact that MUE will re-use known encryption algorithms (like AES-GCM) should make such documents trivially short.

> Sequence numbers, IVs, all that sort of muck.
> Maybe that's just an inherent aversion to hand-waving over the
> details.

They are details that need to be worked out, but not until the WG decides if it likes the advantages of MUE more than the advantages of upgrade-to-TLS. That decision should absolutely be based on "which style makes more sense", not "which early proposal had more details".

> >> Why did you choose to invent a new security protocol and not repurpose
> >> something like DTLS?
> >
> > DTLS assumes a transport layer after the negotiation is done. DTLS takes
> > many more round trips. DTLS has the concept of authenticating the server
> > mostly built-in. If the WG wants DTLS, I would strongly suggest using TLS
> > instead.
>
> Yes, that's the unasked question. What's wrong with TLS exactly?

I was about to say "it's in the document" and now see that the Markdown-to-XML converter ate that. <sigh>.

Please see Section 6 in the -01 draft (http://tools.ietf.org/html/draft-hoffman-httpbis-minimal-unauth-enc-01) just published for a recap of the pros and cons of what people have said on the list.

--Paul Hoffman
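As an added illustration of the "sequence numbers, IVs, all that sort of muck" the exchange above refers to, here is a small Go record layer that applies an already-agreed AES-GCM key in one direction. This is example code written for this page; it is not from the draft and not from either author. It assumes a TLS-style 96-bit nonce built as a 4-byte per-direction salt followed by the 64-bit record sequence number, and the key, salt and messages are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// recordCrypter applies an agreed AES-GCM key in one direction of a connection.
// Nonce = salt (4 bytes) || sequence number (8 bytes, big-endian), so the nonce
// is unique for as long as the sequence number never repeats under this key.
type recordCrypter struct {
	aead cipher.AEAD
	salt [4]byte
	seq  uint64 // sender: next number to use; receiver: next number expected
}

const maxSeq = ^uint64(0)

func newRecordCrypter(key []byte, salt [4]byte) (*recordCrypter, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &recordCrypter{aead: aead, salt: salt}, nil
}

func (r *recordCrypter) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n[:4], r.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal produces a record: 8-byte sequence number || ciphertext || GCM tag.
// The sequence number is also bound as associated data, so a modified header
// fails authentication. Refusing to wrap the counter prevents nonce reuse.
func (r *recordCrypter) Seal(plaintext []byte) ([]byte, error) {
	if r.seq == maxSeq {
		return nil, errors.New("sequence space exhausted: rekey before reusing a nonce")
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, r.seq)
	out := r.aead.Seal(append([]byte(nil), hdr...), r.nonce(r.seq), plaintext, hdr)
	r.seq++
	return out, nil
}

// Open insists on the exact next sequence number (rejecting replayed or
// reordered records before any decryption), then authenticates and decrypts.
func (r *recordCrypter) Open(record []byte) ([]byte, error) {
	if len(record) < 8 {
		return nil, errors.New("record too short")
	}
	hdr, body := record[:8], record[8:]
	seq := binary.BigEndian.Uint64(hdr)
	if seq != r.seq {
		return nil, fmt.Errorf("unexpected sequence number %d (want %d): replay or loss", seq, r.seq)
	}
	pt, err := r.aead.Open(nil, r.nonce(seq), body, hdr)
	if err != nil {
		return nil, err
	}
	r.seq++
	return pt, nil
}

// Demo runs a sender/receiver pair over constructed sample values and returns
// the decrypted messages plus whether a replayed record was rejected.
func Demo() ([]string, bool, error) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key, demo only
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}          // constructed per-direction salt
	sender, _ := newRecordCrypter(key, salt)
	receiver, _ := newRecordCrypter(key, salt)
	var got []string
	var records [][]byte
	for _, m := range []string{"GET / HTTP/1.1", "Host: example.com"} {
		rec, err := sender.Seal([]byte(m))
		if err != nil {
			return nil, false, err
		}
		records = append(records, rec)
		pt, err := receiver.Open(rec)
		if err != nil {
			return nil, false, err
		}
		got = append(got, string(pt))
	}
	_, err := receiver.Open(records[0]) // replaying an old record must fail
	return got, err != nil, nil
}

func main() {
	got, replayRejected, err := Demo()
	fmt.Println(got, replayRejected, err)
}
```

The two checks worth noticing are the ones a "two pages of real material" document has to pin down: the receiver accepts only the exact next sequence number, so replays and reordering are rejected before the AEAD is even invoked, and the sender refuses to continue once the counter would wrap, because reusing a nonce under the same AES-GCM key destroys both confidentiality and integrity. Everything else in the block is the trivial plumbing the message above describes.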
Received on Tuesday, 3 December 2013 18:25:56 UTC