Re: Ciphersuites (was Re: Mandatory to implement cipher suites)

On Sat, Jul 19, 2014 at 12:33 PM, Brian Smith <brian@briansmith.org> wrote:

> Also, I am
> concerned that encouraging or mandating any TLS_DHE_* cipher suites
> may cause complications for the 1-RTT and/or 0-RTT handshakes in TLS
> 1.3. In particular, I am concerned that it may be too inefficient to
> presumptuously generate ephemeral DHE keypairs for use in the
> ClientHello, especially in addition to one or more ECDHE keys that
> will have to be presumptuously generated too.


Responding just to this point:
The current TLS 1.3 draft [0] does not require clients to provide DHE
shares for every possible key exchange mechanism, nor would I expect
us to require that. Therefore, making DHE mandatory would not require
clients to optimistically generate DHE shares. Clients can simply select
the groups they believe represent the best tradeoff between correct
guessing and CPU cost (or bandwidth cost, which seems to be more
serious).

Of course, it's possible that if we make a number of different groups
MTI, there will be disjoint sets of server support and that therefore
clients will have to send a lot of shares or run the risk of multiple
round trips. However, I don't think that's made much more likely
by specifying integer DHE.

-Ekr

[0] http://tools.ietf.org/html/draft-ietf-tls-tls13-02

Received on Saturday, 19 July 2014 21:17:58 UTC
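
The tradeoff described in the reply above, as an added example that is not part of the original message or of the TLS 1.3 draft: a client may support a group without sending a share for it, and the choice of which shares to send trades first-flight bytes against the chance of an extra round trip. The group labels, the server population and the simplified negotiation model are assumptions constructed for illustration.

```python
from itertools import combinations

# Public-value sizes in bytes: uncompressed EC point = 1 + 2 * field size;
# finite-field DHE public value = modulus size. Labels are illustrative.
SHARE_BYTES = {"p256": 65, "p384": 97, "dhe2048": 256}

# Constructed server population: (groups the server supports, weight in %).
SERVERS = [
    ({"p256", "p384", "dhe2048"}, 50),
    ({"p256"}, 30),
    ({"p384", "dhe2048"}, 15),
    ({"dhe2048"}, 5),
]

def handshake(client_supported, client_shares, server_groups):
    """Simplified model: outcome of one handshake attempt against one server."""
    if any(g in server_groups for g in client_shares):
        return "first-flight"   # server can use a share it was already sent
    if any(g in server_groups for g in client_supported):
        return "retry"          # common group exists, costs an extra round trip
    return "fail"               # no group in common at all

def evaluate(client_supported, client_shares, servers=SERVERS):
    """Bytes of key shares sent and percentage of servers with no extra round trip."""
    total = sum(w for _, w in servers)
    hit = sum(w for groups, w in servers
              if handshake(client_supported, client_shares, groups) == "first-flight")
    sent = sum(SHARE_BYTES[g] for g in client_shares)
    return {"bytes": sent, "hit_pct": hit * 100 // total}

def tradeoff_table(client_supported, servers=SERVERS):
    """Every non-empty choice of shares to send, cheapest first."""
    rows = []
    for n in range(1, len(client_supported) + 1):
        for shares in combinations(client_supported, n):
            r = evaluate(client_supported, shares, servers)
            rows.append((shares, r["bytes"], r["hit_pct"]))
    return sorted(rows, key=lambda row: (row[1], -row[2]))

if __name__ == "__main__":
    supported = ["p256", "p384", "dhe2048"]   # DHE is supported in every row
    for shares, size, pct in tradeoff_table(supported):
        print(f"{'+'.join(shares):22} {size:4d} bytes  {pct:3d}% without extra round trip")
```

In this constructed population, sending only the P-256 share costs 65 bytes and avoids the extra round trip for 80% of servers, while the DHE-only servers still connect after a retry because the group remains in the supported list.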