Here’s the draft minutes for today’s interim. Please post corrections to the list.
Should we remove SSLv3 from the session hash draft? Various points were made about why SSLv3 is either not being used or is only in devices that aren't being updated. One more update to remove SSLv3, some other cleanups, and then go to WG LC. Sean will try to force out any issues for discussion in Hawaii.
Bodo's slides are at https://github.com/tlswg/wg-materials/blob/master/20141021_interim/TLS_FALLBACK_SCSV_IETF_TLS_Interim_Oct_2014.pdf. Based on list feedback, he is going to add some clarifications (no changes to the mechanism). The False Start I-D needs to be updated since an attacker can force a version; Bodo to do that. Discussion of distinguishing between a TCP reset (in FF) and version intolerance. Discussion of when to 'guess' that a failure is transient versus version intolerance. Need to add some guidance to the I-D: mixing SCSV and version-intolerant servers will cause pain. Sean went through the issues raised on the mailing list.
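To make the "transient failure vs. version intolerance" and "SCSV plus version-intolerant server" points concrete, here is an added Python model of the TLS_FALLBACK_SCSV rules from Bodo's draft (later RFC 7507). It is illustration written for these minutes, not code from the draft or from any TLS stack: the Server and ClientHello classes, the placeholder cipher-suite values and the "network drops the first handshake" switch are all constructed for the example. Only the SCSV value 0x5600, the inappropriate_fallback alert and the server-side rule (abort if the SCSV is present and ClientHello.client_version is below the server's highest version) come from the draft.

```python
"""Model of TLS_FALLBACK_SCSV (RFC 7507) client fallback and server check.

Versions are (major, minor) tuples as on the wire: TLS 1.0 = (3,1), TLS 1.2 = (3,3).
The Server/ClientHello classes are a constructed abstraction, not a TLS implementation.
"""
from dataclasses import dataclass, field

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value from RFC 7507
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
INAPPROPRIATE_FALLBACK = "inappropriate_fallback"   # alert 86


@dataclass
class ClientHello:
    client_version: tuple
    cipher_suites: list


@dataclass
class Server:
    max_version: tuple
    supports_scsv: bool                      # implements the RFC 7507 server check
    # Hypothetical bug: ClientHello versions this server cannot parse (it resets instead)
    intolerant_versions: frozenset = field(default_factory=frozenset)

    def handle(self, hello):
        """Return ('reset', None), ('alert', name) or ('ok', negotiated_version)."""
        if hello.client_version in self.intolerant_versions:
            return ("reset", None)           # version intolerance: hello never parsed
        if (self.supports_scsv
                and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < self.max_version):
            # Client is retrying below what we support: a downgrade, so refuse.
            return ("alert", INAPPROPRIATE_FALLBACK)
        return ("ok", min(hello.client_version, self.max_version))


def connect(server, client_max=TLS12, client_min=TLS10, network_drops_first=False):
    """Client-side fallback loop.

    network_drops_first models an on-path reset of the first handshake (attacker or
    flaky middlebox); the client cannot tell it from version intolerance, so it
    retries with a lower version and adds the SCSV. Returns (outcome, detail, attempts).
    """
    versions = [v for v in (TLS12, TLS11, TLS10) if client_min <= v <= client_max]
    attempts = []
    for i, version in enumerate(versions):
        suites = [0x009C, 0x002F]            # constructed placeholder suites
        if i > 0:
            suites.append(TLS_FALLBACK_SCSV)  # RFC 7507: sent only on fallback retries
        hello = ClientHello(version, suites)
        result = ("reset", None) if (i == 0 and network_drops_first) else server.handle(hello)
        attempts.append((version, result))
        if result[0] in ("ok", "alert"):
            return (result[0], result[1], attempts)
        # 'reset' is ambiguous (transient or intolerance?); the client guesses and falls back
    return ("fail", None, attempts)


def run_scenarios():
    """Exercise the cases discussed in the interim; returns a dict keyed by scenario."""
    modern = Server(TLS12, supports_scsv=True)
    legacy = Server(TLS10, supports_scsv=False)
    legacy_scsv = Server(TLS10, supports_scsv=True)
    intolerant_no_scsv = Server(TLS12, False, frozenset({TLS12}))
    intolerant_scsv = Server(TLS12, True, frozenset({TLS12}))
    return {
        "modern_clean": connect(modern),
        "modern_downgrade_attempt": connect(modern, network_drops_first=True),
        "legacy_downgrade_attempt": connect(legacy, network_drops_first=True),
        "legacy_scsv_downgrade_attempt": connect(legacy_scsv, network_drops_first=True),
        "intolerant_without_scsv": connect(intolerant_no_scsv),
        "intolerant_with_scsv": connect(intolerant_scsv),
    }


if __name__ == "__main__":
    for name, (outcome, detail, attempts) in run_scenarios().items():
        print(f"{name}: {outcome} {detail} after {len(attempts)} attempt(s)")
```

The last two scenarios are the guidance point for the I-D: a version-intolerant server without the SCSV check is reached on the second try at TLS 1.1, while the same server with the SCSV check rejects that retry as an inappropriate fallback, so the client never connects. The "legacy_scsv" case shows the check does not fire when the server's own maximum is what the client fell back to.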
What is the status of False Start? It was held back by Google over interop concerns. MSFT always tries it based on cipher suite (says MT); others do it conditional on NPN or ALPN and a modern cipher suite like DH. It's in wide use. Bodo will update the draft and ask the WG to adopt it.
dkg on named groups. No longer an extension; allocating points within the NamedCurve list, they are finite-field groups. This interacts with the cipher-suite list. Discussion about adding ordering semantics between the two lists. Change: clients that wish to express an ordering may order the curves/groups in their order of preference.
Discussion of the RC4 draft. Andrei via phone. Room strongly supports prohibiting RC4. Discussion about being able to address the concerns raised by a few. Chair will close discussion and move it forward. Sean to include text about "just upgrade to TLS 1.2", as we considered alternatives and rejected them, in his shepherd notes or equivalent. Mention that YouTube encodes video streams using RC4 only.
Return to DH named groups. dkg prefers not using the IKEv2 primes, so that a national-scale adversary's workload doubles. We'll ask CFRG "do you have a problem with these groups?" Decided that SRP's re-use of IKEv2 groups is not an issue. Discussion of sizes. Sean is going to straw-poll the list for 2048 or 2432, and will work with dkg to draft the message. Proposed sizes: 20xx, 3032, 4096, 8192. Discussion of having the server return the full key. dkg to come back to the mailing list. Discussion of how to do PSK with PFS; neat hack/thought: treat it like a resumption.
Compressed points. Certicom says there is no IPR coverage any more. Likely to drop uncompressed points (and their negotiation) from TLS 1.3; ekr to do a straw poll on the mailing list.
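For readers who have not looked at what the point-format negotiation actually covers, here is an added Python example (not from the minutes or any TLS implementation) of the two ECPoint encodings for P-256 and the square-root step a receiver performs to recover y from a compressed point. The curve constants are the standard secp256r1 domain parameters; the function names and the `is_valid_encoding` helper are constructed for this example.

```python
"""P-256 point encodings: uncompressed (0x04||X||Y) vs. compressed (0x02/0x03||X).

Standard secp256r1 domain parameters; helper names are this example's own.
"""

P = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime, P % 4 == 3
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
FIELD_BYTES = 32


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + ax + b over GF(P)."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def encode_uncompressed(x, y):
    """65-byte encoding: both coordinates, no arithmetic needed by the receiver."""
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def encode_compressed(x, y):
    """33-byte encoding: x plus one bit (the tag) giving the parity of y."""
    tag = b"\x03" if y & 1 else b"\x02"
    return tag + x.to_bytes(FIELD_BYTES, "big")


def decode_point(data):
    """Parse either encoding, rejecting malformed input and off-curve points."""
    if not data:
        raise ValueError("empty point")
    tag = data[0]
    if tag == 0x04:
        if len(data) != 1 + 2 * FIELD_BYTES:
            raise ValueError("bad uncompressed length")
        x = int.from_bytes(data[1:1 + FIELD_BYTES], "big")
        y = int.from_bytes(data[1 + FIELD_BYTES:], "big")
    elif tag in (0x02, 0x03):
        if len(data) != 1 + FIELD_BYTES:
            raise ValueError("bad compressed length")
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("x out of range")
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)        # modular sqrt, valid since P % 4 == 3
        if (y * y) % P != rhs:
            raise ValueError("x is not on the curve")   # rhs was a non-residue
        if (y & 1) != (tag & 1):
            y = (P - y) % P                   # pick the root with the signalled parity
    else:
        raise ValueError("unknown point format tag")
    if not on_curve(x, y):
        raise ValueError("point not on curve")
    return x, y


def is_valid_encoding(data):
    """Boolean wrapper around decode_point for callers that just want accept/reject."""
    try:
        decode_point(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    comp = encode_compressed(GX, GY)
    print(len(encode_uncompressed(GX, GY)), len(comp), decode_point(comp) == (GX, GY))
```

The on-curve check at the end matters for both formats: with uncompressed points a peer can send an arbitrary (x, y) pair, so a receiver must validate it rather than trust the encoding.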
Principal Security Engineer, Akamai Technologies
IM: rsalz <at> jabber.me Twitter: RichSalz