OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [pkcs11] Agenda Item: TLS mechanisms for ECDH-type cipher suites




On 09/11/14 10:46, Robert Relyea wrote:
On 09/10/2014 01:52 PM, Dina Kurktchi wrote:
Hi all,

I'd like to request an agenda item for the next meeting
to discuss adding some new mechanisms in support of other
cipher suites beyond simply 'original' and 'DH' types,
for example:
CKM_TLS_MASTER_KEY_DERIVE
CKM_TLS_MASTER_KEY_DERIVE_DH

We're seeing some confusion in consumers of our PKCS#11
implementation about which to use for ECDH type cipher
suites.

It looks like some have chosen the 'original' to derive
master keys because of the "fixed-length" phrase in
PKCS#11 description. Then others have chosen the 'DH'
type because ECDH is DH-ish, if you will. In those cases,
we have run afoul of a strip-leading-zeroes problem in
some implementations of DH.

The inclination is to create a new family of TLS mechanisms
specifically for ECDH, to avoid the guessing, such as:
CKM_TLS_MASTER_KEY_DERIVE_ECDH
No, We shouldn't do that. CKM_TLS_MASTER_KEY_DERIVE_DH was created
because of differing interpretations about what it means to derive a DH
key.

Unforunately the same issue was mirrored in ECDH implementations. A
CKM_TLS_MASTER_KEY_DERIVE_ECDH would be identical to
CKM_TLS_MASTER_KEY_DERIVE_DH. You can verify this by checking
interoperability against openssl or Microsoft.

In an ideal world there would only be one. We probably should be more
specific in the spec.


I see.  Thanks for the feedback.  What would be written in the spec?
2-3 sentence outline, not looking for any exact wording.

Thanks,
D.



I'd like solicit the group's thoughts on this. Please
feel free to reply and share your opinions. We can
discuss at next meeting possibly.

Thanks,
D.



---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]