On Thu, Jul 10, 2014 at 4:53 AM, Henri Sivonen <hsivo...@hsivonen.fi> wrote:
> On Tue, Jul 1, 2014 at 11:58 PM, Brian Smith <br...@briansmith.org> wrote:
> > I am interested in discussing what we can do to help more server side
> > products get better cipher suites by default, and on deciding whether we
> > add support for ChaCha20-Poly130[5].
>
> Out of curiosity, what's holding back a decision to implement
> ChaCha20-Poly1305?

As you probably know, Google Chrome already ships some ChaCha20-Poly1305 cipher suites. They have a patch that they apply on top of NSS to implement them. I recently asked a couple of our friends on the Chrome team about contributing that patch to NSS proper. Apparently, the implementation of those cipher suites diverges from the current or some expected future draft of the IETF specification. Consequently, it isn't clear that it is a good idea to drop that patch into NSS as-is. And, if we modify the patch to match the current/future IETF documents, then Firefox wouldn't be able to interoperate with *.google.com using ChaCha20-Poly1305. So, either we'd have to decide on having Firefox implement an already-obsolete variant of the cipher suites (temporarily, of course) or we'd have to find some partner sites (perhaps still *.google.com) that are willing to speak the new variants of the cipher suites, for it to be useful. This may require updated patches for OpenSSL in order for those servers to even be able to do that.

Also, Chromium has a patch on top of NSS that allows the browser to dynamically reorder the cipher suite list presented in the Client Hello message. Chromium uses this in order to put the ChaCha20-Poly1305 cipher suites ahead of the AES-GCM cipher suites on platforms that are lacking AES and/or GCM processor instructions. That is, usually ChaCha20-Poly1305 is ordered ahead of AES-GCM on ARM but AES-GCM is ahead of ChaCha20-Poly1305 on x86. We'd have to decide whether that would be appropriate for Firefox and if so we'd need to add that functionality to NSS.

So, what initially looked like a minor amount of effort turned into a more significant effort. If there is somebody interested in taking this on, I would be very happy to help them with it.

Cheers,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
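The hardware-dependent cipher suite reordering Brian describes, as an added example that is not code from the Chromium patch, NSS, or this thread. It assumes Linux-style `/proc/cpuinfo` text as the detection input, uses the x86 `aes`/`pclmulqdq` and ARMv8 `aes`/`pmull` flags as a stand-in for "has AES and GCM instructions" (the patch's actual criteria are not stated in the message), and works on a constructed suite list rather than a real Client Hello:

```python
"""Order a TLS cipher suite list by whether the CPU can do AES-GCM fast.

Added illustration of the idea in the thread: prefer ChaCha20-Poly1305 where
AES/GCM instructions are absent (typical 2014-era ARM), prefer AES-GCM where
they are present (typical x86 with AES-NI). The detection criteria below are
this example's assumptions, not Chromium's.
"""
import os

# Constructed sample list; names follow the IANA cipher suite registry.
DEFAULT_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed /proc/cpuinfo excerpts: an x86 core with AES-NI and PCLMULQDQ,
# and an ARMv8 core without the crypto extensions.
X86_CPUINFO_SAMPLE = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme sse sse2 ssse3 pclmulqdq sse4_1 sse4_2 aes avx\n"
)
ARM_CPUINFO_SAMPLE = (
    "processor\t: 0\n"
    "Features\t: fp asimd evtstrm crc32\n"
    "CPU implementer\t: 0x41\n"
)


def cpu_flags_from_cpuinfo(text):
    """Return the flag tokens from the first 'flags' (x86) or 'Features' (ARM) line."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("flags", "features"):
            return value.split()
    return []


def has_fast_aes_gcm(cpu_flags):
    """True if both the AES and the carry-less-multiply (GHASH) instructions are present.

    Assumption: x86 exposes them as 'aes' + 'pclmulqdq', ARMv8 as 'aes' + 'pmull'.
    """
    flags = set(cpu_flags)
    return {"aes", "pclmulqdq"} <= flags or {"aes", "pmull"} <= flags


def suite_family(name):
    """Classify a suite by its AEAD: 'chacha', 'aesgcm', or 'other'."""
    if "CHACHA20_POLY1305" in name:
        return "chacha"
    if "_GCM_" in name:
        return "aesgcm"
    return "other"


def order_cipher_suites(suites, fast_aes_gcm):
    """Stable reorder: move the preferred AEAD family to the front, keep the rest in place."""
    chacha = [s for s in suites if suite_family(s) == "chacha"]
    aesgcm = [s for s in suites if suite_family(s) == "aesgcm"]
    other = [s for s in suites if suite_family(s) == "other"]
    if fast_aes_gcm:
        return aesgcm + chacha + other
    return chacha + aesgcm + other


def client_hello_order(cpuinfo_text, suites=DEFAULT_SUITES):
    """Full pipeline: cpuinfo text -> ordered suite list for the Client Hello."""
    return order_cipher_suites(suites, has_fast_aes_gcm(cpu_flags_from_cpuinfo(cpuinfo_text)))


if __name__ == "__main__":
    # On Linux use the real cpuinfo; elsewhere fall back to the constructed x86 sample.
    text = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else X86_CPUINFO_SAMPLE
    for suite in client_hello_order(text):
        print(suite)
```

The partition is deliberately stable so that the ECDSA-before-RSA and 128-before-256 preferences within each family survive the swap; only the relative order of the two AEAD families changes, which is the narrow decision the thread says the Chromium patch makes.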