Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 03 September 2013 12:47 UTC
Message-ID: <5225DA5F.4000505@cs.tcd.ie>
Date: Tue, 03 Sep 2013 13:47:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Yakov Shafranovich <yakov-ietf@shaftek.org>
References: <mailman.904.1378168674.3384.perpass@ietf.org> <66BFDF4E-52DE-407B-8BF7-928F848CB149@funwithsoftware.org> <CAPQd5oT=2SFwkZOv5AvGg5FbmZaqMefTy1BKJhZ2dZC8DjjHDg@mail.gmail.com>
In-Reply-To: <CAPQd5oT=2SFwkZOv5AvGg5FbmZaqMefTy1BKJhZ2dZC8DjjHDg@mail.gmail.com>
Cc: perpass@ietf.org, Patrick Pelletier <code@funwithsoftware.org>
Hiya,

On the non-PFS topic:

On 09/03/2013 01:11 PM, Yakov Shafranovich wrote:
> The CA/browser forum has begun some steps in this direction by
> lowering validity of SSL server certificates to 18 months. Is there a
> place for a discussion on recommending a lower time period for key
> rotation with the ensuing implications for those who do not want/can
> not use PFS?

This list is a fine place for discussing that if you think that a
shorter RSA key rollover duty cycle would impact on pervasive
monitoring. I'm not clear as to how it would though. Have you some
scenario in mind?

There are however plenty of other good reasons for rotating RSA keys
more frequently. For the web, I guess the wpkops wg [1] would be a
good place to discuss that, but that list has been quiet recently.
And that doesn't cover other uses of TLS either, so discussing it
here is fine for now. If we start to approach some conclusion then
we can find the right venue then.

S.

[1] http://tools.ietf.org/wg/wpkops
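The scenario the thread is circling (what a passive recorder can decrypt after later obtaining a server's long-term RSA key, how a shorter key lifetime bounds that window, and why a PFS key exchange removes the dependency altogether) as an added, runnable example. This is not code from the original thread or from any IETF work; it uses toy stdlib-only stand-ins rather than real TLS (textbook 512-bit RSA, unsigned Diffie-Hellman over 2^127-1, an XOR keystream cipher), and the `Server` class, the epoch numbering and every function name are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Toy primitives, added for illustration only: not TLS and not safe for real use.

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=512):
    """Textbook RSA at toy size: returns ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)  # modular inverse needs Python 3.8+

DH_P, DH_G = 2**127 - 1, 3   # toy DH group (a Mersenne prime), not an RFC group

def i2b(x):
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def derive_key(secret, client_nonce, server_nonce):
    """Session key = HMAC(nonces, shared secret); stands in for the TLS PRF."""
    return hmac.new(client_nonce + server_nonce, i2b(secret), hashlib.sha256).digest()

def toy_cipher(key, data):
    """XOR with a SHA-256 keystream; symmetric, so it also decrypts. No integrity."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class Server:
    """One long-term RSA key per epoch; rotate() starts a new epoch (assumed model)."""
    def __init__(self):
        self.epoch, self.keys = 0, {}
        self.rotate()
    def rotate(self):
        self.epoch += 1
        self.keys[self.epoch] = rsa_keygen()

def rsa_session(server, plaintext):
    """RSA key transport: the premaster secret travels encrypted under the long-term key."""
    e, n = server.keys[server.epoch][0]
    cn, sn = os.urandom(32), os.urandom(32)
    pms = secrets.randbelow(n - 2) + 2
    key = derive_key(pms, cn, sn)
    # Everything a passive observer records for this session:
    return {"mode": "rsa", "epoch": server.epoch, "cn": cn, "sn": sn,
            "kex": pow(pms, e, n), "ct": toy_cipher(key, plaintext)}

def dhe_session(server, plaintext):
    """Ephemeral DH: the long-term key would only sign g^b; it encrypts nothing."""
    cn, sn = os.urandom(32), os.urandom(32)
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    key = derive_key(pow(gb, a, DH_P), cn, sn)   # g^ab; a and b are then discarded
    return {"mode": "dhe", "epoch": server.epoch, "cn": cn, "sn": sn,
            "kex": (ga, gb), "ct": toy_cipher(key, plaintext)}

def attacker_decrypt(record, leaked):
    """Passive adversary: recorded traffic plus long-term keys obtained later ({epoch: priv})."""
    if record["mode"] != "rsa":
        return None          # nothing in the record is encrypted to the long-term key
    priv = leaked.get(record["epoch"])
    if priv is None:
        return None          # that epoch's key was rotated out and never obtained
    d, n = priv
    pms = pow(record["kex"], d, n)
    return toy_cipher(derive_key(pms, record["cn"], record["sn"]), record["ct"])

def demo():
    server = Server()
    old_rsa = rsa_session(server, b"epoch-1 RSA session")
    dhe = dhe_session(server, b"epoch-1 DHE session")
    server.rotate()                             # key rollover: epoch 2 begins
    new_rsa = rsa_session(server, b"epoch-2 RSA session")
    leaked = {server.epoch: server.keys[server.epoch][1]}   # only the epoch-2 key leaks
    return {"old_rsa": attacker_decrypt(old_rsa, leaked),
            "dhe": attacker_decrypt(dhe, leaked),
            "new_rsa": attacker_decrypt(new_rsa, leaked)}
```

Running `demo()` gives `new_rsa` back in the clear while `old_rsa` and `dhe` stay `None`: with RSA key transport the exposure window is exactly the set of sessions made under the leaked key, so a shorter rollover cycle shrinks what a recorder can retroactively read, whereas with DHE the long-term key never protects the session secret, so its lifetime does not matter for recorded traffic.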