Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 03 September 2013 12:47 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8130B21E812D for <perpass@ietfa.amsl.com>; Tue, 3 Sep 2013 05:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9BY+dLOdR2V for <perpass@ietfa.amsl.com>; Tue, 3 Sep 2013 05:47:28 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id B521B21E8128 for <perpass@ietf.org>; Tue, 3 Sep 2013 05:47:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 78C2CBE5C; Tue, 3 Sep 2013 13:47:27 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBgU668f-NRJ; Tue, 3 Sep 2013 13:47:27 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 550F7BE58; Tue, 3 Sep 2013 13:47:27 +0100 (IST)
Message-ID: <5225DA5F.4000505@cs.tcd.ie>
Date: Tue, 03 Sep 2013 13:47:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: Yakov Shafranovich <yakov-ietf@shaftek.org>
References: <mailman.904.1378168674.3384.perpass@ietf.org> <66BFDF4E-52DE-407B-8BF7-928F848CB149@funwithsoftware.org> <CAPQd5oT=2SFwkZOv5AvGg5FbmZaqMefTy1BKJhZ2dZC8DjjHDg@mail.gmail.com>
In-Reply-To: <CAPQd5oT=2SFwkZOv5AvGg5FbmZaqMefTy1BKJhZ2dZC8DjjHDg@mail.gmail.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: perpass@ietf.org, Patrick Pelletier <code@funwithsoftware.org>
Subject: Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 12:47:33 -0000

Hiya,

On the non-PFS topic:

On 09/03/2013 01:11 PM, Yakov Shafranovich wrote:
> The CA/browser forum has begun some steps in this direction by
> lowering validity of SSL server certificates to 18 months. Is there a
> place for a discussion on recommending a lower time period for key
> rotation with the ensuing implications for those who do not want/cannot
> use PFS?

This list is a fine place for discussing that if you
think that a shorter RSA key rollover duty cycle would
impact on pervasive monitoring. I'm not clear as to
how it would though. Have you some scenario in mind?

There are however plenty of other good reasons for
rotating RSA keys more frequently. For the web, I guess
the wpkops wg [1] would be a good place to discuss
that, but that list has been quiet recently. And that
doesn't cover other uses of TLS either, so discussing
it here is fine for now. If we start to approach some
conclusion then we can find the right venue then.

S.

[1] http://tools.ietf.org/wg/wpkops
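A practical check behind the "key rollover duty cycle" question above: a certificate renewal is only a key rotation if the renewed certificate carries a new public key, and without PFS the old RSA key still decrypts every session it ever protected, so reissuing on the same key does nothing to shorten that exposure window. The Go program below is an added example written for this archive page, not code from the thread or from any IETF working group. It generates its own sample keys and self-signed certificates in-memory (constructed data, standing in for what a CA would issue), compares the SubjectPublicKeyInfo fingerprints of an old and a renewed certificate, and flags a lifetime longer than an assumed policy threshold. The 18-month threshold is taken from the figure quoted in the thread; MaxValidityMonths, AuditRenewal, the host name example.test and the rest of the names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// MaxValidityMonths is an assumed local policy threshold: the 18-month server
// certificate lifetime mentioned in the thread, not a value from the original mail.
const MaxValidityMonths = 18

// SPKIFingerprint hashes the certificate's SubjectPublicKeyInfo, which identifies
// the key pair independently of the certificate wrapped around it.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ValidityTooLong reports whether the certificate lifetime exceeds maxMonths.
func ValidityTooLong(cert *x509.Certificate, maxMonths int) bool {
	return cert.NotAfter.After(cert.NotBefore.AddDate(0, maxMonths, 0))
}

// KeyRotated reports whether the renewed certificate carries a different public
// key from its predecessor. Same SPKI means the key was reused, not rotated.
func KeyRotated(old, renewed *x509.Certificate) bool {
	return SPKIFingerprint(old) != SPKIFingerprint(renewed)
}

// AuditRenewal returns the findings a rotation check raises for one renewal.
func AuditRenewal(old, renewed *x509.Certificate, maxMonths int) []string {
	var findings []string
	if !KeyRotated(old, renewed) {
		findings = append(findings, "renewal reused the previous public key; no key rotation took place")
	}
	if ValidityTooLong(renewed, maxMonths) {
		findings = append(findings, fmt.Sprintf("validity exceeds %d months", maxMonths))
	}
	return findings
}

// selfSigned builds a constructed sample certificate for the given key and
// lifetime; only the key and the NotBefore/NotAfter window matter to the audit.
func selfSigned(key *rsa.PrivateKey, notBefore time.Time, months int) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical host name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoFindings audits two constructed renewals of the same 18-month certificate:
// one re-issued on the same RSA key, one issued on a freshly generated key.
func DemoFindings() (reused, rotated []string, err error) {
	start := time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
	renewal := start.AddDate(0, 18, 0)

	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	oldCert, err := selfSigned(oldKey, start, MaxValidityMonths)
	if err != nil {
		return nil, nil, err
	}
	// Renewal A: new certificate, same key pair (what many renewal scripts do by default).
	sameKeyCert, err := selfSigned(oldKey, renewal, MaxValidityMonths)
	if err != nil {
		return nil, nil, err
	}
	// Renewal B: new certificate on a new key pair, shorter lifetime.
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	newKeyCert, err := selfSigned(newKey, renewal, 12)
	if err != nil {
		return nil, nil, err
	}
	return AuditRenewal(oldCert, sameKeyCert, MaxValidityMonths),
		AuditRenewal(oldCert, newKeyCert, MaxValidityMonths), nil
}

func main() {
	reused, rotated, err := DemoFindings()
	if err != nil {
		panic(err)
	}
	fmt.Println("same-key renewal:", reused)
	fmt.Println("new-key renewal: ", rotated)
}
```

Run against real certificate history, the same comparison of SPKI fingerprints across successive issuances tells you how often the key actually changed, which is the quantity the rollover question is about; the certificate validity period alone does not.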