Re: [saag] Algorithm agility

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 02 May 2014 20:05 UTC

Message-ID: <5363FA94.9050608@fifthhorseman.net>
Date: Fri, 02 May 2014 16:05:40 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: saag@ietf.org
References: <53603BDD.2080109@iang.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130742BFB0@USMBX1.msg.corp.akamai.com> <6.2.5.6.2.20140502000517.0bbd7058@resistor.net> <2A0EFB9C05D0164E98F19BB0AF3708C7130742C118@USMBX1.msg.corp.akamai.com> <6.2.5.6.2.20140502073618.0b2fafe8@elandnews.com> <20140502173830.GJ27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130742C370@USMBX1.msg.corp.akamai.com> <201405021944.PAA28445@Chip.Rodents-Montreal.ORG>
In-Reply-To: <201405021944.PAA28445@Chip.Rodents-Montreal.ORG>
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/WH7_3p292aJRP_jo-sENXxyMuZo
Subject: Re: [saag] Algorithm agility

On 05/02/2014 03:44 PM, Mouse wrote:
>>> GnuTLS tackles this problem by giving names to collections of ciphersuites $
>> I encourage the user of cipher profiles, but name them after features, which$
>> That is, pfs-ciphers, not 'strong-ciphers.'
> 
> "pfs-ciphers" doesn't really do what you want, because there may
> someday be many ways to get PFS, even if today there's only one.

Technically, there are two: traditional discrete-log DHE and ECDHE.
But if we're nit-picking on the terminology, it's not the cipher that
determines PFS at all, but rather the key exchange part of the
negotiated cryptographic suite.  (PFS suites use the same ciphers as
non-PFS suites.)

Recent versions of GnuTLS have a priority string "PFS" that selects only
suites that have forward-secret key exchange mechanisms.

	--dkg
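The point above, that forward secrecy is decided by the key-exchange component of a suite and not by the cipher, can be made concrete by taking suite names apart. The script below is an added example, not code from this mail or from GnuTLS: it parses IANA-style ciphersuite names into key exchange, authentication, cipher and MAC, flags the forward-secret ones, and shows the same bulk cipher appearing under ephemeral and non-ephemeral key exchanges. The suite list is constructed for illustration, and `select_pfs` mimics the spirit of a "PFS" priority keyword rather than reproducing GnuTLS's actual selection logic.

```python
"""Classify TLS ciphersuite names by key exchange to see which are
forward secret.  Added example; the suite list is constructed, not taken
from any real configuration, and select_pfs() is an illustration of a
PFS-style filter, not GnuTLS's own priority-string code."""

from collections import defaultdict

# Key-exchange tokens that use ephemeral Diffie-Hellman, finite-field or
# elliptic-curve.  Static (EC)DH and RSA key transport are not forward secret.
EPHEMERAL_KX = {"DHE", "ECDHE", "DH_anon", "ECDH_anon"}
# Anonymous DH is forward secret against a passive attacker but unauthenticated.
ANON_KX = {"DH_anon", "ECDH_anon"}

# Constructed sample, names in the IANA TLS registry format.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",  # TLS 1.3 name: no key exchange in the name
]


def parse_suite(name):
    """Split a suite name into its kx, auth, cipher and mac components.

    TLS 1.2 names look like TLS_<kx>_<auth>_WITH_<cipher>_<mac>; plain
    "RSA" or "PSK" on the left means key transport/PSK with the same
    mechanism for authentication.  TLS 1.3 names (no _WITH_) carry only
    the AEAD cipher and the HKDF hash.
    """
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS suite name: %r" % name)
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        cipher, mac = body.rsplit("_", 1)
        return {"kx": "TLS1.3", "auth": "TLS1.3", "cipher": cipher, "mac": mac}
    left, right = body.split("_WITH_", 1)
    if left.endswith("_anon"):
        kx, auth = left, "NULL"
    elif "_" in left:
        kx, auth = left.split("_", 1)
    else:
        kx = auth = left
    cipher, mac = right.rsplit("_", 1)
    return {"kx": kx, "auth": auth, "cipher": cipher, "mac": mac}


def is_forward_secret(name):
    """Forward secrecy is a property of the key exchange, not the cipher."""
    kx = parse_suite(name)["kx"]
    if kx == "TLS1.3":
        # Every TLS 1.3 full handshake runs (EC)DHE; the exception is
        # PSK-only resumption, which a suite name cannot express.
        return True
    return kx in EPHEMERAL_KX


def select_pfs(suites):
    """Keep forward-secret, authenticated suites (illustrative PFS filter)."""
    return [s for s in suites
            if is_forward_secret(s) and parse_suite(s)["kx"] not in ANON_KX]


def kx_by_cipher(suites):
    """Map each bulk cipher to the key exchanges it is offered with; the
    same cipher shows up in both PFS and non-PFS suites."""
    table = defaultdict(set)
    for s in suites:
        p = parse_suite(s)
        table[p["cipher"]].add(p["kx"])
    return dict(table)


if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        p = parse_suite(s)
        print("%-46s kx=%-9s cipher=%-18s PFS=%s"
              % (s, p["kx"], p["cipher"], is_forward_secret(s)))
    print("PFS selection:", select_pfs(SAMPLE_SUITES))
    print("AES_128_GCM offered with:", sorted(kx_by_cipher(SAMPLE_SUITES)["AES_128_GCM"]))
```

Running it shows AES_128_GCM offered under RSA, DHE and ECDHE alike, with only the latter two counted as forward secret, which is why a profile named after the key exchange property (like GnuTLS's "PFS") is more meaningful than one named after the ciphers.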