Re: [TLS] Question on draft-ietf-tls-deprecate-obsolete-kex-01.txt
Nimrod Aviram <nimrod.aviram@gmail.com> Sat, 04 March 2023 11:12 UTC
Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5309AC14CEFC for <tls@ietfa.amsl.com>; Sat, 4 Mar 2023 03:12:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GXGTIKyxeQVI for <tls@ietfa.amsl.com>; Sat, 4 Mar 2023 03:12:53 -0800 (PST)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B164C14CEE3 for <tls@ietf.org>; Sat, 4 Mar 2023 03:12:53 -0800 (PST)
Received: by mail-ed1-x536.google.com with SMTP id u9so20127487edd.2 for <tls@ietf.org>; Sat, 04 Mar 2023 03:12:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1677928372; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LkFnSis9Y95E7XRbf89TJNrRq+VSwU91quCqN0Odb+Q=; b=edlyCqhxQY4W42i0B7oQ8eRyLtQsab9gYWwOvtugqHLVsxGTjA8DZfugU7b0VA0zPG y6s32wOF08p7u6jVFT/wJfbIU1ry+cBrXN5bvheUtC9G1BAxX6svwFoxIAOfqT9xx0FJ RufVCOTfWHVhqavmfmyy+aAhjOe/qGwy7X/wg2yr2kZddUkcoI97VKuuGbHpp2EeTVZZ RpcYc1BFHcYC94bd37S6EdmwBbLCmu9otLqQ1gm0iECh1fXz+xzXVmMOBdO0a1Q+9Hb5 5jhRMS5H3HLtub3iLnbOZHSKVrEU9dd20A43wgmXsYMnQRb4/54A1Kx5z9OKMPSg+5mm 7IRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677928372; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LkFnSis9Y95E7XRbf89TJNrRq+VSwU91quCqN0Odb+Q=; b=lKVoai14BOMiQbAZGc0/EiJu+XA7HDFUNaaJXWWn5ZXm6jJUeKkc+JTZQguTTatiVt LyCMl7WDM+Ct19X8xJA6zdHnl2KFjqglL7BJABzRUo/dEW0VOuNKHsLP5TQpOwJU/lWQ Wro0V47irioSIVio59Lyk44JQz8bUGiB462rf5cZ1M98bErs52V/zSZtwUKQnsJUyYgc zbsaJTL2VnebNueRz9f75Hpfg2Ze2bHDhH2w1yPS4EPRt8UNiLEVF0fvlQgE4dtZv6Oo MjLr+8/vvfQhEhkoxrfGGSE4kW2+VsYaXXuCMWl8oJhdnZbDw8j3mWInIFTxT3NTDWvr TDng==
X-Gm-Message-State: AO0yUKVlnUphLPP/gVPd0mYS6iyv0TApCj1vJg+uYmDQy0uRgRquKcMC j/FOx8GKiruqQadxzmz8GW5Jdno63Jxtq7O8lzZU4aLKpq8=
X-Google-Smtp-Source: AK7set+ucDMbl1IlxisqZn3VDeZXKps1tdhJuWSQpLSYwsMXpd3dhdkvsYo7C6BxNSS/GbL2EFV52re/8Hpgp5X2yrk=
X-Received: by 2002:a50:d5d6:0:b0:4af:70a5:5609 with SMTP id g22-20020a50d5d6000000b004af70a55609mr2442674edj.1.1677928371953; Sat, 04 Mar 2023 03:12:51 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBPXNFnyueVjZz1Pp7zb592iJ=+=RzwJr4fs92Yf1mO0Qg@mail.gmail.com> <CABiKAoS3PN-gQ-Qd-rG7d8AJfkovqUrXhraxsnvtGBkO0bp9NA@mail.gmail.com> <CABcZeBOVxL=YnDzUO6KDrzgejpExoUNXdJv+v24bsE6hr2FJJQ@mail.gmail.com>
In-Reply-To: <CABcZeBOVxL=YnDzUO6KDrzgejpExoUNXdJv+v24bsE6hr2FJJQ@mail.gmail.com>
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Sat, 04 Mar 2023 13:12:40 +0200
Message-ID: <CABiKAoRzTf7+_Q0U0WUzUuNx8_EcR7FTZ88R+MpMsGxEDL2aYQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000091a3ab05f61124dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-C53-JbvqaLf5bJfKNRveBN3ECU>
Subject: Re: [TLS] Question on draft-ietf-tls-deprecate-obsolete-kex-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Mar 2023 11:12:54 -0000
Ah, I understand your question now :-) Sure, the document seems inconsistent/unclear about this at the moment. Once we settle on a decision regarding FFDHE I'll fix this. best, Nimrod On Fri, 3 Mar 2023 at 19:35, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Fri, Mar 3, 2023 at 9:21 AM Nimrod Aviram <nimrod.aviram@gmail.com> > wrote: > >> Hi Eric and Everyone, draft coauthor here. >> >> Appendix C lists "DHE Cipher Suites Refered to by This Document", not >> ones which are deprecated. >> > The intention of the current text is to permit fully ephemeral DHE over a >> finite field (FFDHE) with sufficient group size. >> > > That's what I got from the title of Appendix CA, but then what does this > text > mean: > > "All the cipher suites that do not meet the above requirements are > listed in the table in Appendix C." > > Because, as you say, some of the suites in C meet this requirement. > > > >> >> However, we also have an unresolved consensus call regarding whether/to >> what extent to permit FFDHE when this document (hopefully) becomes an >> official RFC: >> https://mailarchive.ietf.org/arch/msg/tls/iZGV0kKHfbV5MrO-owB8mFwfffw/ >> so at any rate, the current text around FFDHE is mostly a placeholder. >> I do hope to present at the upcoming WG meeting and resolve this issue, >> which should be the last one (famous last words, I know). >> >> Happy to answer further questions, or generally get a discussion going on >> here before the meeting. >> > > OK, so we don't need to spend too much time on this, but I'd still like to > understand > the intent :) > > -Ekr > > >> >> best, >> Nimrod >> >> >> >> >> On Thu, 2 Mar 2023 at 23:19, Eric Rescorla <ekr@rtfm.com> wrote: >> >>> Hi folks, >>> >>> I was just reading draft-ietf-tls-deprecate-obsolete-kex-01.txt >>> and the combination of Section 3 and Appendix C is confusing >>> to me. >>> >>> Specifically, the text says: >>> >>> Clients and servers MAY offer fully ephemeral FFDHE cipher suites in >>> TLS 1.2 connections under the following conditions: >>> >>> 1. Clients and servers MUST NOT reuse ephemeral DHE public keys >>> across TLS connections for all existing (and future) TLS >>> versions. Doing so invalidates forward secrecy properties of >>> these connections. For DHE, such reuse may also lead to >>> vulnerabilities such as those used in the [Raccoon] attack. See >>> Section 6 for related discussion. >>> >>> 2. The group size is at least 2048 bits. >>> >>> ... >>> >>> All the cipher suites that do not meet the above requirements are >>> listed in the table in Appendix C. >>> >>> >>> And then Appendix C lists, for instance: >>> >>> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 >>> >>> Which as I understand it, can be used with the above requirements >>> as long as you use a suitable group, so this makes me think maybe >>> I don't understand the text. What cipher suites is this intended >>> to permit in TLS 1.2? >>> >>> -Ekr >>> >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>
- [TLS] Question on draft-ietf-tls-deprecate-obsole… Eric Rescorla
- Re: [TLS] Question on draft-ietf-tls-deprecate-ob… Nimrod Aviram
- Re: [TLS] Question on draft-ietf-tls-deprecate-ob… Eric Rescorla
- Re: [TLS] Question on draft-ietf-tls-deprecate-ob… Nimrod Aviram