Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document

Martin Thomson <mt@lowentropy.net> Tue, 16 April 2024 01:55 UTC

Message-Id: <20895cae-8f86-428d-a09c-995e90fa2ec6@betaapp.fastmail.com>
In-Reply-To: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
References: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
Date: Tue, 16 Apr 2024 11:54:53 +1000
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-JVUyLhwCMcgTfsZ6J3urSdwlN8>

On Tue, Apr 16, 2024, at 04:14, Joseph Salowey wrote:
> Should the draft deprecate these ClientCertificateTypes and mark the 
> entries (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh) 
> as 'D' discouraged?

Yes.