[TLS] Re: AD review of draft-ietf-tls-hybrid-design-12

Eric Rescorla <ekr@rtfm.com> Wed, 28 May 2025 00:30 UTC

To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
CC: "<tls@ietf.org>" <tls@ietf.org>, dstebila@uwaterloo.ca, shay.gueron@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-weK9BAYbwoJS5KAXaIkzGXjlrQ>

On Tue, May 27, 2025 at 3:27 PM Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> wrote:
>    Can we note that Finite-field DH is, however, being deprecated in
>    draft-ietf-tls-deprecate-obsolete-kex. Or perhaps just not even mention
>    finite-field groups anymore?

The terminology is a bit confusing here, because sometimes people use
"FFDH" to mean static and ephemeral and sometimes they say "FFDH" for
static and "FFDHE" for ephemeral. In any case,
draft-ietf-tls-deprecate-obsolete-kex does not deprecate FFDHE for
TLS 1.3:

   3.  Ephemeral Finite Field Diffie Hellman

      Clients MUST NOT offer and servers MUST NOT select FFDHE cipher
      suites in TLS 1.2 connections.  This includes all cipher suites
      listed in the table in Appendix C.  (Note that TLS 1.0 and 1.1 are
      deprecated by [RFC8996].)  FFDHE cipher suites in TLS 1.3 do not
      suffer from the problems presented in Section 1; see
      [I-D.ietf-tls-rfc8446bis].  Therefore, clients and servers MAY offer
      FFDHE cipher suites in TLS 1.3 connections.

This draft is registering FFDHE groups:

             ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
             ffdhe6144(0x0103), ffdhe8192(0x0104),

I haven't really formed an opinion one way or the other about whether
we should specify ML-KEM/FFDHE cipher suites, but I don't think that
this draft is inconsistent with other WG decisions.

-Ekr
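As an added illustration of the distinction drawn above, the following Python applies the quoted Section 3 rule to the relevant ClientHello fields: DHE cipher suites are flagged when TLS 1.2 is among the offered versions, while the RFC 7919 FFDHE named groups listed in the message (0x0100 through 0x0104) are reported as permitted when TLS 1.3 is offered. This is example code written for this archive page, not code from either draft or from any TLS implementation; the DHE cipher-suite subset is a hand-picked selection from the IANA registry (the deprecation draft's Appendix C has the full list), and the sample byte strings are constructed, not captured traffic.

```python
"""Policy check for the rule quoted from draft-ietf-tls-deprecate-obsolete-kex,
Section 3: FFDHE cipher suites MUST NOT be offered in TLS 1.2 connections,
but FFDHE (the RFC 7919 named groups) MAY be offered in TLS 1.3.
Constructed example; not code from either draft or from any TLS stack."""
import struct
from typing import Optional

# RFC 7919 named-group codepoints, exactly as listed in the message.
FFDHE_GROUPS = {
    0x0100: "ffdhe2048", 0x0101: "ffdhe3072", 0x0102: "ffdhe4096",
    0x0103: "ffdhe6144", 0x0104: "ffdhe8192",
}

# Assumption: a small subset of the TLS 1.2 DHE cipher suites (IANA
# codepoints) is enough to illustrate the check; the draft's Appendix C
# carries the complete list.
TLS12_DHE_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

TLS12, TLS13 = 0x0303, 0x0304


def parse_u16_vector(data: bytes, len_bytes: int) -> list:
    """Parse a TLS vector of uint16 items with a 1- or 2-byte length prefix.
    Truncated or odd-length bodies are rejected: a malformed extension must
    not silently pass a policy check."""
    if len(data) < len_bytes:
        raise ValueError("truncated length prefix")
    length = int.from_bytes(data[:len_bytes], "big")
    body = data[len_bytes:len_bytes + length]
    if len(body) != length or length % 2:
        raise ValueError("bad vector length")
    return list(struct.unpack("!%dH" % (length // 2), body))


def check_client_hello(cipher_suites: bytes, supported_groups: bytes,
                       supported_versions: Optional[bytes],
                       legacy_version: int = TLS12) -> dict:
    """Apply the Section 3 rule to a ClientHello.

    cipher_suites      -- the cipher_suites field (2-byte length prefix)
    supported_groups   -- body of the supported_groups extension
    supported_versions -- body of the supported_versions extension (1-byte
                          length prefix), or None for a pre-1.3 client, in
                          which case legacy_version is the only version offered
    """
    suites = parse_u16_vector(cipher_suites, 2)
    groups = parse_u16_vector(supported_groups, 2)
    versions = (parse_u16_vector(supported_versions, 1)
                if supported_versions is not None else [legacy_version])

    offers_tls12 = TLS12 in versions
    dhe_suites = [TLS12_DHE_SUITES[s] for s in suites if s in TLS12_DHE_SUITES]
    ffdhe_groups = [FFDHE_GROUPS[g] for g in groups if g in FFDHE_GROUPS]

    violations = []
    if offers_tls12 and dhe_suites:
        # "Clients MUST NOT offer ... FFDHE cipher suites in TLS 1.2 connections."
        violations.append("TLS 1.2 offered together with DHE suites: "
                          + ", ".join(dhe_suites))
    # In TLS 1.3 FFDHE is selected through supported_groups, and the draft
    # says clients and servers MAY offer it there, so it is reported, not flagged.
    return {
        "violations": violations,
        "tls13_ffdhe_groups": ffdhe_groups if TLS13 in versions else [],
    }


# Constructed sample field values (not captured traffic).
# Client A offers TLS 1.3 and 1.2 with DHE suites and FFDHE groups: violates.
MIXED_CLIENT = dict(
    cipher_suites=b"\x00\x06\x13\x01\x00\x9e\x00\x9f",
    supported_groups=b"\x00\x06\x00\x1d\x01\x00\x01\x01",  # x25519, ffdhe2048, ffdhe3072
    supported_versions=b"\x04\x03\x04\x03\x03",            # 1.3, 1.2
)
# Client B is TLS 1.3 only with ffdhe2048 next to x25519: permitted.
TLS13_ONLY_CLIENT = dict(
    cipher_suites=b"\x00\x04\x13\x01\x13\x02",
    supported_groups=b"\x00\x04\x00\x1d\x01\x00",
    supported_versions=b"\x02\x03\x04",
)

if __name__ == "__main__":
    for name, fields in (("mixed", MIXED_CLIENT), ("tls13-only", TLS13_ONLY_CLIENT)):
        print(name, check_client_hello(**fields))
```

A client that sends no supported_versions extension is treated as offering only its legacy_version, so a TLS 1.2 client with a DHE suite is flagged the same way as a mixed client.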