IETF Logo Mail Archive

Re: [TLS] Deprecating more (DSA?)

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Wed, 16 April 2014 23:34 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 769E31A0420 for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 16:34:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.573
X-Spam-Level:
X-Spam-Status: No, score=-13.573 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_24=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSxpJG2Dj7Iv for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 16:33:58 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 11E5B1A0422 for <tls@ietf.org>; Wed, 16 Apr 2014 16:33:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6037; q=dns/txt; s=iport; t=1397691235; x=1398900835; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=sG7E28IMgw/rQCM1KQi/MmVY+jhQHaaCXA4UhItWNJc=; b=X4+Hsz4f46D2cOGf5ZaWbktwWo/R2HqU17OIAjcWuYBpOj8+lPYb57ze 3WAjBfVz2eaq5gRUy6YOZ12tuPaMJACweDmdkuh62t1DVM6+vEZZJAQ69 evFguML0y6qjmwNvTzFdSq9cG0Wqx+AKT6rxDT6s9CHmhkBK1yoMe3Iod g=;
X-Files: signature.asc : 495
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhAFAEcST1OtJV2Y/2dsb2JhbABZgwY7V7t/hziBIRZ0giUBAQEDAQEBARpRCwULAgEIDgouJwslAgQOBQ6HZggNyXwTBIk9hSUHgySBFASQZ4E2hkmSSYMxgiuBAQEBBA
X-IronPort-AV: E=Sophos; i="4.97,875,1389744000"; d="asc'?scan'208"; a="318126293"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-1.cisco.com with ESMTP; 16 Apr 2014 23:33:54 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s3GNXs4w027687 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 16 Apr 2014 23:33:54 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.100]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.03.0123.003; Wed, 16 Apr 2014 18:33:54 -0500
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Alyssa Rowan <akr@akr.io>
Thread-Topic: [TLS] Deprecating more (DSA?)
Thread-Index: AQHPWcRK8V34rxwfJE2oz5iBRqYbFJsVOOgA
Date: Wed, 16 Apr 2014 23:33:52 +0000
Message-ID: <C26BBD5C-C990-43B3-9466-9224897D2AD6@cisco.com>
References: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com> <20140415153435.7f82b3a0@hboeck.de> <534F05DD.5010906@akr.io>
In-Reply-To: <534F05DD.5010906@akr.io>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.33.248.220]
Content-Type: multipart/signed; boundary="Apple-Mail=_5A7F7FCD-179F-4BD5-B1E4-F2E472F32861"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0DRR4_v7k48UqGVlbiyZo0JyYYI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating more (DSA?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 23:34:00 -0000

I'm not to crazy about deprecating DSA in the same fashion as RC4.  I'd be fine with leaving DSA/DSS out of TLS 1.3 if there is support for that.  I like the list below, some comments inline:

On Apr 16, 2014, at 3:36 PM, Alyssa Rowan <akr@akr.io> wrote:

> Signed PGP part
> It looks like RC4 is rapidly heading for the chopping block, with
> basically unanimous consensus. Good.
> 
> In the meantime...
> 
> On 15/04/2014 14:34, Hanno Böck wrote:
> 
> > What other algorithms exist in the TLS spec that should see
> > deprecation? […] E.g. what about deprecating DSA?
> 
> I actually favour, for reasons of complexity and weakness, potentially
> deprecating pretty much everything that falls in the following lists,
> if of course it isn't already deprecated, subject to discussion:
> 
> • Anything with NULL anything
>   - An accident waiting to happen (on purpose).
> 

[Joe] Many cipher suites with NULL encryption have been added in the recent past.   I think we'll need to have more discussion on that.  I don't not currently have data on how widely they are used. 

> • Anything EXPORT
>   - Bad old days. Kill them with fire. TLSv1.1 deprecated them but
>     didn't forbid them in TLSv1.0; if they're not already a MUST NOT
>     somewhere, I think they should be.
> 

[Joe] yup.  

> • DES is already deprecated. [RFC5469]
>   - What about 3DES now?
> 

[Joe] not sure about this one.  I think the argument in keeping 3DES around is as a fallback to AES.  Not sure I buy into this, especially if we have a better alternative, perhaps CHaCha.  

> • IDEA's already deprecated. [RFC5469]
>   - Little traction in the wild, due to the (now-expired) patents.
> 
> • Anything using MD5
>   - Collided. Kill it off. I'd feel highly uncomfortable keeping this
>     around.
> 
> • Anything using DSS/DSA certs
>   - The Nonce Problem. RFC 6979 fixes this, but...
>   - A live DSA certificate, now, in 2014, that isn't ECDSA? Really? ¬_¬
> 

[Joe] yes to the above.  Perhaps there still is DSS in use, but I really would expect that to move to ECDSA.  

> • ECDSA without RFC6979?
>   - Because of The Nonce Problem.
>   - Remember to avoid timing attacks in RFC6979.
>   - I don't know where that stands regarding FIPS-compliance, for those
>     that need it: but as far as I'm concerned, if FIPS is incompatible
>     with RFC6979, FIPS needs fixing because it's encouraging extremely
>     fragile implementations.
>   - ECDSA makes me uneasy now. It shares DSA's characteristics of being
>     fragile as hell. I can't help but worry it was intentionally
>     designed that way.
>   - We will need a new scheme soon; EdDSA or a very similar
>     Schnorr-style derivative? I'd like EdDSA swapping SHA-256 for
>     SHA-3, perhaps? A discussion for the future (and/or CFRG, etc).
> 

[Joe] I think I'd like to bring ECDH and ECDSA into the core spec in 1.3.  We could make some of these changes as part of that.  

> • Anything using SHA-1?
>   - Already deprecated by NIST, and by CAs and vendors in certificates
>     due to ~2^61 being expensive but practical.
>   - An attack is harder in a MAC scenario - but it's only a matter of
>     time; it's downhill all the way from here.
>   - Thoughts?
>   - Forbid negotiation in TLSv1.3, maybe, but allow in TLSv1.2 and down?
> 

[Joe] yup

> • DH_anon?
>   - Subject to thoughts about possible opportunistic encryption,
>     although this definitely isn't the way you _want_ to do that.
> 

[Joe]  Why not? 


> • Do we really want to keep DH|ECDH as opposed to DHE|ECDHE? Why?
> 

[Joe] Not sure.  

> • RSA without forward security
>   - Seems like we're heading broadly in the direction of requiring
>     forward-security, which means deprecating plain old RSA in TLSv1.3
>     negotiations? Thoughts?
> 

[Joe] I didn't see much objection to removing plain old RSA in the call for consensus. 

> • DHE
>   - Given the complexities noted surrounding DHE parameters and lack of
>     ability to negotiate them, would we be better off dropping
>     conventional DHE for TLSv1.3?
>   - Favour ECDHE over secp256r1 and/or Curve25519 (where the latter
>     is not forbidden by FIPS-compliance, with 25519 being preference)
>     as baseline instead?
> 

[Joe]  So, at this point I'd rather see 1.3 have a way to negotiate parameters than deprecate DHE entirely.  I'm not sure that I have a really good reason to keep DHE around other than I'm more comfortable with it.  

> I do realise that's a strongly aggressive proposed unused-feature or
> not-best-practice cull, largely for reasons of complexity reduction.
> Perhaps others will be able to moderate my opinions. :-)
> 
> --
> /akr
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email