Re: [TLS] Deprecating more (DSA?)
"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Wed, 16 April 2014 23:34 UTC
Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 769E31A0420 for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 16:34:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.573
X-Spam-Level:
X-Spam-Status: No, score=-13.573 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_24=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSxpJG2Dj7Iv for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 16:33:58 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 11E5B1A0422 for <tls@ietf.org>; Wed, 16 Apr 2014 16:33:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6037; q=dns/txt; s=iport; t=1397691235; x=1398900835; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=sG7E28IMgw/rQCM1KQi/MmVY+jhQHaaCXA4UhItWNJc=; b=X4+Hsz4f46D2cOGf5ZaWbktwWo/R2HqU17OIAjcWuYBpOj8+lPYb57ze 3WAjBfVz2eaq5gRUy6YOZ12tuPaMJACweDmdkuh62t1DVM6+vEZZJAQ69 evFguML0y6qjmwNvTzFdSq9cG0Wqx+AKT6rxDT6s9CHmhkBK1yoMe3Iod g=;
X-Files: signature.asc : 495
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhAFAEcST1OtJV2Y/2dsb2JhbABZgwY7V7t/hziBIRZ0giUBAQEDAQEBARpRCwULAgEIDgouJwslAgQOBQ6HZggNyXwTBIk9hSUHgySBFASQZ4E2hkmSSYMxgiuBAQEBBA
X-IronPort-AV: E=Sophos; i="4.97,875,1389744000"; d="asc'?scan'208"; a="318126293"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-1.cisco.com with ESMTP; 16 Apr 2014 23:33:54 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s3GNXs4w027687 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 16 Apr 2014 23:33:54 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.100]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.03.0123.003; Wed, 16 Apr 2014 18:33:54 -0500
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Alyssa Rowan <akr@akr.io>
Thread-Topic: [TLS] Deprecating more (DSA?)
Thread-Index: AQHPWcRK8V34rxwfJE2oz5iBRqYbFJsVOOgA
Date: Wed, 16 Apr 2014 23:33:52 +0000
Message-ID: <C26BBD5C-C990-43B3-9466-9224897D2AD6@cisco.com>
References: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com> <20140415153435.7f82b3a0@hboeck.de> <534F05DD.5010906@akr.io>
In-Reply-To: <534F05DD.5010906@akr.io>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.33.248.220]
Content-Type: multipart/signed; boundary="Apple-Mail=_5A7F7FCD-179F-4BD5-B1E4-F2E472F32861"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0DRR4_v7k48UqGVlbiyZo0JyYYI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating more (DSA?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 23:34:00 -0000
I'm not to crazy about deprecating DSA in the same fashion as RC4. I'd be fine with leaving DSA/DSS out of TLS 1.3 if there is support for that. I like the list below, some comments inline: On Apr 16, 2014, at 3:36 PM, Alyssa Rowan <akr@akr.io> wrote: > Signed PGP part > It looks like RC4 is rapidly heading for the chopping block, with > basically unanimous consensus. Good. > > In the meantime... > > On 15/04/2014 14:34, Hanno Böck wrote: > > > What other algorithms exist in the TLS spec that should see > > deprecation? […] E.g. what about deprecating DSA? > > I actually favour, for reasons of complexity and weakness, potentially > deprecating pretty much everything that falls in the following lists, > if of course it isn't already deprecated, subject to discussion: > > • Anything with NULL anything > - An accident waiting to happen (on purpose). > [Joe] Many cipher suites with NULL encryption have been added in the recent past. I think we'll need to have more discussion on that. I don't not currently have data on how widely they are used. > • Anything EXPORT > - Bad old days. Kill them with fire. TLSv1.1 deprecated them but > didn't forbid them in TLSv1.0; if they're not already a MUST NOT > somewhere, I think they should be. > [Joe] yup. > • DES is already deprecated. [RFC5469] > - What about 3DES now? > [Joe] not sure about this one. I think the argument in keeping 3DES around is as a fallback to AES. Not sure I buy into this, especially if we have a better alternative, perhaps CHaCha. > • IDEA's already deprecated. [RFC5469] > - Little traction in the wild, due to the (now-expired) patents. > > • Anything using MD5 > - Collided. Kill it off. I'd feel highly uncomfortable keeping this > around. > > • Anything using DSS/DSA certs > - The Nonce Problem. RFC 6979 fixes this, but... > - A live DSA certificate, now, in 2014, that isn't ECDSA? Really? ¬_¬ > [Joe] yes to the above. Perhaps there still is DSS in use, but I really would expect that to move to ECDSA. > • ECDSA without RFC6979? > - Because of The Nonce Problem. > - Remember to avoid timing attacks in RFC6979. > - I don't know where that stands regarding FIPS-compliance, for those > that need it: but as far as I'm concerned, if FIPS is incompatible > with RFC6979, FIPS needs fixing because it's encouraging extremely > fragile implementations. > - ECDSA makes me uneasy now. It shares DSA's characteristics of being > fragile as hell. I can't help but worry it was intentionally > designed that way. > - We will need a new scheme soon; EdDSA or a very similar > Schnorr-style derivative? I'd like EdDSA swapping SHA-256 for > SHA-3, perhaps? A discussion for the future (and/or CFRG, etc). > [Joe] I think I'd like to bring ECDH and ECDSA into the core spec in 1.3. We could make some of these changes as part of that. > • Anything using SHA-1? > - Already deprecated by NIST, and by CAs and vendors in certificates > due to ~2^61 being expensive but practical. > - An attack is harder in a MAC scenario - but it's only a matter of > time; it's downhill all the way from here. > - Thoughts? > - Forbid negotiation in TLSv1.3, maybe, but allow in TLSv1.2 and down? > [Joe] yup > • DH_anon? > - Subject to thoughts about possible opportunistic encryption, > although this definitely isn't the way you _want_ to do that. > [Joe] Why not? > • Do we really want to keep DH|ECDH as opposed to DHE|ECDHE? Why? > [Joe] Not sure. > • RSA without forward security > - Seems like we're heading broadly in the direction of requiring > forward-security, which means deprecating plain old RSA in TLSv1.3 > negotiations? Thoughts? > [Joe] I didn't see much objection to removing plain old RSA in the call for consensus. > • DHE > - Given the complexities noted surrounding DHE parameters and lack of > ability to negotiate them, would we be better off dropping > conventional DHE for TLSv1.3? > - Favour ECDHE over secp256r1 and/or Curve25519 (where the latter > is not forbidden by FIPS-compliance, with 25519 being preference) > as baseline instead? > [Joe] So, at this point I'd rather see 1.3 have a way to negotiate parameters than deprecate DHE entirely. I'm not sure that I have a really good reason to keep DHE around other than I'm more comfortable with it. > I do realise that's a strongly aggressive proposed unused-feature or > not-best-practice cull, largely for reasons of complexity reduction. > Perhaps others will be able to moderate my opinions. :-) > > -- > /akr > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Matt Caswell
- [TLS] Deprecating RC4 (was: draft-ietf-tls-encryp… Eric Rescorla
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Thomson
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Kurt Roeckx
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Daniel Kahn Gillmor
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Peter Yee
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Andrei Popov
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Stephen Checkoway
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Yoav Nir
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Geoffrey Keating
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Jim Schaad
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Manuel Pégourié-Gonnard
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Johannes Merkle
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Stephen Farrell
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Richard Hartmann
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Yoav Nir
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Warren Kumari
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Eric Rescorla
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Rex
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Thomson
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Rex
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Watson Ladd
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Bill Frantz
- [TLS] Deprecating more (DSA?) (was Re: Deprecatin… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Yoav Nir
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Daniel Kahn Gillmor
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Tom Ritter
- Re: [TLS] Deprecating more (DSA?) Alyssa Rowan
- Re: [TLS] Deprecating more (DSA?) Joseph Salowey (jsalowey)
- Re: [TLS] Deprecating more (DSA?) Watson Ladd
- Re: [TLS] Deprecating more (DSA?) Alyssa Rowan
- Re: [TLS] Deprecating more (DSA?) Johannes Merkle
- Re: [TLS] Deprecating more (DSA?) Brian Sniffen
- Re: [TLS] Deprecating more (DSA?) Bill Frantz
- Re: [TLS] Deprecating more (DSA?) Watson Ladd
- Re: [TLS] Deprecating more (DSA?) Samuel Neves
- Re: [TLS] Deprecating more (DSA?) Bill Frantz