IETF Logo Mail Archive

Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

mrex@sap.com (Martin Rex) Tue, 29 April 2014 17:25 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2F751A07A6 for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 10:25:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYbaVJMSbXWC for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 10:25:32 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id A07D91A085A for <tls@ietf.org>; Tue, 29 Apr 2014 10:25:31 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s3THPRUC002060 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 29 Apr 2014 19:25:27 +0200 (MEST)
In-Reply-To: <277ABA2E-FA8C-4927-9522-06E8907C28EB@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Date: Tue, 29 Apr 2014 19:25:26 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140429172526.EC5211ACE8@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0jcUj3lnhc5aEL4e7C_s2PxqXHI
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 17:25:33 -0000

Joseph Salowey (jsalowey) wrote:
>
> The discussion on this list and others supports the consensus in IETF 89
> to remove RSA key transport cipher suites from TLS 1.3.

You probably meant TLS cipher suites with the (static) RSA key exchange
method.

> 
> More discussion is needed on both DH and ECDH are used going forward
> and on if standard DHE parameters will be specified.

(static) DH/ECDH key exchange needs to be addressed seperately from 
(ephemeral) DHE/ECDHE key exchange.

Is there any deployment of Server certificates with static DH/ECDH at all?
Is it at all possible to build a regular PKCS#10 certification request
(i.e. one with a proof-of-posession signature) for static DH/ECDH
keys in server certificates?


Personally, I don't think it is reasonable to completely remove from TLSv1.3
*ALL* of the stuff that will be necessary for interop with the installed base.

There also exist small devices with weak random number generators that
could be used with an offline generated RSA server keypair.  I don't see
any value in _not_ supporting static RSA for these.  With a preloaded
strong (EC)DHE keypair, they're worse off that with a static RSA key
(slower and no forward secrecy), and they have difficulties generating
strong ephemeral keys on their own.


The additional code footprint of ECC and the overall brittleness
of ECC crypto is another concern.  Currently, ECC is a mere option,
and a very dangerous one due to the overall brittleness of ECC,
even for implementations of TLSv1.2


-Martin

v2.23.0 | Report a Bug | By Email