Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 23 September 2013 06:38 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A741621F9E02 for <tls@ietfa.amsl.com>; Sun, 22 Sep 2013 23:38:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level:
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJbRGkk5BnhF for <tls@ietfa.amsl.com>; Sun, 22 Sep 2013 23:38:41 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) by ietfa.amsl.com (Postfix) with ESMTP id 13BDF21F9DD6 for <tls@ietf.org>; Sun, 22 Sep 2013 23:38:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1379918321; x=1411454321; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=5ZKUt55FVjvj3zYPsZ6o6a8W0tTKvlaOu39HKBiD8WY=; b=B/UtP5UkHDS34s033lz+wC7sXtL14qzWmX3HX4LahZlHRXp0QSCFoRYT pPR/Ms+8pvgSaX18uZdNiTw5fRZT0XZG90nww4CRLpZuC8ZRZ/QT+AIFx Md8DakefEKJOVcXpZN45hmfPRa+6o+sHTg8VXx88jHDWCfYtgl65n+Evx M=;
X-IronPort-AV: E=Sophos;i="4.90,960,1371038400"; d="scan'208";a="213641460"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 23 Sep 2013 18:38:40 +1200
Received: from UXCN10-6.UoA.auckland.ac.nz ([169.254.10.158]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.02.0318.004; Mon, 23 Sep 2013 18:38:39 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] draft-sheffer-tls-bcp: DH recommendations
Thread-Index: Ac64J4nFQU7WNIrxTjaI1+yfnBwiuQ==
Date: Mon, 23 Sep 2013 06:38:39 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C7355675958@uxcn10-6.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 06:38:46 -0000

Patrick Pelletier <code@funwithsoftware.org>; writes:

>So, my interpretation is that the 1024-bit limit only applies to DSS in IE.

That would make sense, since FIPS 186 for many years limited DSS to 1024 bits
it wasn't possible to go over that size anyway.

>This is in contrast to the Java situation, where Java will offer DHE_RSA, the
>server will choose it, and then Java will bail because it doesn't support the
>DH length.

Since anyone running Java is pretty much pre-0wned out of the box, I don't
know if this one is that critical :-).

Peter.