Re: [TLS] draft-sheffer-tls-bcp: DH recommendations (Martin Rex) Thu, 19 September 2013 02:06 UTC

Date: Thu, 19 Sep 2013 04:06:42 +0200 (CEST)
From: (Martin Rex)
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Following up to myself:

> The TLS WG could have easily provided an adequate PFS solution
> many years ago that could be trivially enabled for all existing
> implementations.  Ephemeral RSA.  99% of the code is already
> present in all implementations, because this is used in the
> RSA_EXP cipher suites.
> (EC)DHE is a mess, because both servers and clients will regularly
> have to regenerate new keys, and there are going to be several
> different keys necessary for the preferences of various servers
> and sometimes, the client-side key generation will have to be
> performed inline.  How many different keys will clients need
> for ECDHE?
> With Ephemeral RSA, only the server has to generate the temporary
> RSA keypair, and can *ALWAYS* generate the ephemeral RSA keypair out-of-band.

What I had not remembered from the past discussion, and just
found in a later reply from EKR:

was the design "feature" (I believe it is a defect), that
the ephemeral key exchange in the server key exchange handshake
message exists only in an extremely paranoid variant, requiring
an additional private key operation for every handshake.

It would really help if client and server could negotiate the use
of alternative "signed parameters format" for ephemeral (RSA) keys
that do not require a separate signature (=private key operation)
for each handshake, but where the signed parameters could be reused
for several hours, maybe using a time-based indicator for the
freshness of the ephemeral keypair.
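The reuse scheme sketched in the last paragraph, modelled as an added example that is not code from the post, from the draft, or from any TLS implementation: the server signs its ephemeral parameters together with a validity window once, hands the same signed blob to every handshake inside that window, and the client checks both the signature and the time-based freshness indicator. Everything below is an assumption made for the model: the `encode_params` layout is hypothetical (not the ServerKeyExchange format), the long-term signing key is textbook RSA over two small fixed Mersenne primes with no padding so the block runs with the standard library only, and the ephemeral public value is a constructed stand-in for a real out-of-band keypair.

```python
"""Model of reusing signed ephemeral parameters across handshakes.

Illustrative only: textbook RSA with toy parameters, hypothetical blob
layout, simulated clock. Demonstrates the amortisation of the private-key
operation and the client-side freshness check, not real TLS.
"""
import hashlib
import struct

# Toy long-term signing key (assumption: fixed small primes, far below a real key size).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest_mod_n(data: bytes) -> int:
    """Hash the signed bytes and reduce into Z_n (unpadded: toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """The private-key operation the post wants to perform once per window, not per handshake."""
    return pow(_digest_mod_n(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """Public-key operation performed by the client."""
    return pow(sig, E, N) == _digest_mod_n(data)


def encode_params(ephemeral_pub: bytes, not_before: int, not_after: int) -> bytes:
    """Hypothetical 'signed parameters' layout: validity window followed by the ephemeral key."""
    return struct.pack("!II", not_before, not_after) + ephemeral_pub


class Server:
    """Keeps one signed parameter blob and reuses it while its window is valid."""

    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self.private_key_ops = 0
        self.cached = None  # (not_before, not_after, blob, sig)

    def _fresh_ephemeral_public(self, now: int) -> bytes:
        # Constructed stand-in for out-of-band ephemeral key generation.
        return hashlib.sha256(b"ephemeral-" + str(now).encode()).digest()

    def server_key_exchange(self, now: int):
        """Return (blob, sig); signs again only when the cached window has expired."""
        if self.cached is None or not (self.cached[0] <= now < self.cached[1]):
            not_before, not_after = now, now + self.window
            blob = encode_params(self._fresh_ephemeral_public(now), not_before, not_after)
            self.private_key_ops += 1
            self.cached = (not_before, not_after, blob, sign(blob))
        return self.cached[2], self.cached[3]


def client_accepts(blob: bytes, sig: int, now: int, max_age: int) -> bool:
    """Client checks the signature first, then the time-based freshness indicator."""
    if not verify(blob, sig):
        return False
    not_before, not_after = struct.unpack("!II", blob[:8])
    if not (not_before <= now < not_after):
        return False
    # Client policy: refuse windows longer than the client is willing to tolerate.
    return (not_after - not_before) <= max_age


def simulate(handshakes: int, window_seconds: int, seconds_between: int):
    """Run many handshakes against one server; return (private-key ops, accepted handshakes)."""
    server = Server(window_seconds)
    accepted = 0
    for i in range(handshakes):
        now = 1_000_000 + i * seconds_between
        blob, sig = server.server_key_exchange(now)
        if client_accepts(blob, sig, now, max_age=window_seconds):
            accepted += 1
    return server.private_key_ops, accepted


if __name__ == "__main__":
    # A one-second window degenerates to the per-handshake signature the post complains about.
    print("per-handshake signing:", simulate(1000, 1, 1))
    print("one-hour window:      ", simulate(1000, 3600, 10))
```

With a window of one second the model signs once per handshake, which is the behaviour the post criticises; with a one-hour window the same thousand handshakes cost three signatures, and the client still rejects a blob presented outside its window, a blob whose window exceeds the client's own limit, or a blob whose bytes were altered.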