Return-Path: X-Original-To: tls@ietfa.amsl.com Delivered-To: tls@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D9BE12D580 for ; Sat, 27 Aug 2016 06:27:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.748 X-Spam-Level: X-Spam-Status: No, score=-4.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnNKl8fGWoP3 for ; Sat, 27 Aug 2016 06:27:24 -0700 (PDT) Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53A8E12D579 for ; Sat, 27 Aug 2016 06:27:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1472304444; x=1503840444; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=crNqxH0GaCBvjQZMnEWDjEAATu8H1YM1c0KEcOkyJV0=; b=MYhpb/B+VflRkF3kunuTmUt6dXjNtwTlCQxLPlDBBqHd29ajkr9bW443 5IT5BLxV3+hzK4AENLNxzkI8E2Ff7t2e6PCJXR1WKyltmssvBkOV0lvQn 4ZMc/mfiUOfoeEQSPKaAWSSGWPMtc40tgLHz0QyccY6/rnUdiBwtxMjbg 6rrFqQy59xVr1lIejVNW+YyHaSyNSEdywn5KfD9Hb0jBFfp7DGMVFMOt/ yERjhvD6QLDZ8Rigj5v68q7YUY+MTaLzM+ortDlTk407IlW8tAVOo2GWT v3I6xMo7yZ7NnSeltl6JqE84adWzACxT4g52iDaskhSVg9a6xoYPxLqd4 w==; X-IronPort-AV: E=Sophos;i="5.28,586,1464609600"; d="scan'208";a="103687333" X-Ironport-HAT: MAIL-SERVERS - $RELAYED X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 28 Aug 2016 01:27:15 +1200 Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.93]) by uxchange10-fe2.UoA.auckland.ac.nz ([130.216.4.106]) with mapi id 14.03.0266.001; Sun, 28 Aug 2016 01:27:15 +1200 From: Peter Gutmann To: David Benjamin , Geoffrey Keating Thread-Topic: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) Thread-Index: AQHR+kiDZXbZlYKpgUOnaUdD5zLR56BP1VcAgA0Cxf4= Date: Sat, 27 Aug 2016 13:27:15 +0000 Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4D04810@uxcn10-5.UoA.auckland.ac.nz> References: <9A043F3CF02CD34C8E74AC1594475C73F4CF009C@uxcn10-5.UoA.auckland.ac.nz> <20160816145548.GQ4670@mournblade.imrryr.org> <9A043F3CF02CD34C8E74AC1594475C73F4CF1AC9@uxcn10-5.UoA.auckland.ac.nz> <9A043F3CF02CD34C8E74AC1594475C73F4CF416C@uxcn10-5.UoA.auckland.ac.nz> , In-Reply-To: Accept-Language: en-NZ, en-GB, en-US Content-Language: en-NZ X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.6.2.4] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: Cc: "tls@ietf.org" Subject: Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) X-BeenThere: tls@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Aug 2016 13:27:26 -0000 David Benjamin writes:=0A= =0A= >TLS 1.3 will resolve this with the new cipher suite negotiation, but I agr= ee=0A= >this makes the specification basically undeployable with TLS 1.2. This iss= ue=0A= >also got brought up here:=0A= >https://www.ietf.org/mail-archive/web/tls/current/msg18697.html=0A= =0A= Hmm, good point. So reading between the lines of the various comments on t= his=0A= issue, the feeling seems to be "ignore this RFC". That more or less answer= s=0A= my question, I'll leave it out of TLS-LTS apart from mentioning it as anoth= er=0A= source of DH groups.=0A= =0A= >Barring unforeseen problems, Chrome will also lose DH in the next release.= =0A= =0A= Which will be yet another headache for people working with SCADA devices, w= ho=0A= are seeing themselves locked out more and more from being able to admin the= ir=0A= systems when browser vendors arbitrarily decide to deprecate long-establish= ed=0A= mechanisms. I know of operators who are running IE 6 in XP VMs because tha= t's=0A= the only thing that'll still talk to some devices they use (OK, old version= s=0A= of FF and Chrome will do it too if you can find them, but then they always= =0A= want to update themselves to less old versions that stop working again). = =0A= =0A= Couldn't Chrome include an optional legacy mode that just works with existi= ng=0A= systems, perhaps triggered by access to a device at an RFC 1918 address?=0A= There really is, in some cases, nothing available any more that will talk t= o=0A= entire families of SCADA devices because browsers assume the only thing tha= t=0A= matters is the public WWW and won't accommodate anything that isn't.=0A= =0A= (At some point someone's going to figure out they can make a lot of money b= y=0A= taking Firefox 3.0, rebranding it, and selling it as an embedded device=0A= management solution, because it'll talk to all the things that current=0A= browsers won't any more).=0A= =0A= Peter.=