Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
Alyssa Rowan <akr@akr.io> Thu, 27 March 2014 12:27 UTC
Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6414A1A0690 for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:27:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.398
X-Spam-Level:
X-Spam-Status: No, score=0.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_BACK=2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8w3GHnmUR2ew for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:27:23 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id B38731A068A for <tls@ietf.org>; Thu, 27 Mar 2014 05:27:23 -0700 (PDT)
Received: from [10.103.236.114] (94.197.120.139.threembb.co.uk [94.197.120.139]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by entima.net (Postfix) with ESMTPSA id E6B8C600FE for <tls@ietf.org>; Thu, 27 Mar 2014 12:27:20 +0000 (GMT)
User-Agent: K-9 Mail for Android
In-Reply-To: <20140327115551.GA24503@randombit.net>
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <20140326211219.27D281AC7D@ld9781.wdf.sap.corp> <20140327095527.5335c7fa@hboeck.de> <20140327115551.GA24503@randombit.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Mar 2014 12:27:17 +0000
To: tls@ietf.org
Message-ID: <6f43d6c5-b70f-4a80-98e6-f653011317c7@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3CSfk7pjZ4eKMNDIlWMoD-iWl5M
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 12:27:25 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, Mar 27, 2014 at 09:55:27AM +0100, Hanno Böck wrote: > Appart from the other issues, I think it would make a lot of sense to > change DHE handling in TLS 1.3 away from "server can have arbitrary > parameters". I'm wondering: why even keep DHE around at all? Let's face it: traditional DHE runs like an absolute dog compared to ECDHE using secp256r1, or especially curve25519 (which we have a live draft for now: I'm ready to start driving deployment almost as soon as we get a curve number!). Speed is why people were reluctant to deploy PFS, and in many cases in the wild, advised increasing TLS server performance by disabling it (which is bad for everyone). ECDHE eliminates that problem. Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead? Suggestion: remove static RSA *and* traditional DHE and mandate ECDHE for key exchange in TLS 1.3. I propose, curve25519 as mandatory-to-implement and secp256r1 as recommended-to-implement [? Also mandatory, maybe?], both in constant time, which is comparatively easy, especially for 25519. That would simplify the protocol considerably (decreasing the code and protocol surface to audit), increase its baseline security well above 2048-bit DH, to ~3072-bit (ish) levels, reduce the size of the exchanges and massively reduce the CPU load on both servers and clients. That seems to me like a win for every one of the good guys and none of the bad guys: TLS 1.3 gets both simpler, easier to audit, more secure *and* faster - and that's the kind of thing that'll drive 1.3 adoption in my opinion. Thoughts? - -- /akr -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQI3BAEBCgAhBQJTNBkkGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE jtkWi2t67zwQAL0qda+2JX6ODJLzhuvKI6v82ng4cWvNh/OnVZ7CNKKq2JR/AdBj CftYldhG/8ETi4chPhie3q4ovc+uo3NtP1W95zo696s1wPKDYI7/d60SrxvycdSA zStYAmSxK39cXDvm9iyNNGTVPdvwbZAkiQjFGh+pXIN0c8SP4L11FtDaVhe/7/Ee 4Fn2cpSe9FojMbB7XYqO9QIeLsUzeEgfNBdL58P9ZbpkBK7SsHzu9u5LSSh+vtsF ejbgwuvaPxDuRVGgKffI3lSUC4GCm0krqgou1eDM2uWMKoBydSOC4JMFbZDWrMrC 1CHDpnyhgU9a6dnBbI6W3mf/vrIddHeN2PAQHyAC7aRhMrMgLqNN7SuXo4ifFmco tbSNCyiTguYE1juOMsxwMSRGjd0AMM3TSkY85COduWiEjvekfVyuT540CClqrar/ JqHgdo69SjNDT24sGfcMpji/5Hklg+pkUPX/pX9yVzZPUvfER6bRhnb2FaHFvvx0 rPBO/VOgTIP+0DRPYcSNVrkSymFSNs2wBwf8D3FrPa+6gKfByFIelLDY68nDs9O8 v2r+iiNIKKp97CNYJPvzx2srR7IDJF908ZA7U5v5fmUs3+JEV1VxRONwtxj+hJj4 qbQSdOwF/n8uRRsEZ+Z8vAbdo35j8v0DHCnn8T3DxE1qE1ymLFH9XqiK =g6eK -----END PGP SIGNATURE-----
- [TLS] Confirming Consensus on removing RSA key Tr… Joseph Salowey (jsalowey)
- [TLS] On axing DHE (was: Re: Confirming Consensus… Rene Struik
- Re: [TLS] Confirming Consensus on removing RSA ke… Trevor Perrin
- Re: [TLS] Confirming Consensus on removing RSA ke… Martin Rex
- Re: [TLS] Confirming Consensus on removing RSA ke… Watson Ladd
- Re: [TLS] Confirming Consensus on removing RSA ke… Santosh Chokhani
- Re: [TLS] Confirming Consensus on removing RSA ke… Martin Rex
- Re: [TLS] Confirming Consensus on removing RSA ke… Hanno Böck
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Jack Lloyd
- Re: [TLS] Confirming Consensus on removing RSA ke… Alyssa Rowan
- Re: [TLS] Confirming Consensus on removing RSA ke… Paul Bakker
- Re: [TLS] Confirming Consensus on removing RSA ke… Alyssa Rowan
- Re: [TLS] Confirming Consensus on removing RSA ke… Hanno Böck
- Re: [TLS] Confirming Consensus on removing RSA ke… Johannes Merkle
- Re: [TLS] Confirming Consensus on removing RSA ke… Paul Bakker
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Salz, Rich
- Re: [TLS] Confirming Consensus on removing RSA ke… Watson Ladd
- Re: [TLS] Confirming Consensus on removing RSA ke… Salz, Rich
- Re: [TLS] Confirming Consensus on removing RSA ke… Andy Lutomirski
- Re: [TLS] Confirming Consensus on removing RSA ke… Marsh Ray
- Re: [TLS] Confirming Consensus on removing RSA ke… Daniel Kahn Gillmor
- Re: [TLS] Confirming Consensus on removing RSA ke… Daniel Kahn Gillmor
- [TLS] Negotiated Discrete Log DHE revision [was: … Daniel Kahn Gillmor
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Michael D'Errico
- Re: [TLS] Negotiated Discrete Log DHE revision Michael D'Errico
- Re: [TLS] Negotiated Discrete Log DHE revision Henrick Hellström
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Daniel Kahn Gillmor
- Re: [TLS] Negotiated Discrete Log DHE revision Daniel Kahn Gillmor
- Re: [TLS] Negotiated Discrete Log DHE revision Samuel Neves
- Re: [TLS] Negotiated Discrete Log DHE revision Watson Ladd
- Re: [TLS] Negotiated Discrete Log DHE revision Samuel Neves
- Re: [TLS] Negotiated Discrete Log DHE revision Liz meeks
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Fedor Brunner
- Re: [TLS] Negotiated Discrete Log DHE revision [w… Fedor Brunner
- Re: [TLS] Confirming Consensus on removing RSA ke… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on removing RSA ke… Martin Rex
- Re: [TLS] Confirming Consensus on removing RSA ke… Eric Rescorla
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Kurt Roeckx
- Re: [TLS] Confirming Consensus on removing RSA ke… Daniel Kahn Gillmor
- Re: [TLS] Confirming Consensus on removing RSA ke… Eric Rescorla
- Re: [TLS] Confirming Consensus on removing RSA ke… Kurt Roeckx
- Re: [TLS] Confirming Consensus on removing RSA ke… Eric Rescorla
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on removing RSA ke… Viktor Dukhovni
- Re: [TLS] Confirming Consensus on removing RSA ke… Watson Ladd
- Re: [TLS] Confirming Consensus on removing RSA ke… Nikos Mavrogiannopoulos