Re: [TLS] Does anyone still want dh_rsa and dh_dss?
Watson Ladd <watsonbladd@gmail.com> Sun, 29 June 2014 20:55 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A19921A0032 for <tls@ietfa.amsl.com>; Sun, 29 Jun 2014 13:55:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VRhxp3t0A6j for <tls@ietfa.amsl.com>; Sun, 29 Jun 2014 13:55:08 -0700 (PDT)
Received: from mail-yk0-x229.google.com (mail-yk0-x229.google.com [IPv6:2607:f8b0:4002:c07::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D063A1A0025 for <tls@ietf.org>; Sun, 29 Jun 2014 13:55:07 -0700 (PDT)
Received: by mail-yk0-f169.google.com with SMTP id 79so4149581ykr.14 for <tls@ietf.org>; Sun, 29 Jun 2014 13:55:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MR58lnRiQRsvRpiuo1CZ0H+exT0RsW8t19Guued9JU4=; b=WMpn3N3nVSOkPuxr4Iok9IpfcbM1pekYGxdIDDNwJ6KguQS7ZR94fnlYPphZxVHnxi cYR79EzkthYtT3LFsuJ/41bA5HPct0v7sUG9VOh2heYtpOzjgBvT52cysLcTPwoxgAl2 8lSWpYVNu8BK0FHOSKRrsXVxbR7G4jPccRU1np37P4SCILZ7MSGpKrZPI+wlhEXmeioQ trlMbZOIpGugpFudUbaReNs/JTK+6iB/giiZ6VeK3ZO2CFQ31fGwpINcLEdw/vK5Hml6 zRU3l7BURoLn5C8tBJ+2P/m7IUhEPKZV+zLVUsZBf6MfcE0P//HgLDvyy6umTAZTJFwq SnSQ==
MIME-Version: 1.0
X-Received: by 10.236.103.135 with SMTP id f7mr6306708yhg.102.1404075307101; Sun, 29 Jun 2014 13:55:07 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Sun, 29 Jun 2014 13:55:07 -0700 (PDT)
In-Reply-To: <53B07AE5.5090304@nthpermutation.com>
References: <CABcZeBMcG3ppe-Z0vgJTBMCf+kNwrzsHzv9-O2Wre0DAT8TF8Q@mail.gmail.com> <53B07AE5.5090304@nthpermutation.com>
Date: Sun, 29 Jun 2014 13:55:07 -0700
Message-ID: <CACsn0ckO4SBd_nz1GeEm3MSwCT6rKyF+ooDNbbRFVEMnDzbFVA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/55PBe1HltXBgYFdDMpUC9fgyRiI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Does anyone still want dh_rsa and dh_dss?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jun 2014 20:55:09 -0000
On Sun, Jun 29, 2014 at 1:45 PM, Michael StJohns <msj@nthpermutation.com> wrote: > On 6/26/2014 12:14 PM, Eric Rescorla wrote: > > We've already removed static RSA for TLS 1.3 but we didn't > emove dh_rsa and dh_dss (as opposed to dhe_rsa and > dhe_dss). It seems like the arguments for removing static > RSA apply even more strongly here. > > Is there any reason to retain these in TLS 1.3? > > > Would it be more appropriate to ask this in a more crypto-neutral manner? > E.g. We've removed Public Key Transport as a valid mechanism for pre-master > setup. So instead maybe ask this as "Should we remove all non-ephemeral key > agreement mechanisms?" > > Or is there some reason to retain non-ephemeral ECDH vice non-ephemeral DH? Yes, there is potentially. With DH on genus 0 we need to restrict parameter choices. Existing certificates probably don't fit into that framework, so won't work. However, I do think we should chuck both out because they are not forward secure. Sincerely, Watson Ladd > > Mike > > > > -Ekr > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Does anyone still want dh_rsa and dh_dss? Eric Rescorla
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Yoav Nir
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Adam Langley
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Dan Brown
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Michael StJohns
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Eric Rescorla
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Watson Ladd
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Bodo Moeller
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Steve Checkoway
- Re: [TLS] Does anyone still want dh_rsa and dh_ds… Juho Vähä-Herttua