Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document

Filippo Valsorda <filippo@ml.filippo.io> Tue, 16 April 2024 11:27 UTC

Message-Id: <abd8ab0d-4747-4952-b3d1-3f22a6404a43@app.fastmail.com>
In-Reply-To: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
References: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8CocPzwPj7oEn4mMu0CYv8-ZFxc>
2024-04-15 20:14 GMT+02:00 Joseph Salowey <joe@salowey.net>:
> Should the draft deprecate these ClientCertificateTypes and mark the entries (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh) as 'D' discouraged?

Oh, yes.