Re: [TLS] DSA should die

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

<no-hats-except-the-330+-ciphersuites-is-crap-hat>

Here's a suggestion: why pick 'em off one by one? How about
creating a new registry that only includes stuff we think is
really good for TLS1.3?

Personally, I'd go further and argue that the new registry
only specify the TLS 1.3 MTIs, but that's a different question:-)

I'd even argue that that new registry be defined so it only
has space for two of anything - in other words maybe structure
the new registry like the nice list in the MTI mail thread, [1]
and then say how to map that to the old registry that has all
330+ ciphersuites including the good, the bad and the downright
ugly.

</no-hats-except-the-330+-ciphersuites-is-crap-hat>

S.

[1] https://www.ietf.org/mail-archive/web/tls/current/msg15774.html

On 02/04/15 01:26, Viktor Dukhovni wrote:
> On Wed, Apr 01, 2015 at 08:12:21PM +0200, Hanno B?ck wrote:
> 
>> Mozilla just removed DSA support from Firefox. It seems the use of
>> (non-ecc) DSA in TLS is pretty much nonexistent. Still the TLS 1.3 draft
>> contains DSA.
>>
>> Proposal: DSA should go away and not be part of TLS 1.3.
> 
> I'm in.  This also helps to shrink the ClientHello cipherlist zoo.
> 
> OpenSSL has (SRP, EXPORT and single-DES excluded):
> 
>     DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256)   Mac=AEAD
>     DHE-DSS-AES256-SHA256     TLSv1.2 Kx=DH Au=DSS Enc=AES(256)      Mac=SHA256
>     DHE-DSS-AES256-SHA        SSLv3 Kx=DH   Au=DSS Enc=AES(256)      Mac=SHA1
>     DHE-DSS-CAMELLIA256-SHA   SSLv3 Kx=DH   Au=DSS Enc=Camellia(256) Mac=SHA1
>     DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128)   Mac=AEAD
>     DHE-DSS-AES128-SHA256     TLSv1.2 Kx=DH Au=DSS Enc=AES(128)      Mac=SHA256
>     DHE-DSS-AES128-SHA        SSLv3 Kx=DH   Au=DSS Enc=AES(128)      Mac=SHA1
>     DHE-DSS-CAMELLIA128-SHA   SSLv3 Kx=DH   Au=DSS Enc=Camellia(128) Mac=SHA1
>     EDH-DSS-DES-CBC3-SHA      SSLv3 Kx=DH   Au=DSS Enc=3DES(168)     Mac=SHA1
>     DHE-DSS-SEED-SHA          SSLv3 Kx=DH   Au=DSS Enc=SEED(128)     Mac=SHA1
> 
> Which can all go.  Speaking of house-cleaning, on my deprecation wish list
> are also (pardon the OpenSSL nomenclature):
> 
>     DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
>     DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
>     DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
>     DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
>     ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
>     SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
>     IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
>     RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
>     EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
>     EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
>     DH-RSA-DES-CBC-SHA      SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(56)   Mac=SHA1
>     DH-DSS-DES-CBC-SHA      SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(56)   Mac=SHA1
>     ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
>     DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> 
> and exotic key agreement schemes with static DH certificates (some of which
> appear above):
> 
>     DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
>     DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
>     DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
>     DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
>     DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
>     DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
>     DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
>     DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
>     DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
>     DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
>     DH-RSA-DES-CBC-SHA      SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(56)   Mac=SHA1
> 
>     ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
>     ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
>     ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
>     ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
>     ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
>     ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
>     ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
>     ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
>     ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
> 
>     ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
>     ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
>     ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
>     ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
>     ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
>     ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
>     ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
>     ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
>     ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
>