IETF Logo Mail Archive

Re: [TLS] DSA should die

Michael StJohns <msj@nthpermutation.com> Thu, 02 April 2015 23:33 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97AE11A8792 for <tls@ietfa.amsl.com>; Thu, 2 Apr 2015 16:33:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQV2QynczVmc for <tls@ietfa.amsl.com>; Thu, 2 Apr 2015 16:33:30 -0700 (PDT)
Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com [209.85.192.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 782731A038A for <tls@ietf.org>; Thu, 2 Apr 2015 16:33:30 -0700 (PDT)
Received: by qgfi89 with SMTP id i89so209371qgf.1 for <tls@ietf.org>; Thu, 02 Apr 2015 16:33:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=tDHRLPVgf+EanYXTG3OySVY6uH3FvJEsT92iWtAzsyY=; b=BOoUkWEXStT4k2EG2qMef9DjE1aoFhNMzrN/aJGtljVCB77mYTPcECE1oCUEXGMkSW SLClFAU3y7qmsrxQtKNNyK3K9JGH5DXPTzxUtF9/M6sPWoVqQEQYZdbhXV+oK+KjNjj7 Sh5BF9f3BDEY+Fyf3hBrmLkBbpFyad9OywkT7ia98bzQSIRVUW//mjjtgKO3kKqimZK4 cxKNvC10vr8LXo8jsUZPz2lkObCK56TwCqZrDOPe5D7RXhwF88/3xOnF9EDZrlNE9i4a nemrC2r5BGDXA9d/bz/f4NgOc8y9E+Fx6UOhMagiCK58Qn28fJNvz2VxDHwwhJY/8pmC jsRw==
X-Gm-Message-State: ALoCoQn7IGJT8hNWbn1EtFlPscrp0lKV2lrDmKj8jgDpmqSrIHj1Rl0rzKIR58+x9okLeBCZYlNB
X-Received: by 10.140.84.164 with SMTP id l33mr62448427qgd.11.1428017609615; Thu, 02 Apr 2015 16:33:29 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:84:f827:63cf:7b05:550e? ([2601:a:2a00:84:f827:63cf:7b05:550e]) by mx.google.com with ESMTPSA id h34sm4516683qkh.34.2015.04.02.16.33.28 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 Apr 2015 16:33:28 -0700 (PDT)
Message-ID: <551DD1CC.1040502@nthpermutation.com>
Date: Thu, 02 Apr 2015 19:33:32 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <20150401201221.163745c2@pc1.fritz.box>
In-Reply-To: <20150401201221.163745c2@pc1.fritz.box>
Content-Type: multipart/alternative; boundary="------------060902030403030002000605"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/DnLxB05ufQmMAFpFym2Eae8gfTI>
Subject: Re: [TLS] DSA should die
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 23:33:32 -0000

On 4/1/2015 2:12 PM, Hanno Böck wrote:
> Hi,
>
> Mozilla just removed DSA support from Firefox. It seems the use of
> (non-ecc) DSA in TLS is pretty much nonexistent. Still the TLS 1.3 draft
> contains DSA.
>
> Proposal: DSA should go away and not be part of TLS 1.3.
To translate the above, its basically asking that DHE_DSS and DH_DSS be 
removed as key exchange mechanisms.

I've watched the discussion and mostly this is a don't care for me except:

This is a cipher suite issue and nothing else.   E.g. its an 
implementation decision rather than a protocol decision and vendors 
should be free to offer this if they think they have a market.  The rest 
of us should gleefully remove this from the set of cipher suites we 
offer or accept.

I would deprecate the older suites (e.g. anything less than <112 bits of 
strength) on general principles, but I would leave the choice whether or 
not to implement these to those who will charge what they need to charge 
when these are specified in RFPs as necessary.

So for the base question - no.   The section on DHE_DSS and DH_DSS in 
the TLS1.3 document should be unchanged from the TLS1.2 document AFAICT 
so there shouldn't be any additional work leaving it.

Mike

>
> Reasons to remove DSA:
> * DSA with 1024 bit is considered weak and DSA with more than 1024 bit
>    is widely unsupported.
> * DSA has comparable security to RSA (it using same keysize) which is
>    the de-facto-default. Given that everybody uses RSA and nobody uses
>    DSA having the latter only adds unneccessary complexity.
> * DSA can fail badly with bad random number generators.
>
> Some numbers:
> In the 2013 https ecosystem scan there were 17 DSA keys on public IPs,
> none of them CA-trusted:
> http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
>
> I think it's safe to say nobody will care if DSA is removed.
>
> cu,
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email