Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Sat, 26 April 2014 15:24 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 447A41A06A1 for <tls@ietfa.amsl.com>; Sat, 26 Apr 2014 08:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.773
X-Spam-Level:
X-Spam-Status: No, score=-9.773 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9d1AJP-j0RYN for <tls@ietfa.amsl.com>; Sat, 26 Apr 2014 08:24:48 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by ietfa.amsl.com (Postfix) with ESMTP id 8EC311A0693 for <tls@ietf.org>; Sat, 26 Apr 2014 08:24:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1311; q=dns/txt; s=iport; t=1398525882; x=1399735482; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=2Ws3+BKjMfVVrWcn4b24OV4wktNw69qELzFh4Pr7N00=; b=Re+9ktJPlqN+2ipEG8PjeuJZsUFpGE0ycRmta6tWV6+/0DGJAxzoHlID Kwm30e782aJpOcWiL9VthFtK924sBvuye7lU3VsBJPUb12dVupvJhCbEO HjgvOpvK8AAOGLPo/laMQpBM/acXkhTsvIa7saCssh4GndUJzKv7eXKmL I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtQFAOnOW1OtJA2J/2dsb2JhbABZgwZPSwEBCr0hhzmBCxZ0giUBAQEDAQEBATc0CwULAgEINhAnCyUCBA4FiDkIDcoCEwSNdjAzB4MkgRUEmQySXoMxgis
X-IronPort-AV: E=Sophos;i="4.97,933,1389744000"; d="scan'208";a="39012116"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-8.cisco.com with ESMTP; 26 Apr 2014 15:24:41 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s3QFOfxi010784 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <tls@ietf.org>; Sat, 26 Apr 2014 15:24:41 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.100]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.03.0123.003; Sat, 26 Apr 2014 10:24:41 -0500
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Thread-Topic: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
Thread-Index: AQHPYWOkH+R/q97eyEeI9DhvY7dbHQ==
Date: Sat, 26 Apr 2014 15:24:41 +0000
Message-ID: <277ABA2E-FA8C-4927-9522-06E8907C28EB@cisco.com>
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com>
In-Reply-To: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.85.164.213]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <6B93E3486FEE844E9601F4AB36DEE632@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Ex3RQtqcM-YN2CND_VGHrczQwt8
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 15:24:50 -0000

The discussion on this list and others supports the consensus in IETF 89 to remove RSA key transport cipher suites from TLS 1.3.  The Editor is requested to make the appropriate changes to the draft on github.

More discussion is needed on both DH and ECDH are used going forward and on if standard DHE parameters will be specified.

Joe
[For the chairs]
On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <jsalowey@cisco.com>; wrote:

> TLS has had cipher suites based on RSA key transport (aka "static RSA", TLS_RSA_WITH_*) since the days of SSL 2.0.   These cipher suites have several drawbacks including lack of PFS, pre-master secret contributed only by the client, and the general weakening of RSA over time.  It would make the security analysis simpler to remove this option from TLS 1.3.  RSA certificates would still be allowed, but the key establishment would be via DHE or ECDHE.  The consensus in the room at IETF-89 was to remove RSA key transport from TLS 1.3.  If you have concerns about this decision please respond on the TLS list by April 11, 2014.
> 
> Thanks,
> 
> Joe
> [Speaking for the TLS chairs]
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls