IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 24 October 2014 11:32 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F93B1A8A96 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 04:32:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yNes1SVTm9-4 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 04:32:41 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3061B1A8993 for <tls@ietf.org>; Fri, 24 Oct 2014 04:32:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1414150361; x=1445686361; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=2Zf5JVprgrFLpQDpdyglSPjqNgBYFTaUgggNFPLf10g=; b=LTrnEDo79ETzDu0WVEhGjqdKdyeqxE9VQSD7WatqL0iKB+10BjEBkPpR bvasJ7Pfog1j/wUjtt0ko1GG6SLyaj1Qas9Hb7wRny7AglNpOJfCJGrf8 pWSAB0SA6iav7Ij16YiAlitgrGgCd0L5pM14ibD21QLGdEsmqnAkD6mQH Y=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="285555534"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 25 Oct 2014 00:32:37 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.15]) by uxchange10-fe3.UoA.auckland.ac.nz ([130.216.4.125]) with mapi id 14.03.0174.001; Sat, 25 Oct 2014 00:32:36 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "dkg@fifthhorseman.net" <dkg@fifthhorseman.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Thread-Index: Ac/vfjU+F32OZ2ncSo2nWThJw8zdLQ==
Date: Fri, 24 Oct 2014 11:32:35 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9D7684@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Fw40vAt3tf763N_d8-umboCan7U
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 11:32:46 -0000

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

>yes, and that's a deliberate choice, as documented (perhaps not well enough?)
>in the draft under "Choice of Groups".

The reasons given aren't very convincing, it's just "they're too widely used".
On the one hand that could be a problem, but it's also a huge advantage,
you're just documenting existing practice rather than forcing everyone to
switch to an entirely new set of groups they've never seen before.  If I'm
using OpenSSL (which it seems two thirds of the planet is) I just call
get_rfc2409_prime_1024() or get_rfc3526_prime_2048() or whatever, for pretty
much any version of OpenSSL in current use, and it works.  Apache already uses
these parameters by default (or did, I haven't checked recently).  If you want
to invent new, nonstandard parameters then by all means feel free to do so,
but don't lock out the existing ones that have been in widespread use for
years.

>Some of the MODP groups (768, 1024, 1536 at least) are also smaller than we
>should be explicitly supporting in updated tools, so i don't think re-
>blessing them into another standard is a good idea.

Shorter groups are still required for embedded devices. You're not "blessing"
them, you're just giving people the option to use them.  If you require the
use of large groups as the current draft does then you're automatically
excluding it from being used by many embedded devices.

>One counterargument i'm aware of is that systems that want to support both
>sets of groups would need to have a larger table of known moduli. So perhaps
>the argument is that extremely memory-constrained devices running both TLS
>and IPSec (or TLS with SRP) could share a table of known moduli to reduce RAM
>consumption?  

Constrained devices won't be using 2K+ bit groups anyway so in a sense this
isn't a problem, but "solving" things by excluded whole classes of users
doesn't seem like a good approach to things.

>We had a discussion about the use of e-derived safe primes instead of pi-
>derived safe primes in Toronto, and no one seemed to think that the groups
>currently proposed were any worse than the MODP groups.

They're not worse, but they're also both completely different from the de
facto standard groups and can't be used by whole classes of users.  As I
mentioned earlier, if you want to introduce fancy new groups then by all means
go ahead, but don't lock out existing uses and users.

Peter.

v2.23.0 | Report a Bug | By Email