Re: [TLS] Deprecating more (DSA?) (was Re: Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac))

Tom Ritter <tom@ritter.vg> Tue, 15 April 2014 21:25 UTC


On 15 April 2014 15:02, Hanno Böck <hanno@hboeck.de> wrote:
> But basically, the whole discussion about DSA's security is missing the
> point. It's probably possible to implement DSA in a secure way. But
> what I really want to achieve is getting TLS simpler.
> I think there's wide agreement that DSA if done correctly has a
> security comparable to RSA. However, in TLS everyone uses RSA, nobody
> uses DSA.
> And I think unused code is dangerous. Because nobody cares, nobody
> tests it, nobody looks at it but it still can bite you when it comes to
> security. That I think is a lesson we should've learned from
> Heartbleed. And therefore I think we should identify unused parts of
> the TLS spec and deprecate them.

I think that's a reasonable approach.  I have no problems with
removing DSA (but keeping ECDSA around).  I also have a strong
preference for saying that any implementation of DSA/ECDSA MUST use
deterministic DSA.

I would love to get NIST* or whatever other standard body we need to
bless it so that people will accept that recommendation.  (And to be
clear, I don't want them to just bless it, I want them to poke and
prod at it and try and figure out if they can come up with any
attacks, and then bless it.)

-tom

* I hope that people's distrust of NIST would not go so far as to say
that an algorithm developed by a community contributor and blessed by
NIST is no longer trustworthy.  If so, the new tool of the NSA would
be to have NIST bless all the secure algorithms leaving us with just
insecure ones ;)