IETF Logo Mail Archive

Re: [TLS] Regarding draft-bartle-tls-deprecate-ffdhe

Watson Ladd <watsonbladd@gmail.com> Wed, 10 March 2021 01:16 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 751CD3A150C for <tls@ietfa.amsl.com>; Tue, 9 Mar 2021 17:16:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0DDs0EEEp9i for <tls@ietfa.amsl.com>; Tue, 9 Mar 2021 17:16:03 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88E443A150B for <tls@ietf.org>; Tue, 9 Mar 2021 17:16:03 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id bd6so24507333edb.10 for <tls@ietf.org>; Tue, 09 Mar 2021 17:16:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=LgXWHyU7QViGFvpXHEbPPj3r0Fp19/eNVPTF2dpizvM=; b=pFtefcA6spJq7yeqczEMvUdJl+Ry5Mai5zRgZAyTdMvGmsJaMng5NgzW4U3rfZOc8P h7C/g9UCEHR7yBipYpvTQ0IVfFQF40unzrtGdMPFgpBtLGtQNdgaXHS7l2q/6yzyJnjK yU+QRx87OwZFdunLO8dBYXVmlU9MbYlnn+RhZsxZVHLyv7GpDoDAtkwjW1rT10jK51bJ 5IQQa842bff3rPDqXYub1AfzZZ64aYRpdeaBn581+ZtvInMlYL3g/TSSX+O9hRgG5TBb QzlOoF7/5v0/veXH7gaW8+mmY8kXjNvw6Yc2kli+5FQGQcNt7M7ZFEmaO0Qrzuy85stJ 5ucQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=LgXWHyU7QViGFvpXHEbPPj3r0Fp19/eNVPTF2dpizvM=; b=kFTOYkPY0f26SVPHC1JXIA6iKb6XhSFtq6C0X8r/jzTcRIdpHLuCTtSzLfkKbASrO9 mhVlEl/NpdIKBdDjMykiXRPce7YQWVSXDFCs+572KeR80hI8mKwaadXvAJcen+gdX9ut ZO9s2vvP1VPV6vKMXAxLaG4N5m7sd/G+wwbTDZMzmoQp7C5DsFxgF5ONMOxzqiXu8Xkr b4IZVm4Wq7Yg90WHxXS4qIYnCG1j3Aa2GA83mwS3wZ7q7rUHm0wf7S9qqiIwKavQFSOt cxGGtqb8KCG0/xLmhDpYi8jE8RzUqfe5JUhK0EqBYHqKFChHLJa2rdRq+R93itPbcyd2 ArKw==
X-Gm-Message-State: AOAM530XUfiPKtCmBsSp2DT9s1tUKzZPNtoJ1zhAnoKjHkaiIrp7W/5g RiY1yEuey6iPCsGZrJPt67K4gD44mc7ULT7YmWaK/5mPQS4=
X-Google-Smtp-Source: ABdhPJxHyAWF302jt0fca8gcND7NS+jeFJR5akQWQHSnPQvsgCouyjOZnULB8YTBSzXeepxnOWnDJ1Eqm/9GYTwcCfM=
X-Received: by 2002:a05:6402:1115:: with SMTP id u21mr407775edv.383.1615338960080; Tue, 09 Mar 2021 17:16:00 -0800 (PST)
MIME-Version: 1.0
References: <426843f6-9cc8-4807-b4f7-79c0685fd140@www.fastmail.com> <CAFewVt7=6GJbc6pA0ALwZWgL407haWYyokTv4yK8LkSMySkTTw@mail.gmail.com> <CAFewVt5cy1KZtGFS5Xy5k-0wRXQ+c8kercd1xEn=b3Svf-k8Tw@mail.gmail.com> <50A1E31D-75C7-4179-B085-BB0661ACDED5@icloud.com> <YEbyH1o2Lr9vfVTE@straasha.imrryr.org> <D9752940-5E68-415B-BEAA-8688D18564C5@icloud.com> <YEfi+btdiqeQ6wru@straasha.imrryr.org>
In-Reply-To: <YEfi+btdiqeQ6wru@straasha.imrryr.org>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 09 Mar 2021 17:15:48 -0800
Message-ID: <CACsn0ckemS=nJTdgtPzUt13_aWxHRWscH2XBefiw=YTvAE0Bog@mail.gmail.com>
To: TLS List <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GpBpnfWQT46JxPCbFnLjpl6LT_0>
Subject: Re: [TLS] Regarding draft-bartle-tls-deprecate-ffdhe
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 01:16:06 -0000

On Tue, Mar 9, 2021 at 1:05 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> On Tue, Mar 09, 2021 at 11:29:40AM -0800, Carrick Bartle wrote:
>
> > > Because there are still many TLS (non-web) implementations that don't
> > > do ECDHE.
> >
> > I'm confused: if those implementations don't do ECDHE, what's wrong
> > with prohibiting the way it's used?
>
> The proposal on the table is to deprecate FFDHE.  If the software stack
> has no ECDHE, and only has FFDHE, it would then have to resort to RSA
> key exchange.
>
> > >    * In practice security improves more when you raise the ceiling,
> > >      rather the floor.
> >
> > This sort of suggests that we should never deprecate anything, ever, no?
>
> No, rather it suggests that *before* we deprecate, we first work to get
> everyone to use stronger options, and then, crisis situations aside,
> wait for the long tail to effectively peter out.  Then deprecate, once
> it is clear that it is mostly a formality.

Depreciation is how you get the laggards to replace things.
Depreciation leads, not tails, replacement. Because we depreciated
RC4, PCI stopped being silly about mandating its uses. Had we not done
this, they would have continued as is.

>
> The difficult question is how to handle situations where the long tail
> is mostly invisible to the IETF community, i.e. happens on isolated
> networks, that use (and may be audited against) our standards, but don't
> show up in Internet surveys, ...  It may then be hard to know when to
> declare to declare victory.  I don't have a good answer for that.
> This is where Peter Gutmann et. al., may be able to help.
>
> Deprecation is not always easy, and we don't always the desired outcome.
>
> I hear that in Germany operators of some services are expected to
> operate their systems in accordance with "state of the art" practices
> (I guess BCP).  This may allow a distinction between "tolerable" and
> "best practice", where things we might deprecate would no longer be
> "best practice", but are still within the standard, and expected
> to interoperate if implemented by both (all relevant) parties.

This was already done via the UTA working group.

>
> So short of deprecation, one might say that the legacy algorithms:
>
>     * Are not recommended.
>     * Can't be expected to be widely implemented
>     * Should only be used when the preferred choices
>       are not available.

That is depreciation.

>
> Which is not nearly as strong as "MUST NOT", which is what I take
> deprecation to mean.  Am I wrong about the intended meaning of
> "deprecation"?

There is no protocol police. To the extent that industries want to
ensure that systems are secure, they have to ensure updates for the
life of the system. I think it's reasonable to require implementation
and deployment of 12 year old standards.

Sincerely,
Watson Ladd

>
> --
>    Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



--
Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email