IETF Logo Mail Archive

Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document

Nimrod Aviram <nimrod.aviram@gmail.com> Fri, 19 April 2024 14:40 UTC

Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2CFC151069 for <tls@ietfa.amsl.com>; Fri, 19 Apr 2024 07:40:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGzZzxF0C00I for <tls@ietfa.amsl.com>; Fri, 19 Apr 2024 07:40:42 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B46EC14F6F4 for <tls@ietf.org>; Fri, 19 Apr 2024 07:40:42 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id e9e14a558f8ab-36b30909b01so8227575ab.2 for <tls@ietf.org>; Fri, 19 Apr 2024 07:40:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713537641; x=1714142441; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=yC7KJzL4Q+VzkL6tcX/jk9Xi3Vke9uGHFQ2pl9WlNt0=; b=JSP+h/WjH1A3/6WQmGaxW0e7a3PLa0lj8jdNuqMby6QPtZQxRA2O8nwypf2s0ZqDQc v0TpjWfJoBpPg3Qs0FleLzEV/Gl8r6A58aCkpREG8gT9rwe18MOnM/cGbQ2YNb52oIMJ mDFctxrdgmo7nFSpT9bjpCpjX4G8Y4+oYnNUSyWSBHtoNT0Q+XdYZ7Vq4HgtwC6RXLt1 CPChqOuOafG/0dwJ8NuMBPQHvnpbxycOM01EXPuoNhY6+xwXsQS29ajehNYuxZh9z02N XjgYCF1Nq6wusGIbVfT/AXd/od54VpPTqK+X04kwJSZ69aMUhBmC8E6DqMaIFBWU86u7 87ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713537641; x=1714142441; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=yC7KJzL4Q+VzkL6tcX/jk9Xi3Vke9uGHFQ2pl9WlNt0=; b=Ijx+xiWtSGyYxQlDmtfB29kCsG2devZDvjdzGx2uO/TQog2VYm6vGSu1r10Aj5efaB O1GoRhXSM+0VIzy+ZsXr+nnU81+9GDIoNrzAKIJwlPenL8JZIVDI5Fxs/hW2B9rgm6n7 koAh3o/VQmA82CEgE9AyjCDuxNYqesJmGPEmyDpq7wl+tDpfRP0/6oAviu0NhTawmLPN 4SsyTvbWAetOk9hUp2mBu0Pp2RgECd+ZiuI3e4b1lfzUNthP4cWwx7eLUgfM7/sRPKv+ niFP9AWQ0vVvxvtM69K2j5Q7ObFiFWAo96m0MGSDyt+fceygPOGfvi9LHgbbKTt9sGlE ChXQ==
X-Gm-Message-State: AOJu0YyrqX/V/bvbQJSO4IIMa5/OZ0EDDDkbNVDralhe2I//NXjYfVBk eMk5KeHMK2jGRli8N1ruPuy9Y9LwOvyl634bCEmXnU+SuvEhgfX8LchNYLzU6m0lTE+IMpFh4jf MS3Gxv/CVpg1JJrP/8cnZU6F71yiyOm8q
X-Google-Smtp-Source: AGHT+IEFTwoOLBcB+ZxKhQ5DfqU+vOADL7SNj/QVr5ojIwA9lzUBgh8PmTIpxIcpTrQrgYCnW91JLVoVXBfgL7WYKMk=
X-Received: by 2002:a05:6e02:2141:b0:36a:3515:b82d with SMTP id d1-20020a056e02214100b0036a3515b82dmr2878200ilv.13.1713537641047; Fri, 19 Apr 2024 07:40:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
In-Reply-To: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Fri, 19 Apr 2024 17:40:28 +0300
Message-ID: <CABiKAoR0-8GMbv4THVUq+-iZSxosYpsfkmvqxcDTqgft4r9C5w@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006774b306167412b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HMKWN-tVU6xRmU4A_9duY8GNbok>
Subject: Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2024 14:40:46 -0000

Yes.
(Draft coauthor here. FWIW, I'm not sure how much bandwidth I'll have to
continue moving the draft forward. Regardless, this sounds like a good idea
to me.)


On Mon, 15 Apr 2024 at 21:14, Joseph Salowey <joe@salowey.net> wrote:

> At IETF 119 we had discussion that static DH certificates lead to static
> key exchange which is undesirable.  Although the current draft deprecates
> static DH ciphersuites, it seems that RFC 5246 allows the client to provide
> a certificate with a static DH keypair to provide static parameters in
> (EC)DHE in TLS 1.2 (I don't know of any implementations that do this).
>
> Should the draft deprecate these ClientCertificateTypes and mark the
> entries (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, ecdsa_fixed_ecdh) as
> 'D' discouraged?
>
> Please respond with any comments on this proposal by April 30,2024.
>
> Thanks,
>
> Sean, Deirdre and Joe
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email