Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group

Martin Thomson <> Tue, 04 November 2014 21:37 UTC

On 4 November 2014 11:24, Nikos Mavrogiannopoulos <> wrote:
> That's not a good argument. If in 4 years the 2048-bit certificates
> are broken, we can simply reissue stronger ones with no damage to past
> sessions. If the 2048-bit DH can be broken, all the past sessions could
> be read.

I'm actually not a big fan of the argument from alignment:

A strong ephemeral exchange protects session confidentiality from some
future break or brute forcing (if that's even feasible), outside of
the window where an active attack (impersonation or hijacking) based
on a break might be possible.  If keys are properly ephemeral, an
attacker only has while the session is active (or resumptions of the

A strong authentication key protects a session from MitM attacks at
the time of session creation.  Authentication keys also have an
applicability window, which is limited by the expiration of the
associated certificate (plus the relevant clock skew under the
NTP-style attacks).

There's an argument to be had for stronger ephemeral keys on this basis.

In the end, I don't care particularly.  I'd like to know if anyone
making arguments for either side feels so strongly that they would
strongly object to either.  If we're just assembling preferences, then
it's hard to see a way we can reach consensus on whether number A is
better than number B.

p.s., Clearly 2^521-1 is the best number.  It's not even clear that
there is any point arguing about the minor placings.