[TLS] draft-deprecate-obsolete-kex - Comments from WG Meeting

Nimrod Aviram <nimrod.aviram@gmail.com> Thu, 28 July 2022 14:41 UTC

From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Thu, 28 Jul 2022 17:41:25 +0300
Message-ID: <CABiKAoSvJqewOs=pqS+ggyWBCasoQYU9GoGMMOq6V4HZqmUH+Q@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ITHoJYlBCF6MAt0k8ChYkeRC4m0>
Subject: [TLS] draft-deprecate-obsolete-kex - Comments from WG Meeting

Hi Everyone,

Thank you for chiming in with comments and suggestions regarding
draft-deprecate-obsolete-kex :-)

I've tried to summarize everyone's comments below, hopefully grouped by
subject.
Apologies in advance if I missed anything (or misspelled names...), please
do reply to this thread :-)

My intent here is only to make sure we have a good record of the comments
made. I hope to follow up soon with a suggested way forward for the draft.

thanks,
Nimrod
===============
Scott Fluhrer: We can only check for group structure if it's a safe prime,
and even for a safe prime it's too expensive. Suggest limiting groups to a
safelist.
Mike Ounsworth: Automated scanning tools routinely flag standardized FFDHE
groups.
Daniel Kahn Gillmor and Thom Wiggers: This is because of the Logjam paper
and precomputation. But they missed that the advice to generate your own DH
params was for 1024-bit parameters for software that didn't support anything
else.
Daniel Kahn Gillmor: Would be good to discourage non-standard groups, while
acknowledging the original argument for non-standard groups and explaining
why it doesn't motivate non-standard groups today.

Viktor Dukhovni: Postfix is far from the only one with non-standardized,
built-in default groups. Even for Postfix there are several groups,
depending on the version. Would be hard to build a list of widespread
groups.
Ben Kaduk: Can we start a registry for safe, widespread groups?

Martin Thomson: We tried using a safelist (that included only 7919 groups?
- Nimrod) but people use weird groups, and we couldn't turn that on.
David Benjamin: Agree, better to turn off FFDHE entirely.
The deployability issue with 7919 is also documented in
https://mailarchive.ietf.org/arch/msg/tls/bAOJD281iGc2HuEVq0uUlpYL2Mo/
https://mailarchive.ietf.org/arch/msg/tls/DzazUXCUZDUpVgBPVHOwatb65dA/

Uri Blumenthal: We should neither recommend nor discourage non-standard
groups. Leave it to each operator to decide for themselves, they likely
know what they're doing.
Jonathan Hoyland and Martin Thomson: The pen-testing comment provides a
counterargument.

Uri Blumenthal: The draft is unnecessarily strict, from both deployment and
security points of view. Examples of stuff that should be retained: RSA,
FFDHE. PQ implications: all the NIST PQC winners and finalists are KEMs,
not KA - aka, similar to RSA rather than DH.
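The two options the comments above contrast are a cheap safelist lookup (Scott Fluhrer, Martin Thomson, David Benjamin) and checking the structure of an arbitrary group, which is only possible for a safe prime and is expensive even then. The following is an added example, not code from the draft or from anyone in the thread, that makes that trade-off concrete. It rebuilds ffdhe2048 from the formula in RFC 7919 Appendix A.1 (p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1) rather than embedding the hex, then classifies a group by safelist lookup first and by safe-prime plus subgroup checks only as a fallback. The function names, the label strings and the small toy groups (p = 23, 13, 15) are mine, constructed for illustration; the other RFC 7919 groups follow the same formula with their own offsets and are left out only to keep the runtime short.

```python
"""Finite-field DH group triage: safelist lookup versus structural checks.
Added example for the draft-deprecate-obsolete-kex discussion; not code from
the draft, RFC 7919, or any thread participant."""
import random
import time

# RFC 7919 Appendix A states each ffdhe prime as a formula:
#   p = 2^bits - 2^(bits-64) + (floor(2^(bits-130) * e) + offset) * 2^64 - 1
# Appendix A.1 gives offset 560316 for ffdhe2048.  Larger groups are omitted
# here only to keep the safe-prime check below fast enough for a demo.


def rfc7919_prime(bits, offset):
    """Rebuild an RFC 7919 prime from its formula with integer arithmetic only.
    e is summed as 2^scale / k! with 64 guard bits; the truncation error of a
    few hundred units is far below 2^64, so the floor is exact."""
    guard = 64
    total, term, k = 0, 1 << (bits - 130 + guard), 0
    while term:
        total += term
        k += 1
        term //= k
    e_floor = total >> guard  # floor(2^(bits-130) * e)
    return (1 << bits) - (1 << (bits - 64)) + (e_floor + offset) * (1 << 64) - 1


FFDHE2048 = rfc7919_prime(2048, 560316)
# Safelist keyed on (p, g): RFC 7919 fixes g = 2 for every ffdhe group.
SAFELIST = {(FFDHE2048, 2): "ffdhe2048"}


def miller_rabin(n, rounds=16):
    """Probabilistic primality test with random bases.  A prime always passes;
    a composite slips through with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def classify_group(p, g, safelist=SAFELIST):
    """Cheap path: exact match against the safelist.  Slow path: the structural
    checks that are only meaningful when p is a safe prime (p = 2q + 1)."""
    if (p, g) in safelist:
        return "safelisted:" + safelist[(p, g)]
    if not miller_rabin(p):
        return "composite"
    q = (p - 1) // 2
    if not miller_rabin(q):
        # Without the factorisation of p-1 the order of g cannot be checked,
        # so small-subgroup structure is unknowable here.
        return "prime-not-safe"
    if not 1 < g < p - 1:
        return "bad-generator"
    if pow(g, q, p) != 1:
        # g has order 2q: the peer learns the parity of our secret exponent.
        return "full-group-generator"
    return "safe-prime"


def validate_peer_share(p, y):
    """Per-handshake check of a received public value on a safe-prime group:
    in range and inside the order-q subgroup.  One full modexp every time,
    which is the cost the thread calls too expensive to do routinely."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def cost_comparison(p, g):
    """Seconds spent on the safelist path versus the structural path."""
    t0 = time.perf_counter()
    classify_group(p, g)
    t1 = time.perf_counter()
    classify_group(p, g, safelist={})
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # Toy groups constructed for illustration: 23 = 2*11+1 is a safe prime,
    # 13 = 2*6+1 is prime but not safe, 15 is composite.
    for p, g in ((FFDHE2048, 2), (23, 2), (23, 5), (13, 2), (15, 2)):
        print(p.bit_length(), "bits, g =", g, "->", classify_group(p, g))
    fast, slow = cost_comparison(FFDHE2048, 2)
    print("safelist lookup %.6fs, safe-prime + subgroup check %.3fs" % (fast, slow))
```

The slow path on ffdhe2048 is dozens of 2048-bit modular exponentiations, the fast path is one dictionary lookup; that gap, and the fact that the slow path tells you nothing useful for a non-safe prime, is the substance of the safelist proposal. The p % 8 == 7 property of the RFC 7919 primes is what makes g = 2 a quadratic residue and hence a generator of the order-q subgroup, which is why the reconstructed group classifies as "safe-prime" even with the safelist disabled.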