Re: [TLS] DHE key derivation

Daniel Kahn Gillmor, Fri, 27 September 2013 15:40 UTC


On 09/27/2013 11:21 AM, Michael D'Errico wrote:
> In DHE_RSA, RSA is used in signature mode to sign the DH parameters.
> It is not recommended to use the same RSA key for both signing and
> key encipherment.

I hear this recommendation a lot, and I think it makes sense, but I'm
wondering if there is a "canonical" reference for it.  It seems to be
violated far more often than it is honored.

There are many RSA X.509 certificates in use on the web today that
indicate both "key encipherment" and "digital signatures" in their
X.509v3 "key usage" extensions.

Just picking a random example (not trying to name-and-shame, since this
practice is so widespread), the 2048-bit RSA end-entity key used on port
443 of is marked in its certificate with both key usages, and is
used regardless of whether you negotiate a DHE cipher suite or a non-PFS

Do we need to address this as well, perhaps by encouraging server
operators to use distinct keys/certificates depending on whether the
negotiated cipher suite is PFS or not?
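The dual-usage certificate the message describes can be reproduced and checked locally. The script below is an added example, not code from the post or from the IETF TLS working group: it mints two self-signed RSA certificates with openssl (one marked digitalSignature and keyEncipherment, the other digitalSignature only), reads back the X509v3 Key Usage extension, and reports whether a certificate carries both the bit DHE_RSA needs (Digital Signature, for signing the ServerKeyExchange) and the bit RSA key exchange needs (Key Encipherment, for the encrypted premaster secret). The helper names, the subject name and the temporary files are constructed for this illustration; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): mint RSA certificates with
# chosen keyUsage bits and check whether one key is advertised for both
# signing and key encipherment. Helper names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT.pem "keyUsage,list": self-signed RSA-2048 cert whose
# keyUsage extension is taken from a minimal openssl config section.
make_cert() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = dhe-keyusage-example.invalid
[v3]
keyUsage = critical,$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/key.pem" -out "$1" \
    -config "$WORK/req.cnf" -extensions v3 >/dev/null 2>&1
}

# key_usage CERT.pem: print the usage names openssl decodes from the
# X509v3 Key Usage extension, e.g. "Digital Signature, Key Encipherment".
key_usage() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Key Usage' | tail -n1 | sed 's/^ *//'
}

# dual_use CERT.pem: succeed (exit 0) when the certificate advertises both
# Digital Signature (DHE_RSA signs with it) and Key Encipherment (RSA key
# exchange encrypts the premaster secret to it), i.e. the pattern the post
# observes; fail (exit 1) when the key is limited to one role.
dual_use() {
  u=$(key_usage "$1")
  case "$u" in
    *"Digital Signature"*"Key Encipherment"*) return 0 ;;
    *"Key Encipherment"*"Digital Signature"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo: the dual-usage certificate beside a signing-only one.
make_cert "$WORK/both.pem" "digitalSignature,keyEncipherment"
make_cert "$WORK/sig.pem"  "digitalSignature"
for c in both sig; do
  if dual_use "$WORK/$c.pem"; then verdict="signing AND key encipherment"
  else verdict="single role"; fi
  printf '%s.pem: %s -> %s\n' "$c" "$(key_usage "$WORK/$c.pem")" "$verdict"
done
```

To run the same check against a live server instead of a minted certificate, feed `key_usage` the leaf certificate obtained with `openssl s_client -connect host:443 -showcerts`; a server that serves one dual-usage certificate for both DHE and RSA key-exchange suites will show "Digital Signature, Key Encipherment" regardless of which suite was negotiated.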