Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

Eric Rescorla <ekr@rtfm.com> Sat, 03 May 2014 23:32 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D71DF1A013D for <tls@ietfa.amsl.com>; Sat, 3 May 2014 16:32:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zCRsZXB5ZlqX for <tls@ietfa.amsl.com>; Sat, 3 May 2014 16:32:39 -0700 (PDT)
Received: from mail-wg0-f52.google.com (mail-wg0-f52.google.com [74.125.82.52]) by ietfa.amsl.com (Postfix) with ESMTP id 7AE551A013B for <tls@ietf.org>; Sat, 3 May 2014 16:32:39 -0700 (PDT)
Received: by mail-wg0-f52.google.com with SMTP id l18so5125323wgh.35 for <tls@ietf.org>; Sat, 03 May 2014 16:32:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=cAWqGYdFAnpymgbzl71dNRxxe1niXd647sMP0QgMaT4=; b=iVYIQG3ZBdFpiDnM41wZ+JVTajneqh75ZqLSBQsIGqWmVEHDg8Y8KjHo1Ykhf6qX5E nON+yX4c+ff+X7myDKe4/RfAA54ZCWwtRslzMlA6Rljz2aiyjApZxQzNYKvMnW4qpze1 9uk7kS/O7Ru3AU8zcQ/LdbPfipWFMMgBQgT/3GwVhCINIkrL82J7LoExIdieg/hECxEb kVr83UaMz0EeVANGLm++YPSMjyITJPpoOzRsJDes/ExUbclaaSsW25OHBv7pPJHWdYgw 8pnP1X3ai6mR2cZh0JRj3IeGnQVVTVs1/AsK4/GJ2tHIs3x8eMgD14jlAlrG98wlv1/Z inIw==
X-Gm-Message-State: ALoCoQl+oyc+O+MkVjTO9ioXybnla/3Ftz+uj4ylHzH1rQGvWla0sq8Ah0p7+PuCXZBoLKsmh11U
X-Received: by 10.194.90.107 with SMTP id bv11mr20234006wjb.11.1399159956225; Sat, 03 May 2014 16:32:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Sat, 3 May 2014 16:31:56 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <277ABA2E-FA8C-4927-9522-06E8907C28EB@cisco.com>
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <277ABA2E-FA8C-4927-9522-06E8907C28EB@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 03 May 2014 16:31:56 -0700
Message-ID: <CABcZeBOb-ym7+TrRmfasuyJJ6BVNbQB96jqqBOGZr+YPG-NBWA@mail.gmail.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Content-Type: multipart/alternative; boundary="047d7beb9ec02cd52b04f887503d"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M5PM-I11b7aWFKCQk-FsBteLNzY
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 May 2014 23:32:42 -0000

The following pull request is intended to execute this change:

https://github.com/tlswg/tls13-spec/pull/37

I'll merge it in on Tuesday. Please let me know before then if
this seems substantially wrong. As usual, minor editorial issues
can be done by pull requests.

Note that we also need to determine a new MTI cipher suite
(https://github.com/tlswg/tls13-spec/issues/32) since the
previous one uses static RSA. I've left that as a TODO for now.

-Ekr








On Sat, Apr 26, 2014 at 8:24 AM, Joseph Salowey (jsalowey) <
jsalowey@cisco.com> wrote:

> The discussion on this list and others supports the consensus in IETF 89
> to remove RSA key transport cipher suites from TLS 1.3.  The Editor is
> requested to make the appropriate changes to the draft on github.
>
> More discussion is needed on both DH and ECDH are used going forward and
> on if standard DHE parameters will be specified.
>
> Joe
> [For the chairs]
> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <
> jsalowey@cisco.com> wrote:
>
> > TLS has had cipher suites based on RSA key transport (aka "static RSA",
> TLS_RSA_WITH_*) since the days of SSL 2.0.   These cipher suites have
> several drawbacks including lack of PFS, pre-master secret contributed only
> by the client, and the general weakening of RSA over time.  It would make
> the security analysis simpler to remove this option from TLS 1.3.  RSA
> certificates would still be allowed, but the key establishment would be via
> DHE or ECDHE.  The consensus in the room at IETF-89 was to remove RSA key
> transport from TLS 1.3.  If you have concerns about this decision please
> respond on the TLS list by April 11, 2014.
> >
> > Thanks,
> >
> > Joe
> > [Speaking for the TLS chairs]
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>