Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 01 August 2021 11:42 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MElP024DoIJZHucSKtEEZiQN1Pk>
Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

>OK, who goes around bothering to actually generate custom DH parameters, and
>with what tools, but then does not use a "strong" (Sophie Germain) prime?

That's better :-). That was my thought too, every DH/DLP keygen I've seen
generates either Sophie Germain or FIPS 186 primes/parameters, so on the off
chance that your server feels like generating custom primes you'd need to go
out of your way to generate unsuitable ones, i.e. you'd probably need to write
custom code specifically for bad prime generation, and if you're going to do
that then all bets are off anyway.

Peter.
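
Added example, not part of the original message or of any tool mentioned in the thread: a check that classifies DH parameters as built on a Sophie Germain (safe) prime, on a FIPS 186-style prime with a stated subgroup order q, or as neither. The function names, result labels and toy sample values are assumptions constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; error probability is at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # a proves n composite
    return True

def classify_dh_group(p, g, q=None):
    """Classify DH parameters (p, g) with an optional subgroup order q."""
    if not is_probable_prime(p):
        return "not-prime"
    if not 1 < g < p - 1:
        return "unsuitable"                    # g is 0, 1, p-1 or out of range
    if is_probable_prime((p - 1) // 2):
        return "safe-prime"                    # p = 2q' + 1 with q' prime
    # FIPS 186 style: prime q divides p-1 and g lies in the order-q subgroup
    if q and (p - 1) % q == 0 and is_probable_prime(q) and pow(g, q, p) == 1:
        return "fips186-style"
    return "unsuitable"                        # subgroup structure not verifiable

# Constructed toy parameters (far too small for real use)
SAMPLES = {
    "safe prime 23":      (23, 2, None),
    "67 with q=11, g=64": (67, 64, 11),
    "67 without q":       (67, 2, None),
    "composite 91":       (91, 2, None),
}

if __name__ == "__main__":
    for name, (p, g, q) in SAMPLES.items():
        print(f"{name}: {classify_dh_group(p, g, q)}")
```

A prime p that is not a safe prime and arrives without a verifiable q falls through to "unsuitable", because the order of the subgroup generated by g cannot be confirmed from p and g alone.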