Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 21 September 2013 21:43 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B50611E81A3 for <tls@ietfa.amsl.com>; Sat, 21 Sep 2013 14:43:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.952
X-Spam-Level:
X-Spam-Status: No, score=-100.952 tagged_above=-999 required=5 tests=[AWL=-1.704, BAYES_00=-2.599, MANGLED_TOOL=2.3, MIME_8BIT_HEADER=0.3, SARE_OBFU_ALL=0.751, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id al3H2LtRfQXd for <tls@ietfa.amsl.com>; Sat, 21 Sep 2013 14:43:51 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 8A77F11E81A1 for <tls@ietf.org>; Sat, 21 Sep 2013 14:43:41 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id hj3so914500wib.0 for <tls@ietf.org>; Sat, 21 Sep 2013 14:43:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=KPOax2zguS+PPEpNpMoR5dQiHgYTWkG9sXzZ8UXhbMU=; b=B6Pl5lh4F1gz8uKkTUNf+nNYfF28TW4ahVub+7T6tUaD2TV1eMmqL362hO16sNWOp2 Pyq7wohi1cTwNCQxAVrXE3V4aYMQZCIfF2kt71RdAhWBiPeyanlPy7268pdvi77R13PD pbsP8137JCjfv90b9i+qSfsWpvvpQy8ED4pH4QsnJc/4yok9+4JM9dcIDutrMC2voWCc KPt8pxg13lrN4EqcXAhotSvIIj/Hlnwr9a1JS3sTlZZYp60a4cSfznb1Pl8Nuk4ICjPG lcD0i6g76uvGh8FxToMPXmD6hrQZuj7wXeywz304X+5e284ZxuKhmD0Al7sc4XT8tb6j krkw==
X-Received: by 10.194.110.138 with SMTP id ia10mr11387793wjb.3.1379799818359; Sat, 21 Sep 2013 14:43:38 -0700 (PDT)
Received: from [10.0.0.8] ([109.64.175.213]) by mx.google.com with ESMTPSA id i8sm14709513wiy.6.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 21 Sep 2013 14:43:37 -0700 (PDT)
Message-ID: <523E1308.2010501@gmail.com>
Date: Sun, 22 Sep 2013 00:43:36 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: Michael Ströder <michael@stroeder.com>, james hughes <hughejp@mac.com>
References: <9A043F3CF02CD34C8E74AC1594475C735567407D@uxcn10-6.UoA.auckland.ac.nz> <A3161699-0975-403C-B9C1-8BE548062949@mac.com> <523DA10F.7010308@stroeder.com>
In-Reply-To: <523DA10F.7010308@stroeder.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2013 21:43:52 -0000

Hi James, Michael,

please read the section we just added to -01, 
http://tools.ietf.org/html/draft-sheffer-tls-bcp-01#section-4.4. In 
particular the last sentence.

Thanks,
	Yaron

On 09/21/2013 04:37 PM, Michael Ströder wrote:
> james hughes wrote:
>>
>> On Sep 19, 2013, at 2:56 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>
>>> "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> writes:
>>>
>>>> I personally think that for *ephemeral* DH even 1024 bits still is enough.
>>>> And would *much* prefer having PFS now with individual session keys at
>>>> somewhat greater risk, over a system that is very secure and completely
>>>> useless because nobody bothered to deploy it.
>>>
>>> Exactly.  We don't need theoretically perfect security in ten years when we've
>>> finished arguing about it and have upgraded every system on the planet to
>>> support it, we just need good enough right now.  That's DH-1024, and when we
>>> have that turned on everywhere we've got some breathing space to worry about
>>> what to do next.
>>
>>
>> "theoretically perfect security in ten years", really? You think that 1024
>> is "good enough"? I do not know a single reputable source that says 1024
>> bit is "secure" (outside the people on this list). Not even NIST. If you
>> are going to step forward for PFS, do it right. Raise the D-H key size to
>> 2048. 2048 bit is required now and will give you security for only 7 years
>> (Thank you France).
>
> I personally would prefer D-H key size 2048 bit everywhere and I don't worry
> about performance. (Did you ever notice that most SSL/TLS connections are
> going to ad servers?)
>
> But the problem in the context of draft-sheffer-tls-bcp is that existing
> implementations do not support D-H key size of 2048 bits. And the author(s) of
> this draft take this fact to rule out DH completely and recommend EC-based
> cipher suites. IMHO ECs seem to be a can of worms. I don't trust those
> complicated cipher suites.
>
> Ciao, Michael.
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>