Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 30 July 2021 05:14 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BD203A1BD4 for <tls@ietfa.amsl.com>; Thu, 29 Jul 2021 22:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aO77dJcKulwq for <tls@ietfa.amsl.com>; Thu, 29 Jul 2021 22:14:17 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [180.189.28.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D50353A1BCF for <tls@ietf.org>; Thu, 29 Jul 2021 22:14:16 -0700 (PDT)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01lp2168.outbound.protection.outlook.com [104.47.71.168]) (Using TLS) by relay.mimecast.com with ESMTP id au-mta-69-UQQpZz_0MrWbvJtk9wSk4Q-1; Fri, 30 Jul 2021 15:14:12 +1000
X-MC-Unique: UQQpZz_0MrWbvJtk9wSk4Q-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by SY4PR01MB6654.ausprd01.prod.outlook.com (2603:10c6:10:135::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.18; Fri, 30 Jul 2021 05:14:08 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::98a4:33de:1d06:e141]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::98a4:33de:1d06:e141%3]) with mapi id 15.20.4373.023; Fri, 30 Jul 2021 05:14:08 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
Thread-Index: AQHXhNw9hZMv7zd4Dke27Husna/eB6ta+Zes
Date: Fri, 30 Jul 2021 05:14:08 +0000
Message-ID: <SY4PR01MB6251677071C9EDF4E5149616EEEC9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <CAOgPGoARpxr8-FzYJPRcup9XF-DRv875aAnuNZtoLPHM9-6j-w@mail.gmail.com> <4c0aafd3-fc8f-453a-a009-44ecc18dafd7@www.fastmail.com>, <YQNLizvBb/xZyxkl@straasha.imrryr.org>
In-Reply-To: <YQNLizvBb/xZyxkl@straasha.imrryr.org>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d25f94a6-ff72-4fed-a589-08d95318dc11
x-ms-traffictypediagnostic: SY4PR01MB6654:
x-microsoft-antispam-prvs: <SY4PR01MB665458BAE9EF4DC0990C28F5EEEC9@SY4PR01MB6654.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: 6Efo4XMYt8kTqUavH9Rt0MuUAWDkA6txhbjeKVoqdBiZb71IYDfZ76OLLKJP1ubaaM3Ol7iQdXto93rrAUavRzkm9VmO4fde58T9SBLU0gCiJGpRdI+NazNomfiPFP7sJv8wp8flBL1sVyy5mQPEcGCMTCnG7xBFb1AZwZhNtB5YhMNk/A0LllawTcIxQB8/nSHkIskeQLmQ7NIbYSW1EZOZxD04VFjMs67ZwtjPhLYX+LzTPNP6QL9qbCsNPYzLoGKHL3g88F8axyrTG5VluI2exDgeqlTcHNd8UQidk4L5kTA136jpqHeB0zrUW+FhKM46t/xORWO1t50cIHiJSrQ0mx0czC4IptDsZUL8E2KvIgOibVZBEIXArkMXIkGWcqw8RIqY0MF78lZ4RHp3RX3IrNA4KdE214+KR41XK6WyJBjuNAObnowexLWnqG0oJknuowzCyd5zVmVnLpF5+gNhLU8DgyYFUpPNrl6yHj/RoIvcnIZ5Ou+brJDqscbkGpPH4Kf2On+A3kb5NVARJa+xGIFfSlh0qEfQ/xkvLjC9XYJvgmdxe+FrFAtd1XuWq6hPgUDIwXp4QRAsWgM5AqXi0wkw5f5Vylg8ykHg4Be7DQrlKnj7w+Srzq9IC0Hx
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(376002)(39860400002)(136003)(396003)(366004)(71200400001)(316002)(786003)(186003)(478600001)(55016002)(52536014)(9686003)(8676002)(26005)(38070700005)(6916009)(2906002)(86362001)(66946007)(6506007)(5660300002)(64756008)(38100700002)(33656002)(8936002)(122000001)(76116006)(4744005)(66556008)(66446008)(66476007)(7696005); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: dDhsAFvTuzZ9z4j9woY+6xrZ4MpEhRqkA85PGwPGIBINQdb4HL3w3wbw4UqCEWOLJkEfOyz2//ynK0NZswddOlkbSbykLL3c9eYzt3pfhy/3tEHw+IrgY8gx8fcFe25iMwXPywNHVVa0fzo0X4wfN79I+b/QFKsQr0MieQFLRL1v/C7MwdC7ql+Kgzdrub8TPtCts5fu0iEcjgcVCe5COaCnf5RoeupSE/UiATY5X5WGULNHD0UMp/ma8jxyKPy9didiY6Tvbm9xZhmzCLQmFzAeBTE4NVVO36/aOU61VarlwC+mKhtAi692BXUe8BKoOn/OdVTYuVXIZ90kESXIyIbG7m0k7ILOV7Jb3zUIdLYvGDp1uepjkYFwh5CdI6Fs+VHB2wxuWINe8gI9FjIMrSm/unzMhWecpaanqZecIpdJlvr+g1pjf4U6tYUAwBWC87mth+sLeGLmNNW+ZWEBeZWqFkMHhH1qozyg86YklKtYRMqFGkoNATqY4i0pQoVu/Dua4A+yrqnFHfxhDL/jAbyPI7YDk0unxnPrZmkDUdVOaYnf7b3QutnEvg8bkqYxtb1oya20YZDaV1bmUILoegv6WomyOjpBXTiEX4A9CBH293zGsRmPefpQH1jUrEEj77PFWJlICg/V842szvOPOakxl3eKrO0wzzqXTK9zMho+UjV//vr4eQv64AY4xpPbkZNx/sOX4P0kPVc3iEdsvw==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d25f94a6-ff72-4fed-a589-08d95318dc11
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jul 2021 05:14:08.3083 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: P+4jYBwRifpkYmiGfYonDT21He/43T4OHYXw2dNX40n5T349bSk/UKgQVa9mj51kHWS7qqDgJzjlaGd9987Mw7zwNVaDXMQUqTvxXkSXfgo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY4PR01MB6654
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Nirp5TOZuQzlSN53Mk-_Clull1g>
Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 05:14:22 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

>The only other alternative is to define brand new TLS 1.2 FFDHE cipher code
>points that use negotiated groups from the group list.  But it is far from
>clear that this is worth doing given that we now have ECDHE, X25519 and X448.

There's still an awful lot of SCADA gear that does FFDHE, and that's never
going to change from that.  The current draft as it stands is fine, in fact it
seems kinda redundant since all it's saying is "don't do things that you
should never have been doing in the first place", but I assume someone needs
to explicitly say that.  No need to go beyond that.

Peter.