Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05

Daniel Kahn Gillmor <> Sun, 01 March 2015 12:02 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 260C71A88A4 for <>; Sun, 1 Mar 2015 04:02:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DcqhhDmHpF7l for <>; Sun, 1 Mar 2015 04:02:24 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A77F21A88A3 for <>; Sun, 1 Mar 2015 04:02:24 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTPSA id 50368F984; Sun, 1 Mar 2015 07:02:22 -0500 (EST)
Received: by (Postfix, from userid 1000) id 526091FFDD; Sun, 1 Mar 2015 13:02:22 +0100 (CET)
From: Daniel Kahn Gillmor <>
To: Sean Turner <>, " (" <>
In-Reply-To: <>
References: <> <>
User-Agent: Notmuch/0.18.2 ( Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Sun, 01 Mar 2015 13:02:22 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 Mar 2015 12:02:26 -0000

On Wed 2015-02-18 13:12:33 +0100, Sean Turner wrote:
> The WGLC has concluded.  dkg noted he’d received some comments
> off-list and Watson provide some input.  We’ll need a new version to
> review the changes to see if it should be progressed or whether
> another WGLC is needed.  I’ve updated the datatracker to reflect the
> new state.
> dkg,
> Any chance of another version before the 2015-03-09 draft submission deadline?

I've just submitted -06.  The changes from -05 are:

 * re-added 6144, at the request of Niels Ferguson, who wanted a
   smoother ramp-up for people who want to increase adversarial work

 * made the recommended minimum exponent size more conservative,
   referencing NIST strength estimates.

 * added a "private use" sub-range within the ffdhe range for
   organizations that want to use their own pre-selected groups.

 * adjusted the false-start guidance slightly.  I agree with Brian Smith
   that this guidance really does belong in the false-start draft
   itself, but given that it is not there yet, i've left it here.  I
   don't think there will be a problem if the false-start draft simply
   repeats the same guidance.

I did not change the "special form" of the groups.

In particular, i left the leading and trailing bits set to 1 for more
efficient reduction, since that is used in practice.  There appear to be
no published attacks against this form (and it is widely used elsewhere,
so it should be an attractive target for research), and the concerns i
heard were that maybe the group strength could be weakened by the number
of bits held constant this way (128 bits, in this case).  For people who
have this concern, i recommend that they select a slightly larger group,
which should more than offset this difference.