RE: [TLS] Re: TLS 1.2 draft
<Pasi.Eronen@nokia.com> Wed, 07 March 2007 15:26 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOy2F-0001uk-VF; Wed, 07 Mar 2007 10:26:35 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOy2F-0001tn-3h for tls@ietf.org; Wed, 07 Mar 2007 10:26:35 -0500
Received: from smtp.nokia.com ([131.228.20.173] helo=mgw-ext14.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOy2D-0001Ec-J7 for tls@ietf.org; Wed, 07 Mar 2007 10:26:35 -0500
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-ext14.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l27FQUlQ007918; Wed, 7 Mar 2007 17:26:31 +0200
Received: from esebh103.NOE.Nokia.com ([172.21.143.33]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 7 Mar 2007 17:26:26 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh103.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 7 Mar 2007 17:26:25 +0200
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Re: TLS 1.2 draft
Date: Wed, 07 Mar 2007 17:26:25 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2403DB5DDF@esebe105.NOE.Nokia.com>
In-Reply-To: <87vehdl6rn.fsf@latte.josefsson.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Re: TLS 1.2 draft
Thread-Index: AcdgnudGDFrOrLnuQ7m7VZanLCCf4wAJWvzg
References: <200703061740.SAA00305@uw1048.wdf.sap.corp><86irdetgcx.fsf@raman.networkresonance.com> <87vehdl6rn.fsf@latte.josefsson.org>
From: Pasi.Eronen@nokia.com
To: simon@josefsson.org, tls@ietf.org
X-OriginalArrivalTime: 07 Mar 2007 15:26:25.0998 (UTC) FILETIME=[F85FEEE0:01C760CC]
X-eXpurgate-Category: 1/0
X-eXpurgate-ID: 149371::070307172631-19C78BB0-5E97B95E/0-0/0-1
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Simon Josefsson wrote: > Generating a fresh DH ephemeral with each key exchange would > deplete the entropy in many RNG's. The normal RSA ciphersuites require far more bytes from PRNG for each key exchange (although only on the client side), and I haven't heard that this would be a significant problem. <snip> > I can't find an appropriate section, but section 8.1.2 seems as good > as any, so I suggest adding this to the end of it: > > When ephemeral DH parameters are needed, they SHOULD be > re-freshed with some interval appropriate for the local > environment. This MAY be for each new key exchange, but MAY also > be each day, week or month. > > That's quite fuzzy, but I'm not sure there are any good > recommendations on this. In GnuTLS, I think we recommend to change > the DH ephemeral somewhere around each day or week. Considering that generating fresh DH private value costs about the same as one TLS handshake with DHE, I'd say even a day would be a very large interval. IKEv2 took the view that since this doesn't affect interoperability, there's no need to mandate anything in the spec (RFC 4306, Section 2.12). However, maybe some guidance would be helpful (especially if there really are implementations that store the "ephemeral" DH key in a file!). Earlier, I also suggested that we should recommend *against* generating new DH domain parameters: http://www1.tools.ietf.org/wg/tls/trac/ticket/35 Eric responded that this is not specific to TLS, and could be a separate document. That's of course true, but currently we don't have any normative dependency to documents that explain how to do DH securely. And I do agree with the sentiment expressed in IETF67's SAAG presentation that RFCs should include advice on how to implement them securely (especially for things that people earlier have gotten wrong). Best regards, Pasi _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 draft EKR
- Re: [TLS] TLS 1.2 draft Nelson B Bolyard
- Re: [TLS] TLS 1.2 draft EKR
- Re: [TLS] TLS 1.2 draft Nelson B Bolyard
- [TLS] Re: TLS 1.2 draft Simon Josefsson
- RE: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… Pasi.Eronen
- Re: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… Mike
- Re: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… EKR
- Re: [TLS] Re: TLS 1.2 draft Wan-Teh Chang
- Re: [TLS] TLS 1.2 draft Martin Rex
- Re: [TLS] TLS 1.2 draft EKR
- Re: [TLS] TLS 1.2 draft Martin Rex
- Re: [TLS] TLS 1.2 draft Eric Rescorla
- Re: [TLS] TLS 1.2 draft Dr Stephen Henson
- Re: [TLS] Re: TLS 1.2 draft Dr Stephen Henson
- [TLS] Re: TLS 1.2 draft Simon Josefsson
- Re: [TLS] Re: TLS 1.2 draft Steven M. Bellovin
- RE: [TLS] TLS 1.2 draft Pasi.Eronen
- RE: [TLS] Re: TLS 1.2 draft Pasi.Eronen
- Re: [TLS] Re: TLS 1.2 draft Martin Rex
- RE: [TLS] Re: TLS 1.2 draft Pasi.Eronen
- RE: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… Pasi.Eronen
- Re: [TLS] Re: TLS 1.2 draft Wan-Teh Chang
- [TLS] Re: TLS 1.2 draft EKR