Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
Nimrod Aviram <nimrod.aviram@gmail.com> Sun, 01 August 2021 11:27 UTC
Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A9443A3779 for <tls@ietfa.amsl.com>; Sun, 1 Aug 2021 04:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDJt2Unzy-gK for <tls@ietfa.amsl.com>; Sun, 1 Aug 2021 04:27:36 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57F0A3A3776 for <tls@ietf.org>; Sun, 1 Aug 2021 04:27:36 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id t66so14087320qkb.0 for <tls@ietf.org>; Sun, 01 Aug 2021 04:27:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=uT7Zx7wqqHxj1tZuCgyUjagBZLSDXGF34Sq+n+XFOJw=; b=UinzGlgaw1/ikRVQHd4B+l204aS2jYsdE7suqR4zsi0mpSTdgYUjXnf8oNGDPbdCDP 3KOL9u9AAn0nTxc2zcJtrO5UILuMtjVWsXSRleivFXIAZQpVjIJZribszXnUELwOau5y qMYZPiiI0XXdPKL7U8Bd5ui2JDqkOnJK0FHBbSjxnITcdFLyNSs4Sv079MWN14MPYvUt pD3L9bCOflEkGR1xansJcQoXm4rgNsVIPW5q/5f6M1JigiU0aUHdmCWZf/+nK2Bm6g/E uAaY/q9rSeHRWpEokDWsNGu8ps755ZsfC8/bPJct+T0KuDSZ34EfHjmPCE809PqLHnMU BFaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=uT7Zx7wqqHxj1tZuCgyUjagBZLSDXGF34Sq+n+XFOJw=; b=kbVe4cUmizczrOEkgmUXHrdeDEt+2zUeS3Y/bVb2J4CPfzaYtEYioHZ9BjRMF/+EgV nYCcSHsRll6+ylPEzL1y6sCSjy7TNHZgNEPK54QU1o6gGUzjCIeXoB6VOYDJtU2MYe4S X5WyiktrDD7Z3p2zKu1QTpMYXRgd7Arl3XF3fyWl9E6zEYFKrxx5VGwtod/A8tcQrch1 aE3NGuUj/xr4GlCKHlstA0xPhgLB8ui8pwDN3tgJeV/u6VIjmG/gEeHDeAPbxPnVbNYl 7o7XQQANSaSS7Ve5aKFjj6xhh/UBCgCWxxRvoZ0anXLWZQRbd5YaZljSaSsYRMQhHCLG wpVw==
X-Gm-Message-State: AOAM531ysv8hykptMJa3KLH/WLZdYnZiOKHlGUu54OSvmkSzSGYuwH+S n/zHB3JGxXGXI5mVgFCd6aknqv5J/eKUUE0KNw0372Et0wuXtg==
X-Google-Smtp-Source: ABdhPJx0Lt5FulSrWn04VTuMFVqS7yFDhaqV+89rclI3Ic7XvLb24JD1Nbn2S2vUQCRpAmI9DqkRm0wJYOX8vV9Q/nA=
X-Received: by 2002:a37:a78d:: with SMTP id q135mr10749178qke.192.1627817253615; Sun, 01 Aug 2021 04:27:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoARpxr8-FzYJPRcup9XF-DRv875aAnuNZtoLPHM9-6j-w@mail.gmail.com> <4c0aafd3-fc8f-453a-a009-44ecc18dafd7@www.fastmail.com> <YQNLizvBb/xZyxkl@straasha.imrryr.org> <SY4PR01MB6251677071C9EDF4E5149616EEEC9@SY4PR01MB6251.ausprd01.prod.outlook.com> <YQRLcoKm/+lVGwfv@straasha.imrryr.org> <BL3PR11MB5682F0455884BAC742324DD8C1EC9@BL3PR11MB5682.namprd11.prod.outlook.com> <YQRXGUZ/J7YZpzVv@straasha.imrryr.org> <SY4PR01MB6251775C9FD86B52BF71064CEEED9@SY4PR01MB6251.ausprd01.prod.outlook.com> <YQV2Q5S0iF5bHCms@straasha.imrryr.org>
In-Reply-To: <YQV2Q5S0iF5bHCms@straasha.imrryr.org>
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Sun, 01 Aug 2021 14:27:22 +0300
Message-ID: <CABiKAoR5U2i4izZmaWYyRXP5PbrAvRuQUAwAJTm+YbLBeO+T5g@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000293b7105c87dbd2d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SdQSxOqpl69ojabod-49KdVbJtQ>
Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Aug 2021 11:27:42 -0000
Looks like we have consensus for the following: - Clients may choose to not support FFDHE, a la Chrome. I don't see consensus for full deprecation of FFDHE, please correct me if I'm wrong. - Clients must not connect when the server uses a group of less than 2048 bits. - Clients may connect when the server uses a well-known, safe prime group of at least 2048 bits (well-known might mean "from RFC 7919 plus the built-in Postfix group", or other reasonable definitions). - Clients may connect when the server uses a custom safe prime group of at least 2048 bits, if the client verifies that the prime is safe. The only point where we don't have consensus seems to be: - For clients who choose to support FFDHE, when the server uses a custom group of at least 2048 bits, and the client isn't willing to check safe-primality, what should the client do? (This only applies when FFDHE is chosen in practice, rather than ECDHE.) My personal opinion is that both options - either allowing or forbidding the client to connect - would be reasonable here. Perhaps it'd be best to leave this specific point to the next WG meeting? We can still make progress on the document in the meanwhile. I'll also ask around if we can get some metrics, in general and specifically pertaining to that last point. thanks again everyone, Nimrod ---------- Forwarded message --------- From: Viktor Dukhovni <ietf-dane@dukhovni.org> Date: Sat, 31 Jul 2021 at 19:12 Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS To: <tls@ietf.org> On Sat, Jul 31, 2021 at 12:57:39PM +0000, Peter Gutmann wrote: > Viktor Dukhovni <ietf-dane@dukhovni.org> writes: > > >I strongly doubt there's a non-negligible server population with weak locally > >generated groups. > > Would you care to rephrase that so we can make sure you're saying what we > think you're saying in order to disagree with it? OK, who goes around bothering to actually generate custom DH parameters, and with what tools, but then does not use a "strong" (Sophie Germain) prime? The only weakness I expect to encounter is a deprecated size of e.g. 512, 768 or 1024 bits. Clients can easily detect that and enforce a floor, but of course still don't get to negotiate a minimum. Clients also don't get to negotiate the size of the server's RSA public key, or as you mentioned various other ways for the server to not screw up. -- Viktor. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Adoption call for Deprecating Obsolete Key … Joseph Salowey
- Re: [TLS] Adoption call for Deprecating Obsolete … Salz, Rich
- Re: [TLS] Adoption call for Deprecating Obsolete … Martin Thomson
- Re: [TLS] Adoption call for Deprecating Obsolete … Viktor Dukhovni
- Re: [TLS] Adoption call for Deprecating Obsolete … Peter Gutmann
- Re: [TLS] Adoption call for Deprecating Obsolete … Viktor Dukhovni
- Re: [TLS] Adoption call for Deprecating Obsolete … Scott Fluhrer (sfluhrer)
- Re: [TLS] Adoption call for Deprecating Obsolete … Viktor Dukhovni
- Re: [TLS] Adoption call for Deprecating Obsolete … Peter Gutmann
- Re: [TLS] Adoption call for Deprecating Obsolete … Peter Gutmann
- Re: [TLS] Adoption call for Deprecating Obsolete … Peter Gutmann
- Re: [TLS] Adoption call for Deprecating Obsolete … Viktor Dukhovni
- Re: [TLS] Adoption call for Deprecating Obsolete … Nimrod Aviram
- Re: [TLS] Adoption call for Deprecating Obsolete … Peter Gutmann
- Re: [TLS] Adoption call for Deprecating Obsolete … Viktor Dukhovni
- Re: [TLS] Adoption call for Deprecating Obsolete … Peter Gutmann
- Re: [TLS] Adoption call for Deprecating Obsolete … Carrick Bartle
- Re: [TLS] Adoption call for Deprecating Obsolete … Ilari Liusvaara
- Re: [TLS] Adoption call for Deprecating Obsolete … Carrick Bartle
- Re: [TLS] Adoption call for Deprecating Obsolete … Loganaden Velvindron
- Re: [TLS] Adoption call for Deprecating Obsolete … David Schinazi
- Re: [TLS] Adoption call for Deprecating Obsolete … Joseph Salowey