Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 12 November 2018 13:57 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45220127333 for <tls@ietfa.amsl.com>; Mon, 12 Nov 2018 05:57:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7bmfVa2FzFB for <tls@ietfa.amsl.com>; Mon, 12 Nov 2018 05:57:04 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44A6C1274D0 for <tls@ietf.org>; Mon, 12 Nov 2018 05:57:04 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 76DDD30AFCF for <tls@ietf.org>; Mon, 12 Nov 2018 08:57:02 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <140080C241BAA1419B58F093108F9EDC58549B47@UK-MAL-MBOX-01.dyson.global.corp>
Date: Mon, 12 Nov 2018 08:57:01 -0500
Content-Transfer-Encoding: 7bit
Reply-To: "<tls@ietf.org>" <tls@ietf.org>
Message-Id: <8DE8B5EA-C5DD-4C7F-A2EE-15C1EED45DBA@dukhovni.org>
References: <79CF87E7-E263-4457-865E-F7BE8251C506@dukhovni.org> <m236seg80v.fsf@localhost.localdomain> <DE213706-285A-4FF4-BA25-3DFC69966BE6@dukhovni.org> <m2y3a4ebau.fsf@localhost.localdomain> <FF305E4A-B304-4C72-9D70-0D65116DD8B9@dukhovni.org> <F04642CF-132E-48EF-B17F-36CC57F245FC@ll.mit.edu> <1541716036588.29769@cs.auckland.ac.nz> <62FC16EB-9567-408E-B3A1-62B868F5A2BB@dukhovni.org> <1541744362984.15559@cs.auckland.ac.nz> <82B55ED0-06D5-416F-8EBE-CCA4808CC32D@dukhovni.org> <140080C241BAA1419B58F093108F9EDC58549B47@UK-MAL-MBOX-01.dyson.global.corp>
To: "<tls@ietf.org>" <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TdTFe6b3vL6zK9NEIauGZaySzog>
Subject: Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2018 13:57:06 -0000

> On Nov 12, 2018, at 4:45 AM, Tony Putman <Tony.Putman@dyson.com> wrote:
> 
> Can you please explain to me the problem with (EC)DH ciphers? If it's the
> lack of forward secrecy, then I understand. If there are other problems, 
> then I would be keen to understand them.

As much as it was lack of forward-secrecy, it was unnecessary bloat.
Few if any users actually needed these, and they did not get used.

The question is not so much what problem they introduced, but rather
what problem they were supposed to solve, and whether that problem
warranted the added complexity in the protocol.  I think we've had
the answer for some time now...

-- 
	Viktor.