Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt

Dave Garrett <davemgarrett@gmail.com> Wed, 03 June 2015 17:23 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C09391ACDB6 for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 10:23:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyVnrx78ixp2 for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 10:23:40 -0700 (PDT)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4352E1ACC8C for <tls@ietf.org>; Wed, 3 Jun 2015 10:23:40 -0700 (PDT)
Received: by qgep100 with SMTP id p100so6795661qge.3 for <tls@ietf.org>; Wed, 03 Jun 2015 10:23:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=veY5fQi4NxAlsgXrdc16vPU7Ec55HBiNRJYyMW1iK58=; b=tMZqS8MV8m2ibaBnQqURRQq0tuLDWiNaTeGH6/j2o1T3pc5Z4+Wr7SLnab94Y4DDKZ wiKN34SVZcg9t0H8EqW1GHIbTui64mAp9EmQI/EK3Mi8lBzVTFe4ZDJ8gurKAyTePjic x2MO6mpPC54S9Gk8Q0DwYYq2DUzvSblI42szhb+s8FYzzk2FHXY0er6A2XFjADczJjtd gtjZe25oGuFcdT9/vWykg5omsUWt2ceheZBUd4Pihx5RmaZbzxILxiZrV8ujvOwP3fPZ i6+Gdf0C0fHVu48cPCrfEw+9LThDB/9sA+DkwOF6/fTKWFNBhKkIVRZgfQO+bZiww9ib NjCw==
X-Received: by 10.55.49.73 with SMTP id x70mr18117001qkx.49.1433352219477; Wed, 03 Jun 2015 10:23:39 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id p59sm727705qga.1.2015.06.03.10.23.38 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 03 Jun 2015 10:23:38 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Date: Wed, 3 Jun 2015 13:23:36 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <20150601225057.17500.96911.idtracker@ietfa.amsl.com> <201506030405.47936.davemgarrett@gmail.com> <CAHOTMVLFHbmB-5QB0D7abRTGRnFQiWhVV1eVK-Ou1cHL+SkYNQ@mail.gmail.com>
In-Reply-To: <CAHOTMVLFHbmB-5QB0D7abRTGRnFQiWhVV1eVK-Ou1cHL+SkYNQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201506031323.37163.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/UkoFMKl80vrMlzQc-e1sGjXypG8>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Geoffrey Keating <geoffk@geoffk.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 17:23:41 -0000

On Wednesday, June 03, 2015 04:20:15 am Tony Arcieri wrote:
> On Wed, Jun 3, 2015 at 1:05 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
> > Well... here's a way it could:
> > 1) Deprecate/prohibit all "DH(E)_*" cipher suites
> 
> I'm a bit unclear on this, but I think that's actually happening as part of TLS 1.3?

No, that's what you're proposing with a diediedie. (seems to have been a miscommunication here)

DH_* (non-ephemeral) are being deprecated in TLS 1.3. DHE_* are still in TLS 1.3. You're argument is that non-ECC DH(E) is harmful because Java is crap and chokes on it. (yeah, Java should be fixed, but it is crap and out there and breaking, and getting rid of DH(E) would fix that)

What I said was:
> 1) Deprecate/prohibit all "DH(E)_*" cipher suites
> 2) Create a new set of "FFDHE_*" cipher suites to replace them that only allow strong groups (3072+)

My suggestion is to do exactly what you propose, publish a DH(E) diediedie, but in the same RFC standardize a new set of DHE cipher suites with strong requirements using a new prefix (e.g. FFDHE) and new codepoint assignments. Servers supporting these new suites will never negotiate them with old clients that don't support them, but newer clients that add support will be able to negotiate DHE using the new cipher suites.

It's a cake-and-eat-it-too suggestion. Kill old DH(E) and replace it with a limited set of new suites that are only usable with strong groups and only supported by new clients.


Dave