Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 28 March 2014 13:26 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AF5A1A0639 for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 06:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TZuzMNXXHgoA for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 06:25:58 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 7442A1A0641 for <tls@ietf.org>; Fri, 28 Mar 2014 06:25:56 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 0B16AF984; Fri, 28 Mar 2014 09:25:51 -0400 (EDT)
Message-ID: <5335785F.2070104@fifthhorseman.net>
Date: Fri, 28 Mar 2014 09:25:51 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Marsh Ray <maray@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>
References: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com> <31dba3a928d145c6835d4bbcfa603354@BY2PR03MB074.namprd03.prod.outlook.com>
In-Reply-To: <31dba3a928d145c6835d4bbcfa603354@BY2PR03MB074.namprd03.prod.outlook.com>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="HL9eAr6JrXGBVTbRJctjkQxHO4g467S2v"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Vd-W-H-AkHGt0mGz1iZRJMkOilY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 13:26:00 -0000

On 03/27/2014 08:17 PM, Marsh Ray wrote:
> From: Martin Thomson [mailto:martin.thomson@gmail.com] 
>>
>> On 27 March 2014 16:55, Marsh Ray <maray@microsoft.com> wrote:
>>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Alyssa Rowan
>>>>
>>>> Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead?
>>>
>>> The general consensus at Microsoft is that we like ECDHE much better than the classic DHE.
>>
>> I think that this is the general trend, but is it so bad that you would want to prohibit DHE?
> 
> Historically we have opted to provide ECDHE *in place of* classic DHE.

did SChannel ever support classic DHE with RSA authentication?

 http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx

suggests that XP and win2003 (which, afaict, were what immediately
preceded vista) does not have DHE.  So it looks like ECDHE was just
added, but "classic DHE" wasn't in SChannel in the first place, which
doesn't sound like ECDHE is "in place of" DHE to me.

or am i misreading the documentation?

	--dkg