IETF Logo Mail Archive

Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 16 April 2024 12:50 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84CD6C14F710 for <tls@ietfa.amsl.com>; Tue, 16 Apr 2024 05:50:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wGo3TrXiUHWX for <tls@ietfa.amsl.com>; Tue, 16 Apr 2024 05:50:51 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.23.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2EB7C14F70B for <tls@ietf.org>; Tue, 16 Apr 2024 05:50:50 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01lp2232.outbound.protection.outlook.com [104.47.71.232]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-100-Xbxhpm5yNPyybTAgWBk31A-1; Tue, 16 Apr 2024 22:50:40 +1000
X-MC-Unique: Xbxhpm5yNPyybTAgWBk31A-1
Received: from ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM (2603:10c6:220:229::18) by SY8P300MB0423.AUSP300.PROD.OUTLOOK.COM (2603:10c6:10:298::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7472.30; Tue, 16 Apr 2024 12:50:38 +0000
Received: from ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM ([fe80::cf8d:e124:c5c6:d1a3]) by ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM ([fe80::cf8d:e124:c5c6:d1a3%5]) with mapi id 15.20.7472.027; Tue, 16 Apr 2024 12:50:38 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Joseph Salowey <joe@salowey.net>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Deprecating Static DH certificates in the obsolete key exchange document
Thread-Index: AQHaj2DR5mU6dN3aJ0W9V4OJWEGrurFq2n95
Date: Tue, 16 Apr 2024 12:50:38 +0000
Message-ID: <ME0P300MB0713960691D3A236557C58D3EE082@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
References: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
In-Reply-To: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: ME0P300MB0713:EE_|SY8P300MB0423:EE_
x-ms-office365-filtering-correlation-id: 8e2c8369-77b3-4ab1-4594-08dc5e13d14c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: WM75rrCzzI9fnptojjXt00sX1+f8jhdywKlOPXK89jjoYTFT9+HkBgxwdH7hyagFa3IVRxDwNGVRXypSkUbM1i7EkkRr137hQAEUuRZ5nnnLklUN8mUP7ccUzx1/W0kMHxJ2oM/SWqjDARHGiYxSW/Miuv5XJapUNzoJjyL04Aa6eBOKC7PVbKRre2UN4xkSrYK+tBbwTQVGWavrn5yNucGwNqypALSpYMYWtQsWjtjJWgOZctrVLZAIQE43IOWyRL9eNnphVv16eyBTawmr6QaHlfCPQClOOagmZLDk0A9EcrWHG2jb3n9Zqie/voT/Bx9qaS1W3/5tXJrjxfo3Wzu7T48uYF59b3cmS4zG6gBjEeP/qJhwrLhbTcQCHVAF+CJf7rr0T8VztD+bixwl0XTYVihcUKqvJp8QGRLkGiF/qug463+TR0v2MeJQQUfZ2oeiiWHFajBQ+Yyvw7L5Kvs4wUOH+VqYxZgFdGHcBjaeWcMfmDF/hrt75LuJzJTkGEoBp6g9oViTsXm9lZ2VUJxH9gjrglh2CFFatUPpoLQNNH+i4+vzfQUE7pKakR27Y0fKpjkeBTuec+qEEh4dSznsKQoC75ye/NCVg6rPm/lXhZEcneQ/y5sFRsHqXUxbpKQbaGq1cAnyQbMOt2yIp6rKepvo3xjtzqqz1qNT0QBzMIH1626k+RoL2ZX/su3vxatjmo1lyxbPkg0CheLYo2z8L0xa0OyvRTSAYariy+A=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(366007)(376005)(1800799015)(38070700009); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: z/M9sT4qXKaFhpmNfqulo6KsY5QWAn1W0LfHx5159OarZVMz+wtRCbMZVhs5OuSYfb1A/ibzb7nuoW9TFEPTgQIWXA/F3AfakWmsB356ql3i7syrU0PmJlB411TM2jiFX3FQIlZ904dl1zNu2fLJhNRZ1ejb70isbzUkDp7orczIPvzTZTuxVWNoM1F02UWH69T07uw7b5LlL8YlEaVmnBQrSlqoGxT14iGkQiJQoXkL91Kq80eYwN5KLj4ceJsV4DrTnp4vyO9R4/m3NWJ5DIR7kqdCMLTLAUjD65zUVVrhiZImMj3ITBzvUBSozzj/c9KchTBwxlI/hSkP52vrOlN8eDqhDusiw5a483EaPUAWSlbl8/PdAaeuQ1oTo1WKlhDnRNXupbDJRvH1GLEttglqbEap5kwwbz2twUnou8M6x9d4l6IohNKtPrv4MWWTWR4AnwpEHeZJSZU84TsX2gFXeMSppDkrylmXc9b8YlmCJhJ+VSZEUjqOio3/rIBrTVRTgEdpxyjcHJyUAW02wVH+gUzQb7SkV2Kh2rUHFyrxm420WAKAo4vgY3zjyngfJsP2tfQqDZC6t/RQrwfkJx2l8d2AUkk3jSILMH50zxaE1ktEG02lTqg3erLpw2DykXOWvhgUBm144AINFxep82H51bnpmIighhXqvqDIotn5q7+V92KFugTvOy4kTsAY/1c2EbYrH31TUFY2KPF076HsgIb3HKHxFYrCe0YiGhqpqgM2bfxwm9VksR+a16uLmRZ9CAwKXipuXa5mN/4I0BOqrZa1Ix1WEB1j/Vle3FJc+rYajSCPGKfa9nJVrjHx0itkF4mlvg1G0IUeNKPsaBkksRj6PMFJXxCJZvuDjooote6mttZfDfWSYW484lasAladk5dzVOTjYvh7H8OjFIdoIFubHNKIEsgRf7UvhiociDNZ9oxjIG6Mx3IzyEH4CV5G4CkziKZaC3Ptezelg74evvEPaStJ1+TrBZsbYoEE/Veu4ddNi4djNU6X/VkKlyhB4O8J9ebsDMt6MM3XA5BbOc6jpmcCaqTnIZB8bbQOiwPsXDs9iui/FJMi0qA33J3O1VbOFY4R7UCyGW3E6ymG9mkymgcEskb72foC8nUHtTxKalNkwsWSuNpBI4Zr1hV0wg4gl2eVL+bHMxM95cgM5iYbR6y1nPm3RrPyVSyii9jRCoqWCLjIv5s6DOIuI9h9WaqVj5dOYHYPap8YF9sWo/7XAgaU1jJlzxTIRp5dUvNw6H5UPaG1A86fdq1q0vbWLZxjvrq7shIfwOTXV1c9/TViUp51UCdSCXIM0hD6ZRmFXFB7mC15fDoRhUb/8a4D5+PS09WodoVSGqDig6UWLLDFjxZRfMvavzCJd4o+v2N5J+Uzut/2P2U9HkB/ZqUMMEDoHgc7jVA1TpTYstHGoQ8/TZF5THckxtyHcUpm1PXpcxSpkQIa1LvE/kHOd+mReHNPSNbDnRheIALGs29jzVNUAJ1gUcXlxy9vDfya74Y5Mjr0VnfMy2b8o7dR7X9maAOx3s8OPi7KMcYndImr1KCauOtHkqC9wsOFGEVrw+D0bDuboJKqwBRMzj4Ed+7doni+h83LBUbFVRqsAg==
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8e2c8369-77b3-4ab1-4594-08dc5e13d14c
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2024 12:50:38.8577 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: oQ/m93lnm4QNYMJMe6ncF2FXV4JZCnAKUbBGTlV9cx1yLKMFZf1CrpJJhnn3vDrqXpVsYj0lKAeHjN4Nwy4fZ4fplDBhiCkoPBOrtJAprXo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY8P300MB0423
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XJhOZq2ckdAvaJwwWfl74GLRQgU>
Subject: Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2024 12:50:57 -0000

Joseph Salowey <joe@salowey.net> writes:

>At IETF 119 we had discussion that static DH certificates lead to static key
>exchange which is undesirable.

Has anyone every seen one of these things, meaning a legitimate CA-issued one
rather than something someone ran up in their basement for fun?  If you have,
can I have a copy for the archives?

The only time I've ever seen one was some custom-created ones for S/MIME when
the RSA patent was still in force and we were supposed to pretend to use
static-ephemeral DH for key transport instead of RSA.

Peter.

v2.23.0 | Report a Bug | By Email