Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 13 March 2014 23:01 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113481A0760 for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 16:01:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dY1KJDT_nn22 for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 16:01:35 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) by ietfa.amsl.com (Postfix) with ESMTP id 25A561A058E for <tls@ietf.org>; Thu, 13 Mar 2014 16:01:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1394751689; x=1426287689; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=tN2DgIxmOMliBssg+KS1fOtSl++vO7+G+UXOPJJi5HQ=; b=Uy+PfqnBG8X825aLmL/nb7+CPTETNzNvpdPJezGDTqV5DCwa9PR1DopN 4+uAe8nmq47ZN3lXG5hsxC+/wR2417Zk+fQ/DZQFOMfbIp9Xz7q+ri9L9 AhFp8vqtVf8ZYjZpQWg7X+wHxZVicCvs2A9lbho3Fey+7ux1SPNo7DJHu 4=;
X-IronPort-AV: E=Sophos;i="4.97,649,1389697200"; d="scan'208";a="239570070"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 14 Mar 2014 12:01:27 +1300
Received: from UXCN10-6.UoA.auckland.ac.nz ([169.254.10.53]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.03.0174.001; Fri, 14 Mar 2014 12:01:26 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Thread-Topic: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
Thread-Index: Ac8/ECkmgTZ4h3K+S8u8HHUPIcV3Hw==
Date: Thu, 13 Mar 2014 23:01:26 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C737238B6C3@uxcn10-6.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XKxTwatcnd2Jy44Hfz4LyVplzeE
Subject: Re: [TLS] Still missing: TLS_ECDH_anon_WITH_AES_xxx_GCM_SHAxxx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Mar 2014 23:01:41 -0000

Alyssa Rowan <akr@akr.io> writes:

>Can we perhaps make that a SHOULD NOT (or even a MUST NOT), if it somehow
>isn't already? It's way too common in the wild, and it really is next to
>useless practice from the same kind of wilful carelessness that brought the
>world so many default/engineering/field service passwords/backdoors.

I doubt it'll make any difference, those who would read and follow the RFC on
this point won't be using insecure certs/keys anyway, and those who are using
them will ignore (or not even read to that point) the RFC.  I've heard this
sort of thing referred to in the past as "workgroup posturing", and that's
unfortunately what it'll be...

Peter.