[TLS] Deprecating FFDHE + RSA Key Exchange

Nimrod Aviram <nimrod.aviram@gmail.com> Tue, 06 April 2021 09:27 UTC

Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A43FB3A18AD for <tls@ietfa.amsl.com>; Tue, 6 Apr 2021 02:27:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYXwNRuvFNVr for <tls@ietfa.amsl.com>; Tue, 6 Apr 2021 02:27:26 -0700 (PDT)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA6383A18AC for <tls@ietf.org>; Tue, 6 Apr 2021 02:27:25 -0700 (PDT)
Received: by mail-qv1-xf34.google.com with SMTP id u3so4625390qvj.8 for <tls@ietf.org>; Tue, 06 Apr 2021 02:27:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=94X5GnFnYP9AsYY0339UgmbGRlWXOBF8cyNCl1Dl7Es=; b=T1v24lCNP3xPDGfLmvD1+WsvWhgABRghTpxIjTEUwAoN5RfFSGCuu8o+lwd8S4r+/Q oA9vcJl1atpG+z4fcQtBFzbxjkhvI6B9KdqKeF08OxwnCeXEQSdMsiY7XJT7n9zEcRRH Gy3Hwts/+GK+yAJVD3ghTkw5xd8NaIkWRvp3X6MnsYiCF0Sxuc1Bgc+YnWswB+WepokB jQYNZuc3/vPrv409KLZAZIDiVM5tfMAwOn83z2gXEp4mWDb3u3jGvGInJOhpgkDOzTH4 3MiVH//++42x3n9qPLSUd2RKkFF1WOhhUinwyvkObdONM8uh8OrNP2XkEZGxXBSpxTUi liDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=94X5GnFnYP9AsYY0339UgmbGRlWXOBF8cyNCl1Dl7Es=; b=lg3uni4xDaC72N+ZyO6/c1TRJk6Lna/msgvS+KgbI758JuVDKUz3Rd4X/9be5av5NY KnIHzV0+mrSBaiOrwMebZKslj+FXS4W5Rzrgz1jqjozSmsTkVeOWWGpKXCYC1UvVaRMf 8ILT0ed+gsGKz9/e97ycHqeaLntyb8SLPTYVB77A9UL8TJmsxTXslmtvrF0dQV4YtKD2 qqA/nixrBlPtHAfKiz+Z5BEm0Vdx21yOCFsx/83w2j9nsr+iaFzB5Xsr9s9KwSyYEh4Z lhQ/B3570QsC8SnOll058VAYG4b5MsfTCvKY3C/4F782745ltZ6k+Sknn9TCTadBvxG2 7MfQ==
X-Gm-Message-State: AOAM532ATVRO0xUvCucF5ZVi6Ibcu0tT5iYIcjwce0dOpWCmQcvpF3UX mBMlSuvCsd0xHzoeMzrmh9cJLRhDsAnzpybSrCpawNQxTU9HVg==
X-Google-Smtp-Source: ABdhPJzf+4yAYwOV1A23TlW8ph00Yq/TfUfubHIdn6bkRzWCe0q19NGldqxierKhpAJM6prA+CwhHl6cVMwPOFrx1Vs=
X-Received: by 2002:a05:6214:2402:: with SMTP id fv2mr5007370qvb.40.1617701243105; Tue, 06 Apr 2021 02:27:23 -0700 (PDT)
MIME-Version: 1.0
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Tue, 6 Apr 2021 12:27:12 +0300
Message-ID: <CABiKAoTBTcRGvQyFF5GAUGDu3pu-Cc_S3U4nnafpjx6vGVHodA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f2b7c205bf4a6ba7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XVuFzKyGr0b0y1HaqsnETPDnDD4>
Subject: [TLS] Deprecating FFDHE + RSA Key Exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Apr 2021 09:27:28 -0000

Dear all,

Following the discussion around draft-bartle-tls-deprecate-ffdhe, what are
your thoughts on deprecating RSA key exchange, and Finite-Field
Diffie-Hellman? (This would probably happen in a separate document.)

Considering the following different areas/use cases:
1. On the open Internet/web, both key exchange methods have been superseded
by ECDH. Browser support for FFDHE has been entirely removed IIUC, so
formally deprecating FFDHE should not be a problem (right?). Are there any
reasons to avoid deprecating FFDHE and RSA on the open Internet?
2. On local networks, deprecating both key exchange methods may leave some
endpoints without any key exchange algorithms. Could you please give
feedback on the following:
a. Is the number of such endpoints large enough that we shouldn’t deprecate
these methods?
b. If the answer to the above is yes, what would be a good plan/timeline to
deprecate them?

We could also consider limiting FFDHE to well-known groups of at least 2048
bits, with fully ephemeral secrets. But this would likely cause enough
interoperability problems that we might as well deprecate it fully, right?

thanks,
Nimrod