IETF Logo Mail Archive

Re: [TLS] New Algorithm identifier for EDH > 1024 bits?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 27 September 2013 06:41 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A84D21E80E7 for <tls@ietfa.amsl.com>; Thu, 26 Sep 2013 23:41:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.587
X-Spam-Level:
X-Spam-Status: No, score=-2.587 tagged_above=-999 required=5 tests=[AWL=0.012, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ovDFmmNQNupA for <tls@ietfa.amsl.com>; Thu, 26 Sep 2013 23:41:16 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) by ietfa.amsl.com (Postfix) with ESMTP id 4F37621E808F for <tls@ietf.org>; Thu, 26 Sep 2013 23:41:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1380264074; x=1411800074; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=kP25js6bM2VW0vIR62NZpHIALP+U/8UQOCgpIf1Uf8g=; b=F8KkuZyMgXfBuRqvvQgECb7ay8fvN6AOpLEoWYk8bbwGa1GX1SIAArDq mGhMm90x5FLF1qpUEcmPWNAfgtRxZj+O4gFzEmJ+6y6siUzif2/IKp+7y AeqJNrN1JVldnOGYFHC3lJhJPMk0wQ4yn+dORQQ/ctOVEUXjLyzvoW7BB Y=;
X-IronPort-AV: E=Sophos;i="4.90,991,1371038400"; d="scan'208";a="214508260"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 27 Sep 2013 18:41:10 +1200
Received: from UXCN10-6.UoA.auckland.ac.nz ([169.254.10.92]) by uxchange10-fe3.UoA.auckland.ac.nz ([130.216.4.125]) with mapi id 14.02.0318.004; Fri, 27 Sep 2013 18:41:09 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] New Algorithm identifier for EDH > 1024 bits?
Thread-Index: Ac67TImS2B3T+9kATv+sBl6Xqb9E8Q==
Date: Fri, 27 Sep 2013 06:41:09 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C735567E500@uxcn10-6.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] New Algorithm identifier for EDH > 1024 bits?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 06:41:22 -0000

Phillip Hallam-Baker <hallam@gmail.com> writes:

>My understanding of the 1024 bit Ephemeral DH key issue is that it is not
>currently possible to use longer keys because a certain number of deployed
>Web servers will abort the connection if a client presents a longer key.
>
>Hmmm, wonder who made that decision...

Could that be because of all of the TLS_DHE_DSS_* suites, with DSS limited to
1024 bits so implementers also limited the matching DH to 1024 bits?  Just
wondering what other reason there could possibly be for artificially limiting
the size to 1024 bits.

Peter.

v2.23.0 | Report a Bug | By Email