Re: [TLS] chairs - please shutdown wiretapping discussion...

Stephen Farrell <> Tue, 11 July 2017 19:59 UTC

To: Ted Lemon <>
Cc: Christian Huitema <>,
From: Stephen Farrell <>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Date: Tue, 11 Jul 2017 20:59:41 +0100

On 11/07/17 20:48, Ted Lemon wrote:
> On Jul 11, 2017, at 3:40 PM, Stephen Farrell
> <> wrote:
>> It'd seem possible for a server to hold a rather long list of
>> re-used static DH values and unlikely for normal clients to detect
>> those.
> Bearing in mind that the current proposal is intended to perpetuate a
> well-established use model so as to avoid having to re-tool, I don’t
> think this is a real concern. In practice I expect that the number of
> keys used in such a system will be small because the operational
> burden of making it large will be enough to motivate re-tooling.
> So in practice I would expect a client to be able to cache enough
> keys to notice this attack, if the user were motivated, or the client
> vendor considered this to be a credible threat worth addressing.

I can't see that happening. Once the first is called
out for using this, others will make their list longer or take
other approaches, e.g. use one exfiltrated private value as a
seed for others via some proprietary mechanism.

Actually, that calls out another reason to not standardise or
further develop this - any such standard is either undetectable
or leads to deployments deviating from the standard to become less
detectable - both undesirable outcomes. That latter case also
destroys the "but we should scrutinise it" argument IMO as the
"it" will change to be undetectable and not the "it" that was
ostensibly scrutinised.
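The exchange above turns on a client-side check: cache the key shares a server sends and flag one that comes back, since a genuinely ephemeral server produces a fresh share per handshake. The following is an added example (not code from the thread, the IETF, or any TLS implementation) that models that check and the limitation raised in the reply: a client's cache is bounded, so a server rotating through a list of static values longer than the cache is never flagged. Server name, key-share bytes and pool sizes are constructed sample values, not captured traffic.

```python
"""Detector for re-used (static) Diffie-Hellman key shares across TLS handshakes.

Added illustration; not part of the original mailing-list thread. A client
records a digest of each server key share it sees, per server, in a bounded
LRU cache and reports any value seen again. All key shares below are
constructed sample bytes, not real handshake data.
"""
from collections import OrderedDict
from hashlib import sha256
import os


class KeyShareReuseDetector:
    """Per-server LRU cache of server key-share digests."""

    def __init__(self, max_entries=64):
        self.max_entries = max_entries
        self.seen = {}  # server name -> OrderedDict(digest -> times seen)

    def observe(self, server, key_share):
        """Record one server key share; return True if it was seen before."""
        digest = sha256(key_share).hexdigest()
        cache = self.seen.setdefault(server, OrderedDict())
        if digest in cache:
            cache[digest] += 1
            cache.move_to_end(digest)  # keep recently re-used values resident
            return True
        cache[digest] = 1
        if len(cache) > self.max_entries:
            cache.popitem(last=False)  # evict the least recently seen share
        return False


def constructed_static_share(k):
    """Deterministic stand-in for the k-th entry of a server's static key list."""
    return sha256(b"constructed-static-dh-share-" + str(k).encode()).digest()


def simulate_rotating_server(pool_size, handshakes, cache_size):
    """Model a server cycling round-robin through `pool_size` static shares.

    Returns how many of `handshakes` handshakes the client flagged as re-use.
    With pool_size <= cache_size every repeat is caught; with pool_size larger
    than the cache each share is evicted before it comes around again.
    """
    detector = KeyShareReuseDetector(max_entries=cache_size)
    pool = [constructed_static_share(k) for k in range(pool_size)]
    flagged = 0
    for i in range(handshakes):
        if detector.observe("server.example.test", pool[i % pool_size]):
            flagged += 1
    return flagged


def simulate_ephemeral_server(handshakes, cache_size=64):
    """Model a server that draws a fresh random share per handshake."""
    detector = KeyShareReuseDetector(max_entries=cache_size)
    flagged = 0
    for _ in range(handshakes):
        if detector.observe("server.example.test", os.urandom(32)):
            flagged += 1
    return flagged


if __name__ == "__main__":
    print("ephemeral, 100 handshakes, flagged:", simulate_ephemeral_server(100))
    print("4 static shares, cache 64, 100 handshakes, flagged:",
          simulate_rotating_server(4, 100, 64))
    print("1000 static shares, cache 64, 2500 handshakes, flagged:",
          simulate_rotating_server(1000, 2500, 64))
    print("1000 static shares, cache 1000, 2500 handshakes, flagged:",
          simulate_rotating_server(1000, 2500, 1000))
```

The last two runs make the point of the reply concrete: the same 1000-entry static list is fully exposed to a client whose cache can hold it and completely invisible to one with a 64-entry cache, so detection depends on the client budgeting more state than the server is willing to rotate through.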