Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Carrick Bartle <cbartle891@icloud.com> Mon, 09 August 2021 18:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_5aVWz1NpTqia4p_Rokq3WakzxM>

I've posted a revision here: https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdh/


> On Jul 30, 2021, at 11:56 AM, Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org> wrote:
> 
> Sorry, the title will be changed in the next version, which I'll be posting as soon as possible. You are correct about the scope of the work.
> 
> 
>> On Jul 29, 2021, at 5:41 PM, Martin Thomson <mt@lowentropy.net> wrote:
>> 
>> I support the *contents* of this document.  The title, however, I can't agree to.  So I want to be clear about the scope of the work, namely deprecating semi-static FFDH and ECDH suites and any use of FFDHE ephemeral suites with reused keys.
>> 
>> The draft limits the ban on ephemeral key reuse to FFDHE, which is right; I could tolerate a prohibition on reuse for ECDH, but I know that we rely on that for HPKE and other things, so it can't really be bad enough to ban.
>> 
>> Cheers,
>> Martin
>> 
>> On Fri, Jul 30, 2021, at 07:50, Joseph Salowey wrote:
>>> This is a working group call for adoption for Deprecating FFDH(E) 
>>> Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00 
>>> <https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdhe/>).
>>> We had a presentation for this draft at the IETF 110 meeting and since 
>>> it is a similar topic to the key exchange deprecation draft the chairs 
>>> want to get a sense if the working group wants to adopt this draft 
>>> (perhaps the drafts could be merged if both move forward).  Please 
>>> review the draft and post your comments to the list by Friday, August 
>>> 13, 2021.  
>>> 
>>> Thanks,
>>> 
>>> The TLS chairs
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org <mailto:TLS@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/tls