Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 02 December 2014 17:41 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FECB1A1EEA for <tls@ietfa.amsl.com>; Tue, 2 Dec 2014 09:41:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_71=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cIOApGVL3ISM for <tls@ietfa.amsl.com>; Tue, 2 Dec 2014 09:41:18 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC0881A6FBB for <tls@ietf.org>; Tue, 2 Dec 2014 09:40:34 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 7458A282FD0; Tue, 2 Dec 2014 17:40:33 +0000 (UTC)
Date: Tue, 02 Dec 2014 17:40:33 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141202174033.GW285@mournblade.imrryr.org>
References: <20141202132629.8023.24760.idtracker@ietfa.amsl.com> <547DC339.80800@streamsec.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <547DC339.80800@streamsec.se>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_etXW0RypDFAH2g-LxSPogVCLW4
Subject: Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 17:41:19 -0000
On Tue, Dec 02, 2014 at 02:48:41PM +0100, Henrick Hellstr?m wrote: > Server implementations SHOULD support all of the following cipher > suites, and client implementations SHOULD support at least one of > them: > > o TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA > o TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA > o TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA > o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. > > Isn't this recommendation problematic? I don't think it is very common for > servers to have more than one certificate, and a server can't support all > four of these cipher suites, unless it has both one RSA certificate and one > EC certificate. Given the far from universal support for ECDSA by clients, a server that wants to use ECDSA when possible, but still wants to interoperate with more than just a select few clients really SHOULD have both ECDSA and RSA certificates. The main reason it is not common for servers to have more than one certificate is that generally they have only RSA certificates, which have (practically) universal support. For what it is worth, Postfix (via OpenSSL) supports simultaneous deployment of both RSA and ECDSA keys/certs. In the near to medium term, any server that wants to deploy ECDSA should also deploy RSA, to avoid interoperability issues with a sizeable fraction of clients. -- Viktor.
- [TLS] I-D Action: draft-ietf-tls-rfc4492bis-00.txt internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Manuel Pégourié-Gonnard
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-rfc4492bis-0… Yoav Nir