Re: [TLS] The progress about the Negotiated FFDHE proposal

Brian Smith <brian@briansmith.org> Wed, 09 December 2015 19:08 UTC


On Wed, Dec 9, 2015 at 8:44 AM, Sean Turner <sean@sn3rd.com> wrote:

> On Dec 05, 2015, at 10:43, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> >
> > On Sat, Dec 05, 2015 at 11:32:40PM +0800, Xuelei Fan wrote:
> >> Hi,
> >>
> >> Anyone know why the negotiated FFDHE draft hangs on MISSREF state for
> >> more than 180 days?
> >>
> >>    http://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/
> >
> > Normatively depends on the false-start draft that isn't sent to the
> > RFC-Editor yet.
> >
> > The specification itself is done and all the needed codepoints have
> > been assigned.
>
> I haven't seen any comments on the 01 version so I'm checking with Bodo to
> see if he got any off-list comments.  If not, we'll get the WGLC started.
>

The FF-DHE draft should be reset so that it specifies new cipher suite IDs
for TLS_DHE_* cipher suites with the same semantics as the current
TLS_DHE_* cipher suites, but with the requirement that the FF-DHE extension
is present (for TLS 1.2 and earlier versions). As predicted long ago, the
current design of this extension doesn't make sense because it doesn't
allow for a client to require a strong DHE key and at the same time
maintain compatibility with sites that use weak DHE keys when DHE cipher
suites are offered but which would use a strong non-DHE cipher suite if DHE
cipher suites are not offered.

Additionally, because of the Microsoft SChannel AES-GCM bug from last year,
it is very difficult to deploy a client that uses TLS-DHE-AES-GCM or
TLS-AES-GCM cipher suites. This is more motivation for the proposal in the
previous paragraph.

If the current proposal goes ahead unmodified, I suspect most implementers
will be forced to ignore it and simply turn off TLS_DHE cipher suites
completely. That's what Apple Safari did, what Google Chrome appears to be
doing, and also what Firefox partially did.

If the goal is really to deprecate TLS_DHE cipher suites completely, then
the wording of the draft should be made much simpler and more direct to
that effect.

Cheers,
Brian
--
https://briansmith.org/
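A constructed simulation of the negotiation problem described in the message above (added here as an illustration; it is not code from the thread, the draft, or any TLS stack). The suite names are illustrative and NEW_DHE is a hypothetical suite ID standing in for the proposed new TLS_DHE_* IDs that require the FFDHE extension; the 1024-bit legacy group and the two server models are assumptions.

```python
"""Constructed model of TLS 1.2 suite selection with and without the FFDHE
extension. Suite names are illustrative; NEW_DHE is a hypothetical ID."""

DHE = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"      # existing DHE suite ID
ECDHE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # strong non-DHE alternative
NEW_DHE = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256_FFDHE"  # hypothetical new ID
NAMED_GROUPS = {"ffdhe2048": 2048, "ffdhe3072": 3072}  # groups from the draft
MIN_DHE_BITS = 2048  # the client's DHE strength requirement

# Assumed server models: suites in preference order, own DH group size,
# and whether the server implements the FFDHE extension at all.
LEGACY = dict(suites=[DHE, ECDHE], own_group_bits=1024, knows_ext=False)
MODERN = dict(suites=[NEW_DHE, DHE, ECDHE], own_group_bits=2048, knows_ext=True)


def server_select(server, offered, ffdhe_ext):
    """Pick (suite, group_name, group_bits) as the server would, or None."""
    for suite in server["suites"]:
        if suite not in offered:
            continue  # an unoffered (or, for LEGACY, unknown) ID is skipped
        if suite == ECDHE:
            return suite, "ecdhe", None
        if suite == NEW_DHE and not ffdhe_ext:
            continue  # the new IDs are only valid with the extension present
        if suite == NEW_DHE or (server["knows_ext"] and ffdhe_ext):
            name = next((g for g in ffdhe_ext if g in NAMED_GROUPS), None)
            if name:
                return suite, name, NAMED_GROUPS[name]
            if suite == NEW_DHE:
                continue  # cannot honour the new ID without a shared group
        # legacy DHE: the extension is ignored and the server's own group used
        return suite, "custom", server["own_group_bits"]
    return None


def client_outcome(server, offered, ffdhe_ext=("ffdhe2048",)):
    """Client policy: DHE is acceptable only with a >= MIN_DHE_BITS group."""
    choice = server_select(server, offered, list(ffdhe_ext))
    if choice is None:
        return "fail: no common suite"
    suite, name, bits = choice
    if suite != ECDHE and bits < MIN_DHE_BITS:
        return f"fail: weak {bits}-bit DHE group"
    return f"ok: {suite} ({name})"


if __name__ == "__main__":
    for label, offer in [("current design", [DHE, ECDHE]),
                         ("no DHE at all", [ECDHE]),
                         ("proposal", [NEW_DHE, ECDHE])]:
        print(f"{label:15} legacy: {client_outcome(LEGACY, offer)}")
        print(f"{'':15} modern: {client_outcome(MODERN, offer)}")
```

Offering the existing DHE ID forces the client to either accept the legacy server's weak group or abort, while dropping DHE loses the strong named group on the modern server; only the new ID gives both outcomes at once.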