Re: [TLS] The progress about the Negotiated FFDHE proposal

Brian Smith <> Wed, 09 December 2015 19:08 UTC

Date: Wed, 9 Dec 2015 09:08:34 -1000
From: Brian Smith <>
To: Sean Turner <>

On Wed, Dec 9, 2015 at 8:44 AM, Sean Turner <> wrote:

> On Dec 05, 2015, at 10:43, Ilari Liusvaara <>
> wrote:
> >
> > On Sat, Dec 05, 2015 at 11:32:40PM +0800, Xuelei Fan wrote:
> >> Hi,
> >>
> >> Anyone know why the negotiated FFDHE draft hangs on MISSREF state for more
> >> than 180 days?
> >>
> >>
> >
> > Normatively depends on the false-start draft that isn't sent to the
> > RFC-Editor yet.
> >
> > The specification itself is done and all the needed codepoints have
> > been assigned.
> I haven’t seen any comments on the 01 version so I’m checking with Bodo to
> see if he got any off-list comments.  If not, we’ll get the WGLC started.

The FF-DHE draft should be reset so that it specifies new cipher suite IDs
for TLS_DHE_* cipher suites with the same semantics as the current
TLS_DHE_* cipher suites, but with the requirement that the FF-DHE extension
is present (for TLS 1.2 and earlier versions). As predicted long ago, the
current design of this extension doesn't make sense because it doesn't
allow for a client to require a strong DHE key and at the same time
maintain compatibility with sites that use weak DHE keys when DHE cipher
suites are offered but which would use a strong non-DHE cipher suite if DHE
cipher suites are not offered.

Additionally, because of the Microsoft SChannel AES-GCM bug from last year,
it is very difficult to deploy a client that uses TLS-DHE-AES-GCM or
TLS-AES-GCM cipher suites. This is more motivation for the proposal in the
previous paragraph.

If the current proposal goes ahead unmodified, I suspect most implementers
will be forced to ignore it and simply turn off TLS_DHE cipher suites
completely. That's what Apple Safari did, what Google Chrome appears to be
doing, and also what Firefox partially did.

If the goal is really to deprecate TLS_DHE cipher suites completely, then
the wording of the draft should be made much simpler and more direct to
that effect.
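The negotiation dilemma Brian describes can be made concrete with a small model of TLS 1.2 cipher-suite selection. The following is an added example, not code from the draft, the list discussion or any TLS implementation. It assumes the classic server rule (first client-offered suite the server supports wins, with the FFDHE extension treated as advisory) and uses a hypothetical suite name ending in `_FFDHE_ONLY` as a placeholder for the "new cipher suite IDs that require the extension" proposed in the message; the group sizes and the 2048-bit client policy are constructed values.

```python
"""Model of TLS 1.2 cipher-suite negotiation with and without the FFDHE
extension. Constructed example; suite names, group sizes and the client
policy are illustrative placeholders, not values from the draft."""

from dataclasses import dataclass

# Placeholder suite names (real suites are 16-bit codepoints).
DHE_SUITE = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
ECDHE_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
# Hypothetical new ID: same semantics as DHE_SUITE, but only selectable
# when the client also sent the FFDHE extension.
DHE_FFDHE_SUITE = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256_FFDHE_ONLY"

MIN_DHE_BITS = 2048  # client policy (assumption): reject smaller FF groups


@dataclass
class Server:
    suites: list           # supported suites, any order
    legacy_dhe_bits: int   # group size used when the extension is ignored
    honours_ffdhe_ext: bool

    def choose(self, hello):
        """Classic rule: first suite in the client's list that we support."""
        for suite in hello["suites"]:
            if suite not in self.suites:
                continue  # unknown suite IDs are simply skipped
            if suite == DHE_FFDHE_SUITE and "ffdhe_groups" not in hello:
                continue  # the new ID is invalid without the extension
            return suite
        return None

    def dhe_group_bits(self, suite, hello):
        """Group size the server will actually use for a DHE suite."""
        if not suite.startswith("TLS_DHE_"):
            return None
        if self.honours_ffdhe_ext and "ffdhe_groups" in hello:
            return max(hello["ffdhe_groups"])  # assumption: largest offered
        return self.legacy_dhe_bits  # extension ignored: server's own group


def handshake(hello, server):
    """Return ('ok', suite), ('abort_weak_dhe', suite) or ('fail', None)."""
    suite = server.choose(hello)
    if suite is None:
        return ("fail", None)
    bits = server.dhe_group_bits(suite, hello)
    if bits is not None and bits < MIN_DHE_BITS:
        # The client cannot fall back to ECDHE here: the handshake is
        # already committed to the DHE suite, so the only safe move is abort.
        return ("abort_weak_dhe", suite)
    return ("ok", suite)


# Constructed servers: one ignores the extension and uses a 1024-bit group,
# one implements the extension (and the hypothetical new suite ID).
LEGACY_SERVER = Server([DHE_SUITE, ECDHE_SUITE], 1024, False)
UPDATED_SERVER = Server([DHE_FFDHE_SUITE, DHE_SUITE, ECDHE_SUITE], 1024, True)

# Three client strategies.
HELLO_CURRENT_DRAFT = {"suites": [DHE_SUITE, ECDHE_SUITE],
                       "ffdhe_groups": [2048, 3072]}
HELLO_NO_DHE = {"suites": [ECDHE_SUITE]}
HELLO_PROPOSED = {"suites": [DHE_FFDHE_SUITE, ECDHE_SUITE],
                  "ffdhe_groups": [2048, 3072]}


def run_scenarios():
    """Outcome of each client strategy against each server."""
    return {
        "current_draft/legacy": handshake(HELLO_CURRENT_DRAFT, LEGACY_SERVER),
        "current_draft/updated": handshake(HELLO_CURRENT_DRAFT, UPDATED_SERVER),
        "no_dhe/legacy": handshake(HELLO_NO_DHE, LEGACY_SERVER),
        "proposed/legacy": handshake(HELLO_PROPOSED, LEGACY_SERVER),
        "proposed/updated": handshake(HELLO_PROPOSED, UPDATED_SERVER),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result}")
```

With the current extension design, offering a TLS_DHE_* suite alongside the extension lets a legacy server commit to that suite with its own weak group, and the client's only remaining option is to abort; dropping DHE entirely (the Safari/Chrome/Firefox route in the message) works but gives up DHE everywhere. A suite ID that legacy servers do not recognise is skipped by the classic selection rule, so they fall through to ECDHE, while updated servers pick it and use a client-acceptable group.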