Re: [TLS] [EXT] Re: Deprecating Static DH certificates in the obsolete key exchange document
David Benjamin <davidben@chromium.org> Tue, 23 April 2024 15:31 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADF20C14F68E for <tls@ietfa.amsl.com>; Tue, 23 Apr 2024 08:31:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.296
X-Spam-Level:
X-Spam-Status: No, score=-11.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIr6u92ytp4x for <tls@ietfa.amsl.com>; Tue, 23 Apr 2024 08:31:55 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 861E9C14F6AA for <tls@ietf.org>; Tue, 23 Apr 2024 08:31:55 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-6164d7a02d2so67494767b3.3 for <tls@ietf.org>; Tue, 23 Apr 2024 08:31:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1713886314; x=1714491114; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eTiQcCEk2cwi/Z5LapLvL4PyWOHsv4jqsIqB5G5yrF4=; b=I9Nt89JnIZGoR3/pNBenM+vNBhLKwtahsErHbsLRcHEuS4HvMWXqiSIZukVlkkPuRV qu4jXBleIWm2mO+EkEumPSOEWNuHi3+pSP64cDfKeV46isqo7q+G3whNPzn0Xqbq1STE ctVP0P3ClsZtyuyHtErqcwTupKrZrTldEAnJA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713886314; x=1714491114; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eTiQcCEk2cwi/Z5LapLvL4PyWOHsv4jqsIqB5G5yrF4=; b=anSP8J1+VNrEdgeHYfUnUgIKZSwCvgFat9jfrxW5bJCMz+o+NgpNBg8YeOpxU4P+rr ppqPre1cE34P1ARTsjgZFe6kJLEKK+xpnq3EfasMbYz8QoIa5bZxZyGmblML9alvgFU5 Wx8nfpFqRWqNtPdQ5xKPPzBF8EqjGTkx15Y97mTECKmZBJMdGyiBOl019OEgr483w4r9 x2rawO5I9T3nrDUxo9K0RMX6JSE7+Cq+RHCvg/pSZsTSQk3tZKf5Erk4N9CJnZq3yp5X LGBDagRSOlwQ1BMtPOMriZMqM+9vmCwD/l1/u8mlqLG2fg09wXhYwoL+qdcHQi06x5iU WgkA==
X-Forwarded-Encrypted: i=1; AJvYcCWT/Zt2+DYbPkOFPpUWg7dIVF+HX5ifFxnNJtN9BA0pdwKMZFUJ7okQJWYKHnkGcvHZXpn8y9GviwrRExQ=
X-Gm-Message-State: AOJu0Yz9akrl3L0RgY7flevBU95lKm7oBQ8PylzXk7WKZIQYZ7W2TnGn d8XxfHhbelYw6aWdQwWfgwv0GFts4tnLYHaJPx2IB7b1k4UYURoN/1m6umxVjqO+H6IaPi5NxYj 5Ox1bO0iiY8LcV1GvJGj8ZWTATRQzDqWkzwU=
X-Google-Smtp-Source: AGHT+IFlz2JQjJmdKyr7YGY+qpyL3PcwCO+BgzstAe3r7AktzVRt21cPDDiNH6tiAOVg7M5Pib00wpTF2p0MMs6Fj48=
X-Received: by 2002:a05:690c:6f8e:b0:60a:448:ff4f with SMTP id je14-20020a05690c6f8e00b0060a0448ff4fmr15758560ywb.41.1713886313673; Tue, 23 Apr 2024 08:31:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoBBq-SBb4N1b0VCyUxMytbgRCoGWOQug-XJAKSYh6Ezag@mail.gmail.com> <CAOp4FwTOOqaM9=qbGY3ggZ=zJ0M9QBK+ZSA4jvrRx45QuY5Yrw@mail.gmail.com> <ME0P300MB0713FAEDDEB374F45F8B41C8EE0C2@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <ZiVVzrToTdpoPjJ7@chardros.imrryr.org> <BN0P110MB1419089AB59181ADDD061DB59013A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM> <SY8P300MB071114BAF530B5FACA1C2370EE112@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM>
In-Reply-To: <SY8P300MB071114BAF530B5FACA1C2370EE112@SY8P300MB0711.AUSP300.PROD.OUTLOOK.COM>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 23 Apr 2024 11:31:36 -0400
Message-ID: <CAF8qwaBSM1MK=hh2Ezz3ESN82iYFdLi6R4-+Rj7h-vJcnwzJ7g@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9e4860616c540cd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fj_m5BKrekl4nsTsUVpwXhICuzI>
Subject: Re: [TLS] [EXT] Re: Deprecating Static DH certificates in the obsolete key exchange document
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2024 15:31:59 -0000
Having worked on a TLS implementation and removed code for this, I can tell you that is *not* simply a natural side-effect of supporting DH certificates. These modes interact with the TLS handshake logic a fair bit. They omit the ServerKeyExchange message and change the ClientKeyExchange message. The latter is extra fun because it's not determined by the cipher suite, but by what client certificate you got. (This is why TLS 1.2's message order needs to be a somewhat funny Certificate, ClientKeyExchange, CertificateVerify.) It's just code, and it's implementable, but as it is unused, there is no point in expending anyone's complexity budget on it. I support removing these and would echo everything Filippo said. Not every TLS implementor follows IETF discussions carefully, or is as well-connected as we are to the TLS ecosystem. We owe it to them to communicate our understanding and intentions with the protocol as clearly as we can. That includes marking things as a dead end when we believe them to be. If someone were to use one of these today, they would be in for a headache, between security issues, inability to upgrade to TLS 1.3, and interop failures with other stacks. At best, they waste their time. It is thus worth our time to document this, even if, yes, it means we have to do this kind of spring cleaning work. I'd like to thank the folks driving this for being willing to put time into this. We could make that work less time-consuming if we stopped repeating this same discussion every time we do this necessary and responsible task. It needn't be so much fuss to deprecate a thing that no one uses, and that we have already tacitly disavowed by not carrying forward to TLS 1.3. On Tue, Apr 23, 2024 at 6:08 AM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> writes: > > >Nobody in the real world employs static DH anymore – in which case this > draft > >is useless/pointless > > It's not "any more", AFAICT from my inability to find any evidence of the > certificates needed for it in 25-odd years it's "nobody has ever used > static > DH" (with the absence-of-evidence caveat). > > >I’m amazed by drafts like this one. Is nothing constructive remains out > there > >to spend time and efforts on? > > Slow news day? End-of-financial-year clearout? Quota to fill? Someone > lost > a bet? Could be all sorts of things. > > Someone else commented on having seen code to support this, that's just a > natural side-effect of having code that supports DH and code that supports > certificates, you end up with code that probably supports DH certificates, > probably because without ever having seen one to test your code with you > can't > be 100% sure there isn't some glitch somewhere. For example my code > happens > to support Elgamal certificates because there's Elgamal code in there for > PGP > support and so if you use an Elgamal key in a certificate you'll get an > Elgamal certificate. As with the DH-cert code it's never been tested > because > I don't think such a thing as an Elgamal X.509 certificate exists, but in > theory there's support for them in there. > > Peter. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] Deprecating Static DH certificates in t… Martin Thomson
- [TLS] Deprecating Static DH certificates in the o… Joseph Salowey
- Re: [TLS] Deprecating Static DH certificates in t… Eric Rescorla
- Re: [TLS] Deprecating Static DH certificates in t… Salz, Rich
- Re: [TLS] Deprecating Static DH certificates in t… Filippo Valsorda
- Re: [TLS] Deprecating Static DH certificates in t… Peter Gutmann
- Re: [TLS] Deprecating Static DH certificates in t… Nimrod Aviram
- Re: [TLS] Deprecating Static DH certificates in t… Loganaden Velvindron
- Re: [TLS] Deprecating Static DH certificates in t… Peter Gutmann
- Re: [TLS] Deprecating Static DH certificates in t… Viktor Dukhovni
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… Rob Sayre
- Re: [TLS] [EXT] Deprecating Static DH certificate… Hubert Kario
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… Filippo Valsorda
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… Peter Gutmann
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… David Benjamin
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… David Benjamin
- Re: [TLS] [EXT] Re: Deprecating Static DH certifi… Rob Sayre
- [TLS]Re: [EXT] Re: Deprecating Static DH certific… Joseph Salowey