Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 31 July 2021 12:50 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 673D13A2510 for <tls@ietfa.amsl.com>; Sat, 31 Jul 2021 05:50:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysZyIfpqNw9t for <tls@ietfa.amsl.com>; Sat, 31 Jul 2021 05:50:12 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.23.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9534D3A250E for <tls@ietf.org>; Sat, 31 Jul 2021 05:50:11 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01lp2232.outbound.protection.outlook.com [104.47.71.232]) (Using TLS) by relay.mimecast.com with ESMTP id au-mta-98-KSFsF585MQOKpII3ChAzew-1; Sat, 31 Jul 2021 22:50:03 +1000
X-MC-Unique: KSFsF585MQOKpII3ChAzew-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by SYXPR01MB1967.ausprd01.prod.outlook.com (2603:10c6:0:2a::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.21; Sat, 31 Jul 2021 12:49:56 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::98a4:33de:1d06:e141]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::98a4:33de:1d06:e141%3]) with mapi id 15.20.4373.026; Sat, 31 Jul 2021 12:49:56 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
Thread-Index: AQHXhNw9hZMv7zd4Dke27Husna/eB6ta+ZesgADl/wCAASo/ag==
Date: Sat, 31 Jul 2021 12:49:55 +0000
Message-ID: <SY4PR01MB62516FFB35109F1B1459E01FEEED9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <CAOgPGoARpxr8-FzYJPRcup9XF-DRv875aAnuNZtoLPHM9-6j-w@mail.gmail.com> <4c0aafd3-fc8f-453a-a009-44ecc18dafd7@www.fastmail.com> <YQNLizvBb/xZyxkl@straasha.imrryr.org> <SY4PR01MB6251677071C9EDF4E5149616EEEC9@SY4PR01MB6251.ausprd01.prod.outlook.com>, <YQRLcoKm/+lVGwfv@straasha.imrryr.org>
In-Reply-To: <YQRLcoKm/+lVGwfv@straasha.imrryr.org>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2d68a087-1e83-490e-9260-08d95421b304
x-ms-traffictypediagnostic: SYXPR01MB1967:
x-microsoft-antispam-prvs: <SYXPR01MB196710D9583CFEE799F5F1E0EEED9@SYXPR01MB1967.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: dtUguFaspXMh4hyFixQ1LxwCZ/ZjfSuNYQkYDUdSxiPycP0U2PuyYG7gaio/XYzUQAQuXiTIJqNaxWInnruVEO+DmkyoD7qrfTHnFBSM4yNEdZMCXQb6R7MWRmDpyb5fG5sMAAhKcTXDlmmYyEzbmVOc4sCGn8DKkPLQfL4799g5uqV4+BEX5weZZWu7Zhu+3eCbRFyIavoOil9dKn8uOlGmzm9A+FJReQBwANRrDMXqpkHMRKCVl5pdlsMHZpbGmMTHoIas8Ll6dmFHQW9BdbCMsZLchH0wmvroIkX3vKzh5c6OT7mjboOj0yj6uRyZfGqAfMtKCOUCiQfMJ2JdN/iTZwckYZ/i59Wm1SjeS5pryi3X3FUkHRFJ5b+b5r/7e6HkLTiS+mK92NJWoThDXPEVuli87F61cfLmoDx+GG+lo2iICTzY7eYtJSay86NUHx1oZl4NPSfUT9BYoR7B938b37oNrTFUdz6iQkOFl0apuSn4eMMDM7HA6XViYd/6TzCNRnAEQNZnWiVScyT4TxzNG+3Ux9xM4+hB5UiG7hMnvYxM1DcP9wRbMx2gu/U+4bAWDFuLtKz/dQjYdH4kUtH8A2p0YcfryBiJmPoVOyniQR23uecLGm+4/5FA4bfJ++IjjCT2UmUKAd3axAv13fcviscAL/91UwScMuFeVTZliVlnkWD76N8Xn6zLVxCLgghAyUK1CWsulmcVvvIutw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(39860400002)(396003)(366004)(136003)(52536014)(4744005)(786003)(38100700002)(316002)(122000001)(38070700005)(5660300002)(66446008)(7696005)(86362001)(33656002)(71200400001)(6916009)(8936002)(6506007)(66476007)(76116006)(66946007)(66556008)(9686003)(478600001)(64756008)(55016002)(8676002)(2906002)(186003)(26005); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?fYtkElNmRwnWL5QniJZciFw/XM3b1cjzk/ig89JerPl0jj1Ujg4TsasNw3?= =?iso-8859-1?Q?GycO89+KSMxfX5WZmLn9yz+jF4nIDxnbpOAyvl4re+BfKYEhqmMdoz/gep?= =?iso-8859-1?Q?Q+5Umyy4U8iuEfZ+M/gxeTyhoAhBuSKZddVf8IpUeCvXm68vXt243xCVop?= =?iso-8859-1?Q?naQecfcO3Euqm1pE5SRpjKPdHYpcpKIwlv9sK2dkVrX34DnFcQABi+WGA7?= =?iso-8859-1?Q?ZB5Npn5QqjQDc9QqEmFdDAQTQRS5hxZY+BnOu+M/INeKEuGf+ybsLOKLbP?= =?iso-8859-1?Q?wlF6K+Mw2aUQSmT8AnnHUgEuUy0JNd3L/B2pLa4JDa1aL1OL7QqwJ2M8X8?= =?iso-8859-1?Q?tcmqL4eNTURLxpODjABLHIumGAhfwNjfyEdQCVJMSpknjsGpPKpFSPzCXu?= =?iso-8859-1?Q?c23yYTDOowH6BtUfGr97sdCq83HZ004pbtEo8f+0F/zGMh0YQ1dO9WIQZ3?= =?iso-8859-1?Q?9gq2jdm4jucFCABQwZRv/yi+/fPB7fY7TtiKCUHzjIDmqyb3+2mS7Zozyf?= =?iso-8859-1?Q?gPGGCdyABGWVLPzBQkGPXUYLKTKdAFTvbwRq+4az8fJJ3rwipT/5OO7Cdo?= =?iso-8859-1?Q?O7i09aTzzbwq2Fd6q342mSDIBT7U224hl37bZyPs/24MlIgy9Ow0pj+JRk?= =?iso-8859-1?Q?KCRDuhygEhq3WNlROpS3VST/A2jwBifHWI/EdwRS3xp+E9YEAZQX3DYfxM?= =?iso-8859-1?Q?E2S6rmx5zYXRrk2ssOhgtFezW1m6pBZ4VGZvUelN2j75Bc32TUsSsCACAM?= =?iso-8859-1?Q?8DHvEa4gtVktUKIV0HXAxOIK/yeExP3A9mCWSWRmMeHFUIy/fl1Kg5uRZL?= =?iso-8859-1?Q?ZskjyizBwVHYOY2A5GJjva6TUx7QnwKEPZrtWr0XX/iLl5JvZ8CVgXHiC4?= =?iso-8859-1?Q?keD8BkHpREJLhWyE9fwAidFgQt5e8mwoWcwI3r6vz0TceT/QtrA+B0WhuA?= =?iso-8859-1?Q?UY0ekdDB97TifB8kvkF3Q6FaGf1O+ReFpgbZUJgbPUMLvt27meCYKQ4tiF?= =?iso-8859-1?Q?zyFui6LwG+HdFHIWfDIXcFZyRUau7P7HO33KQrlElDAjx81Z+aCb1eZIjq?= =?iso-8859-1?Q?pyPDBiK5ZlI8OMNEONgmRNbQPvNmob8dTG10iIzKLMaGVUf2WUTdo5zGRD?= =?iso-8859-1?Q?axpuRUiLyf4xd50NrWfPzO/I8kHLDwfQ4wluzyaA2copoGQb7j3hKF83xz?= =?iso-8859-1?Q?iOO81qpA3ky/GyU1MB+5BIQhbHQ+tuxkJPd5CPoMfUfA48vDBIozkVGcj/?= =?iso-8859-1?Q?M3jRL9Jho7sQSUn+0Re4fmVFiQHDvUENuW7JOaKGkZZZHaceSqYnru1H/U?= =?iso-8859-1?Q?7kX9dJRViEWRL38uJShXIxb0AiXcXYNGsuMC1+FIeLrwne4=3D?=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2d68a087-1e83-490e-9260-08d95421b304
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jul 2021 12:49:55.3864 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1S9KIUL8gSj3NOXcES9IytND2FMRaI7U6daSEmaBw9yRpzrrV3kVMoOyCHI8p2tSTsldUOXnZAu+aJupyFDhwW8p9U7ku4HVlv+cWmcFIZs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYXPR01MB1967
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iaYsm2knG74O2wy7qKNW75mXV1s>
Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 12:50:17 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

>Can you explain what you mean by "don't do things that you should never have
>been doing in the first place"?

Just what the draft says, don't use static-ephemeral DH, don't reuse DHE
secrets, etc.  It seems a bit like publishing an RFC telling people not to
stick forks in light sockets, but I guess enough people must have been
sticking forks in light sockets to make it necessary.

Peter.