Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Martin Thomson <mt@lowentropy.net> Sat, 31 July 2021 01:51 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A5803A0400 for <tls@ietfa.amsl.com>; Fri, 30 Jul 2021 18:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=nnhQFVyn; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=aIixrj5b
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L1jsUgRzK6Bj for <tls@ietfa.amsl.com>; Fri, 30 Jul 2021 18:51:51 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C9FE3A03FB for <tls@ietf.org>; Fri, 30 Jul 2021 18:51:51 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id A3BAA5C00E8; Fri, 30 Jul 2021 21:51:45 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute5.internal (MEProxy); Fri, 30 Jul 2021 21:51:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm2; bh=RTqEYC6dqTVLetripNXpfgC8qhZ5 JNcPU7+v1Sr2D6k=; b=nnhQFVynfv7Jgeh74GHLscj5p4HK65QRPfT3M4moBnnL CvJbe5wN53NPtrgUMrNxlZtoFlq0WPJzZnx0NSw6U0DLPR1eHKKl3X2r8jLqr7pd 6P95tIo91aArM9JmIV8bOD8fMILuc1vigQ00K/aZ5tWNWPZDcRiYv2dDvSz9zm4K d1QR4vxX1xBl41JUpMCTJoGkY8+23lcS6woKtnkC55Jm9c8EZWJPlDHiF/CnGImb /cnoGWPKOvr6uk8pQComDUra6voqtU1MggmBMvYBv+QemfKI2UD1v6RCUzu5ClEy 16/cCU/qZ8ZPY/DoEeRBKk9gg5KPv2mjfsJ5X42UnA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=RTqEYC 6dqTVLetripNXpfgC8qhZ5JNcPU7+v1Sr2D6k=; b=aIixrj5byPhaHEWiAtesno twZ9tu1v0jNncLHhLGZZ1/rBKCFlxam5rT1QFIDRbe4AjO4aFdASuA8Vg44HHoLy GRq8MVmx10EbZzNqrKnKA2plKwZdECIkIyeisInIw+ls4WqF/yh5KeXDHrpXmLzT 4yOAqQnq4Zg0AhVGpDxQJkBfOmZUF+lscCqBsmJcumE4EZZpQhNmg9TePBFmzFBu 9d2JiRgTrFTGk9cZyIGQT017bD4yINgRiXeCoXxKKk/N82aJJzN4e7sFUlyvtfTq Fb/olo8iiqm8pBn/9CZt40iCFapYZE6v7syHsd+CW4PXonnC1a22HgE1+R9AiWoQ ==
X-ME-Sender: <xms:sKwEYfR_RZRpNrdVqCFKrvhb5079Rw-EpSUXjonoEcCOKKn8hkfuUQ> <xme:sKwEYQzPcmfzgo4MdvclRps4s7pIk7FnjqIUJ6y8Bzj7vJf0kM6_z1YJdiyTZKmAd 0AJfOYXeNsqdiBT4OE>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrheeigdehtdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucggtf frrghtthgvrhhnpeekteeuieektdekleefkeevhfekffevvdevgfekgfeluefgvdejjeeg ffeigedtjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:sKwEYU1IV3Cia6yultIlcoZVT7HGcnVF_VrSqbQPsZpea0ibPNuV4Q> <xmx:sKwEYfBi_vGiiIj4Z6naILFc0eZGNrl23tq3oHrhIKvO6MGmFPPPGA> <xmx:sKwEYYiEtyfFAAP7KpJoYBxxqfda9vjfDQtZt1Id6WK0iR1NEuJxlQ> <xmx:sawEYWdX5XSbHsjBV5yP8NtE6AAQJ3PXUTygCFMInkUwX6CB66wJkA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B9DFF3C0471; Fri, 30 Jul 2021 21:51:44 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-545-g7a4eea542e-fm-20210727.001-g7a4eea54
Mime-Version: 1.0
Message-Id: <b8eb242c-2634-43c4-8d1d-0cb7df700996@www.fastmail.com>
In-Reply-To: <42825587-F7A0-4972-9A33-BDEE68123446@icloud.com>
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <1f86d146-92a1-4175-985f-92705d077d7c@www.fastmail.com> <42825587-F7A0-4972-9A33-BDEE68123446@icloud.com>
Date: Sat, 31 Jul 2021 11:51:23 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: "Carrick Bartle" <cbartle891@icloud.com>
Cc: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/j-MCuSnfJKiHEML5_F7FfRRWoIk>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Jul 2021 01:51:56 -0000

On Sat, Jul 31, 2021, at 06:25, Carrick Bartle wrote:
>  are you opposed to fully deprecating FFDHE? If so, why?

No so much opposed as that it is not necessary.  Though the TLS 1.2 variant is - as others have noted - close to impossible to negotiate the "good" groups, it's not concretely bad when you use it in TLS 1.3.