Re: [TLS] DSS with other than SHA-1 algorithms

Geoffrey Keating <geoffk@geoffk.org> Wed, 13 April 2011 00:43 UTC

To: mrex@sap.com
References: <878vvmy4cr.fsf@latte.josefsson.org> <201104130020.p3D0K20X013444@fs4113.wdf.sap.corp>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Tue, 12 Apr 2011 17:43:45 -0700
In-Reply-To: <201104130020.p3D0K20X013444@fs4113.wdf.sap.corp>
Message-ID: <m27hazgev2.fsf@localhost.localdomain>
Lines: 27
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms

Martin Rex <mrex@sap.com> writes:

> In practice, a TLS implementation without these two cipher suites
> 
>       CipherSuite TLS_RSA_WITH_RC4_128_SHA              = { 0x00,0x05 };
>       CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA         = { 0x00,0x0A };
> 
> will likely encounter interop problems with a number of TLS peers,
> whereas TLS implementations with _only_ RSA (no DH, no DHE, no DSS)
> hardly ever missed those cipher suites, except maybe in a few
> exotic PKIs.

Actually, the first one is almost certainly not necessary for a
client.  A small fraction (less than 0.5%) of servers still require
TLS_RSA_WITH_RC4_128_MD5, but generally if you have
TLS_RSA_WITH_3DES_EDE_CBC_SHA you'll be OK, and you can reasonably add
TLS_DHE_RSA_WITH_AES_256_CBC_SHA to obtain forward security on those
servers that support it.  Many servers do prefer RC4 (probably for
performance reasons, if their alternative was 3DES!) but if it's not
available they'll choose something else.

There are some Internet hosts with a DSA key signed by a popular root
CA, but we're talking 0.03% or so, and many of those are expired.

For future work, I would ignore DSS.  It has some useful
characteristics in some circumstances, but ECDSA has the same
characteristics and more.
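The exchange above turns on two mechanics a practitioner may want to check against a real configuration: what a cipher suite name says about key exchange, authentication and cipher (RSA-only vs DHE_RSA vs DHE_DSS, RC4/3DES vs AES), and the fact that a server chooses one suite from the client's offered list, so a client that omits RC4 still interoperates with a server that merely prefers it. The script below is an added illustration, not code from either message or from any TLS implementation. The code points for the two suites quoted by Martin Rex are taken from his message; the other code points are the IANA-registered values for those names. The negotiation function assumes the usual "server chooses from the client's list" rule of RFC 5246, with a flag for whether the server's or the client's ordering wins; the offered lists are constructed sample data.

```python
"""Parse TLS cipher-suite names, simulate suite selection, and audit a
client offer for forward secrecy, legacy ciphers and DSS authentication.
Constructed example; not code from any TLS library."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Code points: 0x0005 and 0x000A are quoted in the thread; the rest are the
# IANA-registered values for those names.
CODE_POINTS: Dict[str, Tuple[int, int]] = {
    "TLS_RSA_WITH_RC4_128_MD5": (0x00, 0x04),
    "TLS_RSA_WITH_RC4_128_SHA": (0x00, 0x05),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": (0x00, 0x0A),
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": (0x00, 0x13),
    "TLS_RSA_WITH_AES_128_CBC_SHA": (0x00, 0x2F),
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": (0x00, 0x39),
}

# TLS_<kex[_auth]>_WITH_<cipher>_<mac>; the non-greedy kex group stops at
# the first "_WITH_", and the mac alternation anchors the tail.
NAME_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str     # RSA, DHE, ECDHE, ...
    auth: str    # RSA, DSS, ECDSA, ...
    cipher: str  # e.g. RC4_128, 3DES_EDE_CBC, AES_256_CBC
    mac: str

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral Diffie-Hellman key exchange gives forward secrecy;
        # plain RSA key transport does not.
        return self.kex in ("DHE", "ECDHE")

    @property
    def legacy_cipher(self) -> bool:
        return self.cipher.startswith(("RC4", "3DES"))


def parse_suite(name: str) -> Suite:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS_*_WITH_* cipher suite name: {name}")
    kx_parts = m["kx"].split("_")
    kex = kx_parts[0]
    # "TLS_RSA_WITH_..." means RSA key transport authenticated by the RSA
    # certificate; "TLS_DHE_DSS_WITH_..." is DHE authenticated by a DSS cert.
    auth = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
    return Suite(name, kex, auth, m["cipher"], m["mac"])


def code_point(name: str) -> str:
    hi, lo = CODE_POINTS[name]
    return f"{{ 0x{hi:02X},0x{lo:02X} }}"


def negotiate(client_offer: List[str], server_supported: List[str],
              server_preference: bool = True) -> Optional[str]:
    """Server picks one suite present in the client's offer (RFC 5246
    7.4.1.2).  Whose ordering decides is an implementation setting, modelled
    here by server_preference; None models a handshake_failure alert."""
    first, second = ((server_supported, client_offer) if server_preference
                     else (client_offer, server_supported))
    for name in first:
        if name in second:
            return name
    return None


def audit(offer: List[str]) -> Dict[str, object]:
    """Summarise what an offered list commits a client to."""
    suites = [parse_suite(n) for n in offer]
    return {
        "forward_secrecy_possible": any(s.forward_secrecy for s in suites),
        "legacy_ciphers": [s.name for s in suites if s.legacy_cipher],
        "dss_authenticated": [s.name for s in suites if s.auth == "DSS"],
    }


# Constructed sample data: a client that drops RC4 but keeps 3DES as its
# fallback, versus a server that lists RC4 first "for performance".
CLIENT_OFFER = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
RC4_PREFERRING_SERVER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
MODERN_SERVER = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    for name in CLIENT_OFFER:
        s = parse_suite(name)
        print(f"{name:40} {code_point(name)} kex={s.kex} auth={s.auth} "
              f"fs={s.forward_secrecy} legacy={s.legacy_cipher}")
    print("RC4-preferring server picks:", negotiate(CLIENT_OFFER, RC4_PREFERRING_SERVER))
    print("Modern server picks:        ", negotiate(CLIENT_OFFER, MODERN_SERVER))
    print("Offer audit:", audit(CLIENT_OFFER))
```

Run as a script it prints the parsed fields and code points for the sample offer, then shows the RC4-preferring server falling back to 3DES (the client never offered RC4, so it cannot be chosen) and the modern server selecting the DHE suite. The `audit` output is the kind of check to run over a real client's configured list: a list with no DHE/ECDHE entry can never get forward secrecy regardless of the server, and any DSS-authenticated entry only matters against the tiny population of DSA-certificate hosts the message describes.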