Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Patrick Pelletier <code@funwithsoftware.org> Mon, 23 September 2013 06:43 UTC


On Sep 22, 2013, at 10:21 PM, Yoav Nir wrote:

> Some people are suggesting that clients break the connection if  
> offered a 1024-bit group. It does make sense that they would break  
> the connection if offered, say, a 512-bit group, no?

True, I think it's reasonable to break the connection for 512, but not  
for 1024.  1024 is "not great security, but not utterly laughable,  
either," so the client ought to accept 1024 if the server offers it.

> No, it's different asking a vendor to change something vs asking end  
> users to recompile Apache.

I think the difference is that the mod_ssl issue is just a matter of  
inertia and might eventually be fixed upstream, while the Red Hat ECC  
position is an institutional policy formulated by lawyers, and is  
unlikely to change.

--Patrick
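
Added example, not part of the original message or of any TLS library: a client-side check that parses the ServerDHParams from a DHE ServerKeyExchange and applies the policy discussed above (refuse 512-bit, accept 1024-bit). All function names are hypothetical, the exact 1024-bit cutoff is an assumption (the message only names 512 and 1024), and the range check on g and Ys goes beyond what the thread discusses.

```python
import struct

MIN_DH_BITS = 1024  # assumption: the message only says refuse 512, accept 1024

class DHParamsError(ValueError):
    """Malformed ServerDHParams, or a group the client policy refuses."""

def _read_opaque16(buf, off):
    # TLS encodes each DH value as opaque<1..2^16-1>: 2-byte length, then bytes.
    if off + 2 > len(buf):
        raise DHParamsError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise DHParamsError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_server_dh_params(buf):
    """Return (p, g, Ys) from the ServerDHParams at the start of buf."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, off = _read_opaque16(buf, off)
    return p, g, ys

def check_dh_group(buf, min_bits=MIN_DH_BITS):
    """Return the size of p in bits, or raise if the handshake should abort."""
    p, g, ys = parse_server_dh_params(buf)
    # Measure the integer, not the encoded length: zero-padding must not
    # make a small modulus look large.
    bits = p.bit_length()
    if bits < min_bits:
        raise DHParamsError(f"{bits}-bit DH group is below the {min_bits}-bit minimum")
    if not (1 < g < p - 1) or not (1 < ys < p - 1):
        raise DHParamsError("generator or server public value out of range")
    return bits

def encode_sample(p, g, ys):
    # Builds constructed sample input; p is only shaped like a modulus,
    # it is not a vetted prime.
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

SAMPLE_512 = encode_sample((1 << 511) | 0x6F, 2, 5)     # constructed
SAMPLE_1024 = encode_sample((1 << 1023) | 0x6F, 2, 5)   # constructed
```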