[TLS] DSA should die

Hanno Böck <hanno@hboeck.de> Wed, 01 April 2015 18:12 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BED71A1A94 for <tls@ietfa.amsl.com>; Wed, 1 Apr 2015 11:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_BACK=2.3, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JdPvrYKKVNcF for <tls@ietfa.amsl.com>; Wed, 1 Apr 2015 11:12:12 -0700 (PDT)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 376C81A0270 for <tls@ietf.org>; Wed, 1 Apr 2015 11:12:12 -0700 (PDT)
Received: from pc1.fritz.box (x4d0c3efb.dyn.telefonica.de [::ffff:77.12.62.251]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 128bits, ECDHE-RSA-AES128-GCM-SHA256) by zucker.schokokeks.org with ESMTPSA; Wed, 01 Apr 2015 20:12:10 +0200 id 000000000000006F.00000000551C34FA.000022F8
Date: Wed, 1 Apr 2015 20:12:21 +0200
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20150401201221.163745c2@pc1.fritz.box>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-8952-1427911930-0001-2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rmA-1c8WsyFGwhhOzPIguWviB8Y>
Subject: [TLS] DSA should die
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 18:12:20 -0000

Hi,

Mozilla just removed DSA support from Firefox. It seems the use of
(non-ecc) DSA in TLS is pretty much nonexistent. Still the TLS 1.3 draft
contains DSA.

Proposal: DSA should go away and not be part of TLS 1.3.

Reasons to remove DSA:
* DSA with 1024 bit is considered weak and DSA with more than 1024 bit
  is widely unsupported.
* DSA has comparable security to RSA (it using same keysize) which is
  the de-facto-default. Given that everybody uses RSA and nobody uses
  DSA having the latter only adds unneccessary complexity.
* DSA can fail badly with bad random number generators.

Some numbers:
In the 2013 https ecosystem scan there were 17 DSA keys on public IPs,
none of them CA-trusted:
http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

I think it's safe to say nobody will care if DSA is removed.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42