Re: [TLS] Should we support static RSA in TLS 1.3?

Manuel Pégourié-Gonnard <> Sun, 17 November 2013 15:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B5B6511E8DD4 for <>; Sun, 17 Nov 2013 07:28:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ptJvpGD1NVlR for <>; Sun, 17 Nov 2013 07:28:48 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0665011E8DFD for <>; Sun, 17 Nov 2013 07:28:27 -0800 (PST)
Received: from (unknown [IPv6:2a01:e35:8a5d:80b0:be5f:f4ff:fe2c:95bc]) by (Postfix) with ESMTPS id 1FB0816093; Sun, 17 Nov 2013 16:28:26 +0100 (CET)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 43D2923AA5; Sun, 17 Nov 2013 16:28:24 +0100 (CET)
Message-ID: <>
Date: Sun, 17 Nov 2013 16:28:23 +0100
From: =?ISO-8859-1?Q?Manuel_P=E9gouri=E9-Gonnard?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: Eric Rescorla <>, "" <>
References: <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
OpenPGP: id=98EED379; url=
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Should we support static RSA in TLS 1.3?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 17 Nov 2013 15:28:53 -0000

On 17/11/2013 01:47, Eric Rescorla wrote:
> This isn't a no-brainer, though. Static RSA is still by far the
> dominant key exchange algorithm and if you have an RSA certificate, is
> strictly faster than any ephemeral suite.

Yes, if you have an RSA certificate. OTOH, if in the coming years ECDSA
certificates become more popular, then ECDHE_ECDSA is less computationally
expensive for the server than static RSA, though more expensive for the client.

(By the way, having key exchanges that are less expensive for the server is also
good to make DOS attacks harder.)

> There are also some settings where PFS is actually undesirable,
> especially for diagnosis and monitoring. In this settings, it's much
> more convenient to simply provide the monitoring device with the
> server key. ssldump and wireshark, for instance, both provide this
> feature.
I don't know about ssldump, but with wireshark if you're interested in debugging
only a handful of sessions, it can directly use the premaster secret if you can
get your SSL library to display it (I know NSS can do it, I don't know if
OpenSSL can).

Also, it is possible to (temporarily) use static keys with a
supposedly-ephemeral (EC)DH key exchange and an option could be added to
wireshark and similar tools to take advantage of that.

Overall, I'd be inclined to drop static RSA key exchange in TLS 1.3 and allow
only ephemeral key exchanges (except maybe for the PSK key exchanges).