Re: [TLS] Should we support static RSA in TLS 1.3?
Manuel Pégourié-Gonnard <mpg@elzevir.fr> Sun, 17 November 2013 15:28 UTC
Return-Path: <mpg@elzevir.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5B6511E8DD4 for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 07:28:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptJvpGD1NVlR for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 07:28:48 -0800 (PST)
Received: from mordell.elzevir.fr (mordell.elzevir.fr [92.243.3.74]) by ietfa.amsl.com (Postfix) with ESMTP id 0665011E8DFD for <tls@ietf.org>; Sun, 17 Nov 2013 07:28:27 -0800 (PST)
Received: from thue.elzevir.fr (unknown [IPv6:2a01:e35:8a5d:80b0:be5f:f4ff:fe2c:95bc]) by mordell.elzevir.fr (Postfix) with ESMTPS id 1FB0816093; Sun, 17 Nov 2013 16:28:26 +0100 (CET)
Received: from [192.168.0.124] (unknown [192.168.0.254]) by thue.elzevir.fr (Postfix) with ESMTPSA id 43D2923AA5; Sun, 17 Nov 2013 16:28:24 +0100 (CET)
Message-ID: <5288E097.6050606@elzevir.fr>
Date: Sun, 17 Nov 2013 16:28:23 +0100
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBN3WPigLn-ggm2YGTcPEwn8G-1ecRAxdCtK3ueuUPF09Q@mail.gmail.com>
In-Reply-To: <CABcZeBN3WPigLn-ggm2YGTcPEwn8G-1ecRAxdCtK3ueuUPF09Q@mail.gmail.com>
X-Enigmail-Version: 1.6
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Should we support static RSA in TLS 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 15:28:53 -0000
On 17/11/2013 01:47, Eric Rescorla wrote: > This isn't a no-brainer, though. Static RSA is still by far the > dominant key exchange algorithm and if you have an RSA certificate, is > strictly faster than any ephemeral suite. Yes, if you have an RSA certificate. OTOH, if in the coming years ECDSA certificates become more popular, then ECDHE_ECDSA is less computationally expensive for the server than static RSA, though more expensive for the client. (By the way, having key exchanges that are less expensive for the server is also good to make DOS attacks harder.) > There are also some settings where PFS is actually undesirable, > especially for diagnosis and monitoring. In this settings, it's much > more convenient to simply provide the monitoring device with the > server key. ssldump and wireshark, for instance, both provide this > feature. > I don't know about ssldump, but with wireshark if you're interested in debugging only a handful of sessions, it can directly use the premaster secret if you can get your SSL library to display it (I know NSS can do it, I don't know if OpenSSL can). Also, it is possible to (temporarily) use static keys with a supposedly-ephemeral (EC)DH key exchange and an option could be added to wireshark and similar tools to take advantage of that. Overall, I'd be inclined to drop static RSA key exchange in TLS 1.3 and allow only ephemeral key exchanges (except maybe for the PSK key exchanges). Manuel.
- [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Phillip Hallam-Baker
- Re: [TLS] Should we support static RSA in TLS 1.3? Geoffrey Keating
- Re: [TLS] Should we support static RSA in TLS 1.3? Watson Ladd
- Re: [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Watson Ladd
- Re: [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Eric Rescorla
- Re: [TLS] Should we support static RSA in TLS 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] Should we support static RSA in TLS 1.3? Andy Lutomirski
- Re: [TLS] Should we support static RSA in TLS 1.3? Geoffrey Keating
- Re: [TLS] Should we support static RSA in TLS 1.3? Andy Lutomirski
- Re: [TLS] Should we support static RSA in TLS 1.3? Phillip Hallam-Baker
- Re: [TLS] Should we support static RSA in TLS 1.3? Marsh Ray
- Re: [TLS] Should we support static RSA in TLS 1.3? Peter Gutmann