Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 17 September 2013 09:25 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65F5B11E83C5 for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 02:25:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O8VYF8+LL4hK for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 02:25:38 -0700 (PDT)
Received: from mail-bk0-x230.google.com (mail-bk0-x230.google.com [IPv6:2a00:1450:4008:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 1E30111E83C1 for <tls@ietf.org>; Tue, 17 Sep 2013 02:25:37 -0700 (PDT)
Received: by mail-bk0-f48.google.com with SMTP id my13so1984967bkb.21 for <tls@ietf.org>; Tue, 17 Sep 2013 02:25:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=VCaI1miH2eyBfAbgBDXcm7/zgGbExX08ZubbHvFUQ2E=; b=s2Wt+lqEH2i4JdhlJuOczgwpK4N3y4TU5SLYoHjKajEST6k8uDIKY+UQQ8+4AJBSq8 oDb9tKPzqoZqwsDrHzqJbTkVa4NeqCj61NAIYeY78v7Pl9U8qJdpUpaxYS4guN81LhGx LJ6OdTwvpOAJItXn5F5C3CZn9LxkBQGh6+jbjayW0e5nZKZH2SRK3Fd3rdYxeeG8z8C3 aKK8tn6Du5jQtFtjTIgvlkwAOag2eMO0UcC5Q7qYzhropyi5aSv1PooWmyrZNRJFRUdo tg+2VYqp4n8QTZVvtnUZPVgug6OPKhxe/NpY/wyoP4xBV90WHEjB66d377Vh806oRMr8 EvAg==
X-Received: by 10.204.168.197 with SMTP id v5mr28368282bky.24.1379409937206; Tue, 17 Sep 2013 02:25:37 -0700 (PDT)
Received: from [10.0.0.140] (93-173-253-212.bb.netvision.net.il. [93.173.253.212]) by mx.google.com with ESMTPSA id jt14sm9485241bkb.0.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Sep 2013 02:25:36 -0700 (PDT)
Message-ID: <5238200E.70500@gmail.com>
Date: Tue, 17 Sep 2013 12:25:34 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: mrex@sap.com
References: <20130916211725.6E5E21A971@ld9781.wdf.sap.corp>
In-Reply-To: <20130916211725.6E5E21A971@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2013 09:25:40 -0000

Hi Martin,

you are right about Windows of course.

More generally, the draft is not trying to make recommendations that are 
actually implemented today by all browsers. We all know that 
implementation of TLS 1.2 is patchy to say the least. But we also know 
that the industry is in fact moving there. My personal goal is to make 
recommendations that will be useful (using real production software) 
mid-2014 or so, for people who are willing to update to the latest 
product releases.

Thanks,
	Yaron

On 09/17/2013 12:17 AM, Martin Rex wrote:
> Yaron Sheffer wrote:
>>
>> Problem #1 goes away if we say that the server only sends 2048-bit DH
>> parameters to "new" clients (those that offer TLS 1.2), and assume these
>> can all deal with DH of any length. Our draft recommends a TLS 1.2-only
>> cipher suite anyway. And since new clients are still rare, this could work.
>>
>> This partial solution is complicated by IE10, which (AFAIK) supports TLS
>> 1.2, but has this support off by default, and does not support larger
>> than 1024-bit DH.
>
> IE10 is an awkward way to refer to an implementation.
> What matters is what Microsoft's SChannel from the underlying OS supports.
> And Microsoft seems to not support DHE with RSA
> (only DHE_DSA, ECDHE_RSA and ECDHE_ECDSA).
>
>
> Windows 7 & 2008R2
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx
>
> Windows Vista & 2008:
> http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651%28v=vs.85%29.aspx
>
> Windows XP & 2003
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx
>
>
>
> -Martin
>