Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

[Hubert Kario <hkario@redhat.com>]

On Tuesday 23 June 2015 23:21:53 Yoav Nir wrote:
> > On Jun 23, 2015, at 9:51 PM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
> > wrote:> 
> > On Wed, May 20, 2015 at 12:51:40AM +0300, Yoav Nir wrote:
> >> 2) I question the need for TLS_DHE_ ciphersuites, and I seriously doubt
> >> anybody’s going to use those with ChaCha20 “in the wild”.
> > 
> > Can you expand on that (I found that comment strange)? The possiblities
> > that come to mind are:
> > 
> > a) That was a typo for TLS_RSA_ (which isn't FS)
> > b) Actually both TLS_DHE_ and TLS_RSA_, since whatever considers
> > 
> >   supporting Chacha20 supports ECDHE already (or it just does pure-PSK),
> >   and that's superrior to both.
> > 
> > c) Something else.
> 
> No, I actually meant DHE. DHE is hardly used. Any cryptographic library new
> enough to support ChaCha20 will also support ECDHE, which is faster than
> DHE and does not have the baggage of interoperability with legacy
> implementations that only support 1024 bits.
> 
> I thought that we should just deprecate DHE and not even do the
> negotiated-ff-dhe draft. The group thought differently, but pairing this
> legacy key exchange with a new cipher looks strange to me.

If we go the route of negotiating the KEX separately from bulk cipher in 
TLSv1.3, you'll have DHE with ChaCha20 in TLSv1.3.

So you'll remove it only from TLSv1.2 and lower.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic