Re: [Uta] updated I-Ds
Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 26 February 2014 12:23 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E781A02DA for <uta@ietfa.amsl.com>; Wed, 26 Feb 2014 04:23:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnZ--62dayRJ for <uta@ietfa.amsl.com>; Wed, 26 Feb 2014 04:23:34 -0800 (PST)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 7F6621A02D1 for <uta@ietf.org>; Wed, 26 Feb 2014 04:23:34 -0800 (PST)
Received: by mail-we0-f171.google.com with SMTP id u56so1591831wes.16 for <uta@ietf.org>; Wed, 26 Feb 2014 04:23:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=sgCwCvjI/SqGg84eA8n674m1dAXlWwQD7CjoFBk6D8Y=; b=CDqprCFlzXki29U0DmovFbaLDPKvmMx2BE8C3lAIo/EdY/vCxfEHyYf8IIIuEfk6FS LziOPRLiG6qqkkEg+bfbcCdXhTtQz1yro6cL7jJv17V5tNIZWgI2hKIaP25XpHffq8yG pA9CeZyT+8ggZqGcfc/4av4GYdepniQ03yiG+U+qKT5YGXBKAJm1D9ceoOsRCZrXrORh 6lUNXxrGPKGmEKgmCkwVuAriBfNGXjpWOZgrfITumSkkXu2tPGmnyr8xFudTqXWT5kQL eku8HmqIcBxpA1x3fAEtvLllUPyHof5AJP/Kgcj/oBi5tj0XUzjZreggSZpmJ7TkqwXO WVnA==
X-Received: by 10.180.105.41 with SMTP id gj9mr4573114wib.28.1393417412719; Wed, 26 Feb 2014 04:23:32 -0800 (PST)
Received: from [10.2.0.25] (93-173-72-197.bb.netvision.net.il. [93.173.72.197]) by mx.google.com with ESMTPSA id d6sm4960654wiz.4.2014.02.26.04.23.31 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 26 Feb 2014 04:23:32 -0800 (PST)
Message-ID: <530DDCC3.8060602@gmail.com>
Date: Wed, 26 Feb 2014 14:23:31 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "Orit Levin (LCA)" <oritl@microsoft.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Watson Ladd <watsonbladd@gmail.com>
References: <52FD1424.4080400@stpeter.im> <CACsn0ckkJqx7EmNR3iwDCKw089LePHWguMmCvYpLz4dgYhUSzQ@mail.gmail.com> <530D0323.7020509@fifthhorseman.net> <CACsn0cmPTeB6kd_bQ7FMctwr1=UHnehk8tmp+aFtxaYg0gUcwA@mail.gmail.com> <530D0E2B.4040406@fifthhorseman.net> <530D1BE5.1070009@cs.tcd.ie> <530DA919.3020502@gmail.com> <c6e2036b17a34146abfb3a2fd891c825@BL2PR03MB290.namprd03.prod.outlook.com>
In-Reply-To: <c6e2036b17a34146abfb3a2fd891c825@BL2PR03MB290.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/-hN4HrqrpW4UxtJJ0yh8ZdYcxDc
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] updated I-Ds
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 12:23:38 -0000
Hi Orit, Each choice we make needs a rationale, for sure. The question of where to put it (per paragraph, in a separate section, in a separate document) is mostly editorial. For us, having the rationale close to the decision is helpful. For the presumed audience (system architects, implementers) it's best if the rationale is separate, so that the essence of the document is as short as possible. Thanks, Yaron On 02/26/2014 02:11 PM, Orit Levin (LCA) wrote: > How about documenting this kind of applicability considerations under a short "Rationale" paragraph for each choice? > That would be especially helpful for hard choices where there is a no clear winner > - in terms of implementation availability and/or > - it is determined by a deployment case > > Orit. > >> -----Original Message----- >> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Yaron Sheffer >> Sent: Wednesday, February 26, 2014 12:43 AM >> To: Stephen Farrell; Daniel Kahn Gillmor; Watson Ladd >> Cc: uta@ietf.org >> Subject: Re: [Uta] updated I-Ds >> >> The document recommends ECDHE over DHE, because DHE parameters >> cannot be >> negotiated and so some people will be stuck with DH-1024. See >> http://tools.ietf.org/id/draft-sheffer-tls-bcp-02.html#rfc.section.4.2 >> >> But for those people who cannot switch to ECDHE, the tradeoff is exactly >> between RSA-2048 and DH-1024. Stephen would recommend DH-1024 in this >> case, because the NSA can get at the server's private key and then, if >> you don't have PFS, you're hosed. >> >> I would recommend RSA-2048 in this case, because DH-1024 can be broken >> today with commercially available compute power (buy a few Amazon extra >> large instances and let them run for a few months). Also, and this is a >> value judgment, I think the cryptographic break is a higher risk than >> wholesale theft of the private keys. >> >> Thanks, >> Yaron >> >> On 02/26/2014 12:40 AM, Stephen Farrell wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> On 02/25/2014 09:42 PM, Daniel Kahn Gillmor wrote: >>>> Yes, agreed. DHE-1024 needs to be deprecated. >>>> >>> >>> True. But I would hope UTA WG BCPs can be broadly >>> implemented without waiting for a massive upgrade >>> so its possible we could have to live with DH-1024. >>> >>> Much better if that's only a niche or just gets fixed, >>> but that's the kind of trade off that needs to be >>> considered. And an important part of that trade off >>> is not between DH-1024 and RSA-2048, but rather >>> between PFS and non-PFS ciphersuites. >>> >>> S. >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.14 (GNU/Linux) >>> >>> >> iQEcBAEBAgAGBQJTDRviAAoJEC88hzaAX42i6zIH/RVaXQWArXWBdga17SHXqv >> O7 >>> >> viQ1M3iTdNHmaROxdT+qAtt6OXK6eY20bG/QHFvZrUX+RW051LhbCh3WvztX >> yjfH >>> >> BOI+VypROebsmDODi/bFU8JnP4BI8m0F9nsDQTv7QXqV+kG7Rf6nmX7Dru0n >> 0/ad >>> >> uTi1WAeTaFft7gKJMGp1enA9ruTP6BqfmcGG+6ejzS9D5bFNQjndTpmsLTLqK >> CVU >>> >> XfO+DRd2F0t/SQVOgTGilxD31gDGlvJioNA4IXjd3PMi6+1BSFuLj10z+SaaTHCe >>> >> +yjOVcz8Dg6HaY6PZwW+9o9UDS6Y8f/pnOMxSqy7D8I3sKwuyMJ/cHwM/ksS >> tz4= >>> =6IKl >>> -----END PGP SIGNATURE----- >>> >>> _______________________________________________ >>> Uta mailing list >>> Uta@ietf.org >>> https://www.ietf.org/mailman/listinfo/uta >>> >> >> _______________________________________________ >> Uta mailing list >> Uta@ietf.org >> https://www.ietf.org/mailman/listinfo/uta
- [Uta] updated I-Ds Peter Saint-Andre
- Re: [Uta] updated I-Ds Watson Ladd
- Re: [Uta] updated I-Ds Orit Levin (LCA)
- Re: [Uta] updated I-Ds Alexey Melnikov
- Re: [Uta] updated I-Ds Daniel Kahn Gillmor
- Re: [Uta] updated I-Ds Watson Ladd
- Re: [Uta] updated I-Ds Daniel Kahn Gillmor
- Re: [Uta] updated I-Ds Stephen Farrell
- Re: [Uta] updated I-Ds Yaron Sheffer
- Re: [Uta] updated I-Ds Orit Levin (LCA)
- Re: [Uta] updated I-Ds Yaron Sheffer