Re: [Uta] updated I-Ds

"Orit Levin (LCA)" <oritl@microsoft.com> Wed, 26 February 2014 12:11 UTC

Return-Path: <oritl@microsoft.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19D2E1A000A for <uta@ietfa.amsl.com>; Wed, 26 Feb 2014 04:11:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n00X5oCejh4Z for <uta@ietfa.amsl.com>; Wed, 26 Feb 2014 04:11:19 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id 142911A0040 for <uta@ietf.org>; Wed, 26 Feb 2014 04:11:18 -0800 (PST)
Received: from BL2PR03MB290.namprd03.prod.outlook.com (10.141.68.19) by SN2PR03MB016.namprd03.prod.outlook.com (10.255.175.38) with Microsoft SMTP Server (TLS) id 15.0.888.9; Wed, 26 Feb 2014 12:11:10 +0000
Received: from BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) by BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) with mapi id 15.00.0883.010; Wed, 26 Feb 2014 12:11:10 +0000
From: "Orit Levin (LCA)" <oritl@microsoft.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [Uta] updated I-Ds
Thread-Index: AQHPKOyYM81v6EF3MU+PpaV+HLl8EpqzmB+AgBLtuICAAAszAIAAAfSAgAAQXYCAAKhTgIAANsUw
Date: Wed, 26 Feb 2014 12:11:09 +0000
Message-ID: <c6e2036b17a34146abfb3a2fd891c825@BL2PR03MB290.namprd03.prod.outlook.com>
References: <52FD1424.4080400@stpeter.im> <CACsn0ckkJqx7EmNR3iwDCKw089LePHWguMmCvYpLz4dgYhUSzQ@mail.gmail.com> <530D0323.7020509@fifthhorseman.net> <CACsn0cmPTeB6kd_bQ7FMctwr1=UHnehk8tmp+aFtxaYg0gUcwA@mail.gmail.com> <530D0E2B.4040406@fifthhorseman.net> <530D1BE5.1070009@cs.tcd.ie> <530DA919.3020502@gmail.com>
In-Reply-To: <530DA919.3020502@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [195.99.168.174]
x-forefront-prvs: 0134AD334F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(164054003)(13464003)(24454002)(189002)(199002)(479174003)(51704005)(377454003)(19580395003)(76482001)(19580405001)(87936001)(56776001)(54316002)(83322001)(85306002)(94316002)(94946001)(95416001)(69226001)(87266001)(575784001)(86612001)(81342001)(47976001)(47736001)(50986001)(2656002)(4396001)(49866001)(81542001)(74662001)(31966008)(93136001)(56816005)(33646001)(51856001)(47446002)(93516002)(80976001)(74502001)(53806001)(46102001)(54356001)(92566001)(74366001)(81816001)(86362001)(77982001)(59766001)(15975445006)(79102001)(63696002)(74316001)(81686001)(76576001)(15202345003)(76796001)(76786001)(66066001)(65816001)(80022001)(90146001)(85852003)(74876001)(83072002)(74706001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:SN2PR03MB016; H:BL2PR03MB290.namprd03.prod.outlook.com; CLIP:195.99.168.174; FPR:F058D134.6C70D51C.F0376B.5AD87051.204FD; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/G4HBEGENWWQ4AEqVS5UZfoE6XUw
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] updated I-Ds
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 12:11:27 -0000

How about documenting this kind of applicability considerations under a short "Rationale" paragraph for each choice?
That would be especially helpful for hard choices where there is a no clear winner
- in terms of implementation availability and/or
- it is determined by a deployment case

Orit.

> -----Original Message-----
> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Yaron Sheffer
> Sent: Wednesday, February 26, 2014 12:43 AM
> To: Stephen Farrell; Daniel Kahn Gillmor; Watson Ladd
> Cc: uta@ietf.org
> Subject: Re: [Uta] updated I-Ds
> 
> The document recommends ECDHE over DHE, because DHE parameters
> cannot be
> negotiated and so some people will be stuck with DH-1024. See
> http://tools.ietf.org/id/draft-sheffer-tls-bcp-02.html#rfc.section.4.2
> 
> But for those people who cannot switch to ECDHE, the tradeoff is exactly
> between RSA-2048 and DH-1024. Stephen would recommend DH-1024 in this
> case, because the NSA can get at the server's private key and then, if
> you don't have PFS, you're hosed.
> 
> I would recommend RSA-2048 in this case, because DH-1024 can be broken
> today with commercially available compute power (buy a few Amazon extra
> large instances and let them run for a few months). Also, and this is a
> value judgment, I think the cryptographic break is a higher risk than
> wholesale theft of the private keys.
> 
> Thanks,
> 	Yaron
> 
> On 02/26/2014 12:40 AM, Stephen Farrell wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> >
> > On 02/25/2014 09:42 PM, Daniel Kahn Gillmor wrote:
> >> Yes, agreed.  DHE-1024 needs to be deprecated.
> >>
> >
> > True. But I would hope UTA WG BCPs can be broadly
> > implemented without waiting for a massive upgrade
> > so its possible we could have to live with DH-1024.
> >
> > Much better if that's only a niche or just gets fixed,
> > but that's the kind of trade off that needs to be
> > considered. And an important part of that trade off
> > is not between DH-1024 and RSA-2048, but rather
> > between PFS and non-PFS ciphersuites.
> >
> > S.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.14 (GNU/Linux)
> >
> >
> iQEcBAEBAgAGBQJTDRviAAoJEC88hzaAX42i6zIH/RVaXQWArXWBdga17SHXqv
> O7
> >
> viQ1M3iTdNHmaROxdT+qAtt6OXK6eY20bG/QHFvZrUX+RW051LhbCh3WvztX
> yjfH
> >
> BOI+VypROebsmDODi/bFU8JnP4BI8m0F9nsDQTv7QXqV+kG7Rf6nmX7Dru0n
> 0/ad
> >
> uTi1WAeTaFft7gKJMGp1enA9ruTP6BqfmcGG+6ejzS9D5bFNQjndTpmsLTLqK
> CVU
> >
> XfO+DRd2F0t/SQVOgTGilxD31gDGlvJioNA4IXjd3PMi6+1BSFuLj10z+SaaTHCe
> >
> +yjOVcz8Dg6HaY6PZwW+9o9UDS6Y8f/pnOMxSqy7D8I3sKwuyMJ/cHwM/ksS
> tz4=
> > =6IKl
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Uta mailing list
> > Uta@ietf.org
> > https://www.ietf.org/mailman/listinfo/uta
> >
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta