On Mon, 2018-11-05 at 21:24 -0500, Viktor Dukhovni wrote:
> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
>
> X509v3 Key Usage:
> Key Encipherment, Data Encipherment
>
> (which one might take to mean that only RSA key
> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into TLS
> was a mistake, and glad to see them gone in TLS 1.3.
I agree with the sentiment, but there is a concerted effort to bring fixed
(EC)DH to TLS 1.3:
https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.0
> On Nov 12, 2018, at 4:45 AM, Tony Putman wrote:
>
> Can you please explain to me the problem with (EC)DH ciphers? If it's the
> lack of forward secrecy, then I understand. If there are other problems,
> then I would be keen to understand them.
As much as it was lack of forward-secrecy, it was
Viktor,
> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
> TLS was a mistake, and glad to see them gone in TLS 1.3.
Can you please explain to me the problem with (EC)DH ciphers? If it's the
lack of forward secrecy, then I understand. If there are other problems,
then I
> On Nov 9, 2018, at 11:52 AM, Yoav Nir wrote:
>
>> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
>> TLS was a mistake, and glad to see them gone in TLS 1.3.
>
> FWIW RFC 8422 also deprecates them for TLS 1.2 and earlier.
Great! Thanks. I see that in:
5.5.
> On 9 Nov 2018, at 13:40, Viktor Dukhovni wrote:
>
>> On Nov 9, 2018, at 1:19 AM, Peter Gutmann wrote:
>>
>>> Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>>> used for encryption with ECIES.
>>
>> Sure, in theory, but in practice I've never seen an (EC)DH cer
> On Nov 9, 2018, at 1:19 AM, Peter Gutmann wrote:
>
>> Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>> used for encryption with ECIES.
>
> Sure, in theory, but in practice I've never seen an (EC)DH cert used in TLS
> (despite actively looking for one,
Nor have I,
Viktor Dukhovni writes:
>Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>used for encryption with ECIES.
Sure, in theory, but in practice I've never seen an (EC)DH cert used in TLS
(despite actively looking for one, since it'd be a collector's item for the
cert collec
> On Nov 8, 2018, at 5:27 PM, Peter Gutmann wrote:
>
>> Always enforce peer certificate key usage (separation) for ECDSA. ECDSA keys
>> are more brittle when misused.
>
> Since ECDSA can only do signing, isn't this a bit redundant? In other words
> you can't really not enforce keyUsage for a si
Blumenthal, Uri - 0553 - MITLL writes:
>Always enforce peer certificate key usage (separation) for ECDSA. ECDSA keys
>are more brittle when misused.
Since ECDSA can only do signing, isn't this a bit redundant? In other words
you can't really not enforce keyUsage for a signature-only algorithm.
Yes to what Viktor proposed.
On 11/7/18, 11:27 PM, "TLS on behalf of Viktor Dukhovni" wrote:
> On Nov 7, 2018, at 6:07 PM, Geoffrey Keating wrote:
>
> In general, though, what you're asking is "The CA signing this key has
> instructed that I do not accept signatures made with i
> On Nov 7, 2018, at 6:07 PM, Geoffrey Keating wrote:
>
> In general, though, what you're asking is "The CA signing this key has
> instructed that I do not accept signatures made with it. Is it OK to
> accept signatures made with it?" It's really hard to see how the
> answer to that could general
Viktor Dukhovni writes:
> [ Quoted text slightly reordered to put the RSA issue first, as that's
> the main thing I'm trying to get clarity on, and enabling keyUsage
> enforcement is causing some interoperability issues now... ]
>
> > On Nov 5, 2018, at 11:11 PM, Geoffrey Keating wrote:
> >
On Wed, Nov 7, 2018 at 1:12 AM Viktor Dukhovni
wrote:
> [ Quoted text slightly reordered to put the RSA issue first, as that's
> the main thing I'm trying to get clarity on, and enabling keyUsage
> enforcement is causing some interoperability issues now... ]
>
> > On Nov 5, 2018, at 11:11 PM,
Geoffrey Keating wrote:
> Viktor Dukhovni writes:
>>
>> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
>> certificate that *only* lists:
>>
>> X509v3 Key Usage:
>> Key Encipherment, Data Encipherment
>
> Yes, because in DHE-RSA, the RSA key is used
[ Quoted text slightly reordered to put the RSA issue first, as that's
the main thing I'm trying to get clarity on, and enabling keyUsage
enforcement is causing some interoperability issues now... ]
> On Nov 5, 2018, at 11:11 PM, Geoffrey Keating wrote:
>
>> TL;DR: Should TLS client abort D
Viktor Dukhovni writes:
> TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
> certificate that *only* lists:
>
> X509v3 Key Usage:
> Key Encipherment, Data Encipherment
Yes, because in DHE-RSA, the RSA key is used for signing, and this is
an encryption-
TL;DR: Should TLS client abort DHE-RSA handshakes with a peer
certificate that *only* lists:
X509v3 Key Usage:
Key Encipherment, Data Encipherment
(which one might take to mean that only RSA key exchange is allowed,
and DHE-RSA is not, for lack of the DigitalSignatur