On Tue, Aug 17, 2021 at 10:41 AM Blumenthal, Uri - 0553 - MITLL <
u...@ll.mit.edu> wrote:

> > Regardless of the Raccoon attack, the static DH and ECDH ciphersuites
> > do not provide forward secrecy,
>
> Unless you use semi-static exchange, which in many cases makes sense.
>
> > which is a main reason cited for deprecating RSA
> > in draft-aviram-tls-deprecate-obsolete-kex.
>
> Have the authors looked at Post-Quantum KEMs?
>

FWIW I don't think we should use post-quantum KEMs in pure "static" modes
(a la traditional static RSA).

-Ekr


>
> > Do you object to just the citation of the Raccoon attack or do you also
> > feel that we should keep these ciphersuites that do not provide forward
> > secrecy around?
>
> I think these suites should stay around.
>
>
>
> While static-static indeed do not provide forward secrecy (and many of us
> – though not everybody! – care for that), static-ephemeral DH and ECDH are
> perfectly fine from that point of view.
>
> On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 - MITLL <
> u...@ll.mit.edu> wrote:
>
> I agree with Rene’s points.
>
>
>
> --
>
> Regards,
>
> Uri
>
>
>
>
>
> *From: *TLS <tls-boun...@ietf.org> on behalf of Rene Struik <
> rstruik....@gmail.com>
> *Date: *Friday, August 13, 2021 at 09:58
>
> Dear colleagues:
>
>
>
> I think this document should absolutely *not* be adopted, without
> providing far more technical justification. The quoted Raccoon attack is an
> easy to mitigate attack (which has nothing to do with finite field groups,
> just with poor design choices of postprocessing, where one uses
> variable-size integer representations for a key). There are also good
> reasons to have key exchanges where one of the parties has a static key,
> whether ecc-based or ff-based (e.g., sni, opaque), for which secure
> implementations are known. No detail is provided and that alone should be
> sufficient reason to not adopt.
>
>
>
> Rene
>
>
>
> On 2021-07-29 5:50 p.m., Joseph Salowey wrote:
>
> This is a working group call for adoption for Deprecating FFDH(E)
> Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00
> <https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdhe/>). We
> had a presentation for this draft at the IETF 110 meeting and since it is
> a similar topic to the key exchange deprecation draft the chairs want to
> get a sense if the working group wants to adopt this draft (perhaps the
> drafts could be merged if both move forward).  Please review the draft and
> post your comments to the list by Friday, August 13, 2021.
>
>
>
> Thanks,
>
>
>
> The TLS chairs
>
>
>
> _______________________________________________
>
> TLS mailing list
>
> TLS@ietf.org
>
> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
>
> email: rstruik....@gmail.com | Skype: rstruik
>
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
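
Added example, not part of the original thread and not code from any TLS implementation: the "variable-size integer representations for a key" that Rene Struik's quoted message refers to, shown next to a fixed-width encoding of the same finite-field DH shared secret. The 127-bit prime, generator and exponents are constructed toy values, and the RFC section references in the comments are supplied here rather than taken from the thread.

```python
# Added illustration; the prime, generator and exponents are constructed toy
# values, far too small for real use.
P = 2**127 - 1                      # toy prime modulus (constructed)
G = 3                               # toy generator (constructed)
P_LEN = (P.bit_length() + 7) // 8   # size of the prime in bytes: 16


def shared_secret(own_private: int, peer_public: int) -> int:
    """Finite-field DH: Z = peer_public ^ own_private mod P."""
    return pow(peer_public, own_private, P)


def encode_stripped(z: int) -> bytes:
    """Variable-size form: leading zero bytes of Z are dropped
    (the rule RFC 5246 section 8.1.2 gives for the TLS 1.2 premaster secret)."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def encode_fixed(z: int) -> bytes:
    """Fixed-size form: Z is left-padded with zeros to the size of the prime
    (the rule RFC 8446 section 7.4.1 gives for TLS 1.3)."""
    return z.to_bytes(P_LEN, "big")


def length_profile(static_private: int, trials: int) -> dict:
    """Pair one static key with `trials` different peer keys and record the
    encoded lengths that each of the two rules produces."""
    static_public = pow(G, static_private, P)
    stripped, fixed, short = set(), set(), 0
    for i in range(trials):
        # Deterministic, constructed peer exponents so the run is repeatable.
        peer_private = 0x1F3D5B79A2C4E6F8_0123456789ABCDEF ^ (i * 0x9E3779B97F4A7C15)
        peer_public = pow(G, peer_private, P)
        z = shared_secret(static_private, peer_public)
        assert z == shared_secret(peer_private, static_public)  # both sides agree
        stripped.add(len(encode_stripped(z)))
        fixed.add(len(encode_fixed(z)))
        short += len(encode_stripped(z)) < P_LEN
    return {"stripped": stripped, "fixed": fixed, "short": short}


if __name__ == "__main__":
    profile = length_profile(0x0123456789ABCDEF_FEDCBA9876543210, 2000)
    print("stripped lengths:", sorted(profile["stripped"]))
    print("fixed lengths:   ", sorted(profile["fixed"]))
    print("secrets with a leading zero byte:", profile["short"])
```

With the stripped encoding the byte length depends on the value of the secret; with the fixed encoding it is always `P_LEN`.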
