On Friday, 14 July 2023 09:01:30 CEST, Peter Gutmann wrote:
> Viktor Dukhovni <ietf-d...@dukhovni.org> writes:
>
>> What benefit do we expect from forcing weaker security (RSA key exchange
>> or cleartext in the case of SMTP) on the residual servers that don't do
>> either TLS 1.3 or ECDHE?
>
> This already happens a lot in wholesale banking: the admins have dutifully
> disabled DH because someone said so, and so all keyex falls back to RSA circa
> 1995, the worst possible situation to be in.
>
> There needs to be clear text in there to say that if you can't do ECC then
> do DH but never RSA, or even just "keep using DH because it's still vastly
> better than the alternative of RSA".  At the moment the blanket "don't do DH"
> is in effect saying "use RSA keyex" to a chunk of the market.

Yes, what the text should say is: "MUST NOT use RSA key exchange, SHOULD NOT
support ephemeral FFDHE, and if it does support FFDHE the key shares MUST be
ephemeral and never reused."
There _needs_ to be a clear preference for FFDHE over RSA, as otherwise people
will end up using RSA because "it's faster", or "it's more interoperable",
completely missing the part that it's also vastly less secure.

Frankly, I find the interoperability issues of TLS 1.2 FFDHE overblown:
FIPS requires supporting only well-known groups (all of them 2048-bit or
larger), and we've received hardly any customer issues after implementing
that as a hard check (the connection will fail if the key exchange uses
custom DH parameters) a good few years ago now.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
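As an added illustration of the preference order argued for in this thread (not code from the thread or from any of its authors), the following Python check classifies a TLS 1.2/1.3 cipher suite configuration by key-exchange family, reports static RSA key transport as a MUST NOT, ephemeral FFDHE as a SHOULD NOT fallback, and enforces the "well-known groups of 2048 bits or larger, else fail" rule on a DH prime. The suite names are IANA names; the allowlist of group primes is supplied by the caller (the RFC 7919 primes themselves are not embedded), and the 2048-bit integer in the usage is a constructed placeholder, not a real group.

```python
"""Key-exchange policy check for a TLS cipher suite configuration.

Added example, not code from the IETF TLS thread or its authors. Encodes the
preference argued there: TLS 1.3 or ephemeral ECDHE first, ephemeral FFDHE
with well-known groups (>= 2048 bits) only as the fallback, static RSA key
transport never.
"""

# TLS 1.3 suite names carry no key-exchange token: the handshake always
# negotiates an ephemeral (EC)DHE key share.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Preference rank (lower is better). Families absent from this table are
# not acceptable at all and are dropped by recommended_order().
RANK = {"TLS13": 0, "ECDHE": 1, "DHE": 2}

# First token after "TLS_" in a TLS 1.2 IANA name -> key-exchange family.
_FAMILY = {
    "RSA": "RSA",            # static RSA key transport (also TLS_RSA_PSK_*)
    "DHE": "DHE",            # ephemeral finite-field DH
    "ECDHE": "ECDHE",        # ephemeral elliptic-curve DH
    "DH": "DH_STATIC",       # static DH, including TLS_DH_anon_*
    "ECDH": "ECDH_STATIC",   # static ECDH
}


def key_exchange(suite):
    """Return the key-exchange family encoded in an IANA cipher suite name."""
    if suite in TLS13_SUITES:
        return "TLS13"
    head, sep, _ = suite.partition("_WITH_")
    if not sep or not head.startswith("TLS_"):
        return "UNKNOWN"
    first = head.split("_")[1]
    return _FAMILY.get(first, "OTHER")  # PSK, SRP, KRB5, ... are "OTHER"


def evaluate(suites):
    """Return (requirement level, message) findings for an enabled suite list."""
    findings = []
    kinds = {key_exchange(s) for s in suites}
    if "RSA" in kinds:
        findings.append(("MUST NOT",
                         "static RSA key exchange enabled: no forward secrecy"))
    if kinds & {"DH_STATIC", "ECDH_STATIC"}:
        findings.append(("MUST NOT",
                         "static (EC)DH enabled: key shares are reused, not ephemeral"))
    if "DHE" in kinds:
        findings.append(("SHOULD NOT",
                         "ephemeral FFDHE enabled: acceptable only as a fallback "
                         "with well-known groups of 2048 bits or more"))
    if not kinds & {"TLS13", "ECDHE"}:
        findings.append(("SHOULD",
                         "no TLS 1.3 or ECDHE suite enabled: add one so FFDHE "
                         "is only the fallback"))
    return findings


def recommended_order(suites):
    """Drop unacceptable suites and order the rest: TLS 1.3, ECDHE, then DHE."""
    kept = [s for s in suites if key_exchange(s) in RANK]
    return sorted(kept, key=lambda s: RANK[key_exchange(s)])  # stable sort


def check_dh_group(p, allowlist, min_bits=2048):
    """Hard check on a server's DH prime: size floor, then well-known group only.

    `allowlist` is the set of accepted group primes (e.g. the RFC 7919 groups),
    supplied by the caller. Anything else is treated as custom parameters and
    the connection is to be refused.
    """
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"DH prime is {bits} bits, below the {min_bits}-bit minimum"
    if p not in allowlist:
        return False, "custom DH parameters: prime is not a well-known group"
    return True, f"well-known {bits}-bit group"


if __name__ == "__main__":
    # Constructed configuration of the kind the thread describes.
    config = [
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
    for level, msg in evaluate(config):
        print(f"{level}: {msg}")
    print("recommended order:", recommended_order(config))
    # Constructed 2048-bit placeholder, NOT a real DH group prime.
    fake_p = (1 << 2047) | 1
    print(check_dh_group(fake_p, frozenset({fake_p})))
    print(check_dh_group(fake_p, frozenset()))  # custom params -> refuse
```

The ordering function keeps the "DH before RSA, never RSA" rule explicit: static RSA suites are not demoted but removed, and FFDHE survives only behind ECDHE or TLS 1.3, so a configuration with no ECC left still negotiates a forward-secret exchange rather than 1995-style RSA key transport.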
