Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> writes: >The formulation I would choose would be: > > - MUST prefer ECDHE key exchange, when supported, over FFDHE key exchange. > - MUST prefer FFDHE key exchange, when supported, over RSA key exchange.
I think there should also be some wording around avoiding falling back to RSA because of choices made elsewhere. In the cases I'm aware of the use of RSA wasn't because anyone chose to use it but because some (I assume) best- practices document somewhere told admins "herp derp, disable DH" and the result was use of RSA without them being aware of it (it's led to weird configs where what might be enabled on one or both sides is a few ECDH suites at the start followed by a large hole where FFDH is and then finally a bunch of RSA suites at the other end). I would hope no-one actually *chooses* to use RSA, it just ends up as the silent fallback when other things are unavailable. So perhaps a note wherever some form of "SHOULD NOT FFDHE" appears along the lines of: Note that disabling FFDHE may cause systems to silently fall back to the far less secure RSA instead. If choosing to disable FFDHE, users should ensure that this doesn't result in clients or servers silently falling back to RSA, as this is far less secure than FFDHE. I realise that "MUST prefer FFDHE" says this too, but since users have already fallen into this trap in the past it'd be worth emphasising how to avoid it. Peter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls