Hi,

Isn't this issue already in "RFC 9325 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"? (BCP 195)

https://www.rfc-editor.org/rfc/rfc9325.html#section-4.1

So, that's IETF consensus. It's easy to find things that still do this, but I don't think there's any need to name-and-shame.

Maybe this draft is a little stronger than RFC 9325, but it should probably make the relation clear. They share a lot of references. For example, "Practical Invalid Curve Attacks on TLS-ECDH" (Jager, 2015). I think it's the same paper, but the ICA reference in draft-ietf-tls-deprecate-obsolete-kex is broken for me.

I don't have any strong opinions on this one. I just find the paperwork confusing.

thanks,
Rob

On Sun, Apr 21, 2024 at 2:27 PM Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:

> I see two possibilities:
>
> 1. Nobody in the real world employs static DH anymore – in which case this draft is useless/pointless; or
> 2. On private networks people employ static DH to implicitly authenticate their peers (à la MQV) – in which case this draft is harmful.
>
> Overall, I’m amazed by drafts like this one. Does nothing constructive remain out there to spend time and effort on?
>
> --
> V/R,
> Uri
>
> *There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.*
> *The other is to make it so complex there are no obvious deficiencies.*
> *- C. A. R. Hoare*
>
> *From: *TLS <tls-boun...@ietf.org> on behalf of Viktor Dukhovni <ietf-d...@dukhovni.org>
> *Date: *Sunday, April 21, 2024 at 14:07
> *To: *tls@ietf.org <tls@ietf.org>
> *Subject: *[EXT] Re: [TLS] Deprecating Static DH certificates in the obsolete key exchange document
>
> On Sat, Apr 20, 2024 at 04:12:48AM +0000, Peter Gutmann wrote:
>
> > I realise that absence of evidence != evidence of absence, but in response to
> > my previous request for anyone who has such a thing to comment on it, and even
> > better to send me a sample so I can see one, no-one has mentioned, or
> > produced, even one example of "a legitimate CA-issued [static-ephemeral DH
> > certificate] rather than something someone ran up in their basement for fun".
> >
> > So is the draft busy deprecating unicorns and jackalopes? Nothing against
> > that, but it's probably worth adding a note that such certificates are
> > currently not known to exist so you probably don't have to worry about it too
> > much.
>
> Can't say I've seen any static DH certificates in the wild, but
> I have seen code to support these, and perhaps the point is to
> bless deprecating/disabling/removing such code?
>
> In any case, this feels like cosmetic cleanup, rather than an
> effort to migrate a significant population of existing users
> to better practice.
>
> --
> Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls