Re: [TLS] consensus call: deprecate all FFDHE cipher suites

2022-12-20 Thread Hubert Kario
I oppose deprecation. Given that we're still a ways off from standardised post-quantum key exchanges, use of FFDHE with large key sizes is the best protection against store-and-decrypt-later attacks (buying likely years of additional protection). I think the deprecation is premature. While FF

Re: [TLS] consensus call: deprecate all FFDHE cipher suites

2022-12-20 Thread Rob Sayre
On Tue, Dec 20, 2022 at 4:53 AM Hubert Kario wrote:
> Thus the deprecation of it is a matter of taste, not cryptographic necessity.
I'm sorry if I'm being dense here, but isn't all of this a SHOULD NOT in RFC 9325? https://www.rfc-editor.org/rfc/rfc9325.html#name-recommendations-cipher-su

Re: [TLS] consensus call: deprecate all FFDHE cipher suites

2022-12-20 Thread Martin Thomson
On Tue, Dec 20, 2022, at 23:52, Hubert Kario wrote:
> use of FFDHE with large key sizes is the best protection against store-and-decrypt-later attacks
This doesn't deprecate use of FFDHE in TLS 1.3, for which we have some ludicrously large named groups. Is that not enough?
> If anything, RSA

Re: [TLS] consensus call: deprecate all FFDHE cipher suites

2022-12-20 Thread Rob Sayre
On Tue, Dec 20, 2022 at 2:56 PM Martin Thomson wrote:
> On Tue, Dec 20, 2022, at 23:52, Hubert Kario wrote:
> > use of FFDHE with large key sizes is the best protection against store-and-decrypt-later attacks
>
> This doesn't deprecate use of FFDHE in TLS 1.3, for which we have some ludicro