On Thu, Mar 10, 2016 at 07:41:58PM +0000, Stephen Farrell wrote:

> My question is: Should the WG take the opportunity to more
> tightly define the key exchange parameters for these
> ciphersuites?
>
> For example, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 could
> REQUIRE RSA keys with >=2048 bit moduli and one could go
> further and say that this also REQUIRES use of specific
> integer DH groups.

I think that enforcing such a requirement for just new cipher-suites would be counterproductive. If a server has a 1024-bit RSA certificate or is configured with 1024-bit DH parameters, should it not offer CHACHA20, and restrict the client to AES or 3DES which don't have that constraint? What does that achieve? Or should the server go ahead with CHACHA20 and then the client refuse?

I think it makes more sense to set such floors on a per-protocol basis (TLS 1.3, ...) than a per-cipher-suite basis.

--
Viktor.