On 23 March 2016 at 11:38, Timothy Jackson <tjack...@mobileiron.com> wrote:
> How would this group feel about a proposal to address this by specifying in
> the 1.3 specification that implementations must ensure that the strength of
> the certificate must be >= strength of ECDHE/DHE >= strength of the cipher?

There are good reasons to make certain parts of the suite stronger than others.

For example, record protection and ephemeral key exchange strength are
tied to the potential lifetime of the ciphertext.  If someone is
scooping up sessions, that could be a long time (lifetime might
actually need to be a lifetime).

On the other hand, authentication keys need only be strong enough to
resist a break until their expiration date.  To give an example, in
WebRTC, we used to use 1024-bit RSA keys; the lifetime of the keys was
a single session (and it was still too slow).

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
