Ryan, I'm having trouble finding anything you suggest which isn't significantly inferior to what's in TLS 1.3 at best, or bewilderingly confused at worst.
On Thu, Nov 8, 2018 at 12:44 AM Ryan Carboni <rya...@gmail.com> wrote:
> Hmm. TLS has gotten too complex. How does one create a new protocol? Maybe
> we should ask Google.
> The SSHFP DNS record exists. DNSSEC exists.

The cryptography employed by the X.509 PKI is substantially more modern than what's in DNSSEC. Much of DNSSEC's security comes down to 1024-bit or 1280-bit RSA ZSKs. Furthermore, DNSSEC deployment in general lags behind the X.509 PKI significantly. In general, attempts to bolster browser security with DNSSEC have failed due to DNSSEC misconfigurations or outages.

Regardless, if your goal is to make TLS less complex, shifting from the X.509 PKI to a DNSSEC/X.509 hybrid seems diametrically opposed to that goal. And that's the best that you can do, as you can't just wish away the X.509 PKI.

> This might be a radical proposal, but maybe the certificate hash could be
> placed in a DNS TXT record.

How about instead of that, DNS can be used to deliver a CT log inclusion proof?

https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md

> Although, to be radical, all anyone needs is RSA-2048, ephemeral DH-3072,
> and SHAKE-128 as AEAD.

Both RSA and traditional FFDH are difficult to implement in constant time due to their use of bignums, making both notorious for side channel attacks. Due to its reliance on large random primes, RSA key generation is fraught with peril. BB'98 is a recurring problem, and affects not just key encipherment but, in conjunction with other bugs, also affects PKCS#1v1.5 signatures (e.g. BERserk). At least TLS 1.3 adds PSS support, I guess.

Elliptic curve cryptography is faster, easier to implement in constant time, and has comparatively trivial key generation. For these reasons elliptic curve algorithms are preferred in modern protocols.

By sheer volume, we see many, many more attacks on RSA than we do on ECC, and the attacks are mostly not novel, but the same sharp edges coming back to haunt us over and over again. The surest way to avoid BB'98 is to stop using RSA.

> This isn't rocket science. The state of cyber security is a horrible
> disappointment.

Your suggestions are not improvements, they are regressions, or simply do not make sense.

-- 
Tony Arcieri
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls