TLS_DHE is weak when used with interoperable key lengths. It also causes interop issues due to several instances of under-specification (leading zeros, lack of group negotiation). I'm in favor of deprecating TLS_DHE.
Cheers,

Andrei

-----Original Message-----
From: TLS <tls-boun...@ietf.org> On Behalf Of Martin Thomson
Sent: Monday, March 8, 2021 10:09 AM
To: David Benjamin <david...@chromium.org>; Carrick Bartle <cbartle891=40icloud....@dmarc.ietf.org>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: [EXTERNAL] Re: [TLS] Regarding draft-bartle-tls-deprecate-ffdhe

One thing at a time?

On Tue, Mar 9, 2021, at 05:05, David Benjamin wrote:
> I'd suggest we also deprecate TLS 1.2 TLS_DHE_*, even when ephemeral:
>
> - The construction is broken. The leak itself in the Raccoon attack comes from TLS 1.2 removing leading zeros. We can't change the meaning of the existing code points, so any fix there would involve dropping them.
>
> - It lacks group negotiation, which makes it very difficult to migrate away from small groups. At least in the web, it's already no longer supported by most implementations.
> https://groups.google.com/a/chromium.org/g/blink-dev/c/AAdv838-koo/m/bJv17voIBAAJ
> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
> https://weakdh.org/
>
> On Mon, Mar 8, 2021 at 12:52 PM Carrick Bartle <cbartle891=40icloud....@dmarc.ietf.org> wrote:
> > Agreed. I'll change the title to reflect that.
> >
> > > On Mar 8, 2021, at 7:33 AM, Martin Thomson <m...@lowentropy.net> wrote:
> > >
> > > Well overdue. We should do this.
> > >
> > > The title "Deprecating FFDH(E) Ciphersuites in TLS" doesn't seem to match the document content. I only see static or semi-static DH and ECDH key exchange being deprecated (in the document as non-ephemeral).
> > >
> > > _______________________________________________
> > > TLS mailing list
> > > TLS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tls
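An added illustration of the leading-zero point David Benjamin raises above (example code, not part of the thread): TLS 1.2 strips leading zero bytes from the DH shared secret Z before using it as the pre_master_secret, so the encoding length depends on Z, whereas TLS 1.3 left-pads Z to the size of the prime. The 64-bit prime and generator below are a constructed toy group chosen only to keep the numbers readable; they are an assumption of this demo and not a real TLS group.

```python
import secrets

# Constructed toy group: p = 2**64 - 59 is prime, g = 2. Demo assumption only;
# real FFDHE groups are 2048 bits or more, but the encoding logic is the same.
P = 2**64 - 59
G = 2


def group_width(p: int) -> int:
    """Byte length of the prime, i.e. the fixed width TLS 1.3 pads Z to."""
    return (p.bit_length() + 7) // 8


def tls12_premaster(z: int) -> bytes:
    """RFC 5246 8.1.2: leading all-zero bytes of Z are stripped, so the
    pre_master_secret length varies with the value of Z (the Raccoon leak)."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def tls13_shared_secret(z: int, p: int) -> bytes:
    """RFC 8446 7.4.1: Z is left-padded with zeros to the size of p, so every
    Z encodes to the same length and the length reveals nothing."""
    return z.to_bytes(group_width(p), "big")


def dh_exchange(p: int, g: int) -> int:
    """Plain finite-field DH between two parties with fresh exponents; returns Z."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    z_alice = pow(pow(g, b, p), a, p)
    z_bob = pow(pow(g, a, p), b, p)
    assert z_alice == z_bob
    return z_alice


def shortened_fraction(p: int, trials: int) -> float:
    """Fraction of uniformly random Z in [1, p-1] whose TLS 1.2 encoding is
    shorter than the group width; for p just below a byte boundary ~1/256."""
    width = group_width(p)
    short = sum(len(tls12_premaster(secrets.randbelow(p - 1) + 1)) < width
                for _ in range(trials))
    return short / trials


if __name__ == "__main__":
    z = dh_exchange(P, G)
    print(f"TLS 1.2 pre_master_secret: {len(tls12_premaster(z))} bytes (varies)")
    print(f"TLS 1.3 shared secret:     {len(tls13_shared_secret(z, P))} bytes (fixed)")
    print(f"Z values with a stripped leading byte: {shortened_fraction(P, 20000):.4f}")
```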