I'm not opposed to expanding the scope of this document to include deprecating 
DHE. Is there a major advantage to that being its own draft?


> On Mar 8, 2021, at 10:09 AM, Martin Thomson <m...@lowentropy.net> wrote:
> 
> One thing at a time?
> 
> On Tue, Mar 9, 2021, at 05:05, David Benjamin wrote:
>> I'd suggest we also deprecate TLS 1.2 TLS_DHE_*, even when ephemeral:
>> 
>> - The construction is broken. The leak itself in the Raccoon attack 
>> comes from TLS 1.2 removing leading zeros. We can't change the meaning 
>> of the existing code points, so any fix there would involve dropping 
>> them.
>> 
>> - It lacks group negotiation, which makes it very difficult to migrate 
>> away from small groups. At least in the web, it's already no longer 
>> supported by most implementations.
>> https://groups.google.com/a/chromium.org/g/blink-dev/c/AAdv838-koo/m/bJv17voIBAAJ
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
>> https://weakdh.org/
>> 
>> On Mon, Mar 8, 2021 at 12:52 PM Carrick Bartle 
>> <cbartle891=40icloud....@dmarc.ietf.org> wrote:
>>> Agreed. I'll change the title to reflect that.
>>> 
>>>> On Mar 8, 2021, at 7:33 AM, Martin Thomson <m...@lowentropy.net> wrote:
>>>> 
>>>> Well overdue.  We should do this.
>>>> 
>>>> The title "Deprecating FFDH(E) Ciphersuites in TLS" doesn't seem to match 
>>>> the document content.  I only see static or semi-static DH and ECDH key 
>>>> exchange being deprecated (in the document as non-ephemeral).
>>>> 
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>> 
> 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
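
The leading-zero point in David Benjamin's message above, as an added example that is not part of the thread or of any TLS implementation: it contrasts the TLS 1.2 premaster-secret rule (RFC 5246, section 8.1.2) with the TLS 1.3 rule (RFC 8446, section 7.4.1) and shows why the fix requires new code points rather than a change to the old ones. The 64-bit prime, generator, private values and function names are constructed for the demo.

```python
from collections import Counter

# Constructed toy group: the largest 64-bit prime. Far too small for real use;
# it only keeps the demo fast. Deployed TLS_DHE groups are 2048 bits or more.
P = 2**64 - 59
G = 5
P_LEN = (P.bit_length() + 7) // 8  # byte length of the prime


def premaster_tls12(z):
    """TLS 1.2 (RFC 5246, 8.1.2): leading all-zero bytes of Z are stripped."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")


def shared_secret_tls13(z):
    """TLS 1.3 (RFC 8446, 7.4.1): Z is left-padded to the size of the prime."""
    return z.to_bytes(P_LEN, "big")


def length_survey(server_priv, handshakes):
    """Count key-derivation input lengths under both encodings.

    One server key share is combined with many client key shares
    (constructed, sequential private values so the run is repeatable).
    """
    server_pub = pow(G, server_priv, P)
    tls12, tls13 = Counter(), Counter()
    for client_priv in range(2, 2 + handshakes):
        z = pow(server_pub, client_priv, P)
        tls12[len(premaster_tls12(z))] += 1
        tls13[len(shared_secret_tls13(z))] += 1
    return tls12, tls13


if __name__ == "__main__":
    t12, t13 = length_survey(server_priv=0x1234567, handshakes=5000)
    # TLS 1.2: the input length depends on the secret value itself.
    print("TLS 1.2 premaster lengths:", dict(sorted(t12.items())))
    # TLS 1.3: one fixed length, independent of the secret.
    print("TLS 1.3 shared-secret lengths:", dict(t13))
```

Both peers of a TLS 1.2 handshake must strip the zeros to derive the same keys, so an endpoint cannot switch to the padded form on its own for the existing TLS_DHE_* code points.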
