> > which is a main reason cited for deprecating RSA in
> > draft-aviram-tls-deprecate-obsolete-kex.
>
> Have the authors look at Post-Quantum KEMs?

I'm not sure why PQ KEMs are relevant here.

> On Aug 17, 2021, at 10:41 AM, Blumenthal, Uri - 0553 - MITLL
> <u...@ll.mit.edu> wrote:
>
> > Regardless of the Raccoon attack, the static DH and ECDH ciphersuites do
> > not provide forward secrecy,
>
> Unless you use semi-static exchange, which in many cases makes sense.
>
> > which is a main reason cited for deprecating RSA in
> > draft-aviram-tls-deprecate-obsolete-kex.
>
> Have the authors look at Post-Quantum KEMs?
>
> > Do you object to just the citation of the Raccoon attack or do you also
> > feel that we should keep these ciphersuites that do not provide forward
> > secrecy around?
>
> I think these suites should stay around.
>
> While static-static indeed do not provide forward secrecy (and many of us –
> though not everybody! – care for that), static-ephemeral DH and ECDH are
> perfectly fine from that point of view.
>
> > On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 - MITLL
> > <u...@ll.mit.edu> wrote:
> >
> > > I agree with Rene’s points.
> > >
> > > --
> > > Regards,
> > > Uri
> > >
> > >
> > > From: TLS <tls-boun...@ietf.org> on behalf of
> > > Rene Struik <rstruik....@gmail.com>
> > > Date: Friday, August 13, 2021 at 09:58
> > >
> > > Dear colleagues:
> > >
> > > I think this document should absolutely *not* be adopted, without
> > > providing far more technical justification. The quoted Raccoon attack is
> > > an easy-to-mitigate attack (which has nothing to do with finite field
> > > groups, just with poor design choices of postprocessing, where one uses
> > > variable-size integer representations for a key). There are also good
> > > reasons to have key exchanges where one of the parties has a static key,
> > > whether ecc-based or ff-based (e.g., sni, opaque), for which secure
> > > implementations are known. No detail is provided and that alone should
> > > be sufficient reason to not adopt.
> > >
> > > Rene
> > >
> > > On 2021-07-29 5:50 p.m., Joseph Salowey wrote:
> > > > This is a working group call for adoption for Deprecating FFDH(E)
> > > > Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00
> > > > <https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdhe/>).
> > > > We had a presentation for this draft at the IETF 110 meeting and since
> > > > it is a similar topic to the key exchange deprecation draft the chairs
> > > > want to get a sense if the working group wants to adopt this draft
> > > > (perhaps the drafts could be merged if both move forward). Please
> > > > review the draft and post your comments to the list by Friday,
> > > > August 13, 2021.
> > > >
> > > > Thanks,
> > > >
> > > > The TLS chairs
> > >
> > > --
> > > email: rstruik....@gmail.com | Skype: rstruik
> > > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
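As an added example (not code from the thread, from any of the drafts, or from any TLS implementation), the Python below contrasts the variable-length premaster-secret encoding Rene refers to with the fixed-width encoding TLS 1.3 uses for the same finite-field DH result. The group parameters and the two secret values are constructed toys, not a real TLS group.

```python
# Added example, not from the thread. It contrasts the two ways TLS has
# encoded a finite-field DH shared secret Z before the key schedule:
#   - TLS 1.2 (RFC 5246, 8.1.2): leading all-zero bytes of Z are stripped,
#     so the premaster secret's length depends on the secret value;
#   - TLS 1.3 (RFC 8446, 7.4.1): Z is left-padded with zeros to the byte
#     length of the prime, so every secret has the same length.
# The group (p = 2^127 - 1, g = 3) is a constructed toy, not a TLS group.

from hashlib import sha256

P = (1 << 127) - 1                    # toy 16-byte prime, illustration only
G = 3
P_LEN = (P.bit_length() + 7) // 8     # 16 bytes


def dh_shared_secret(own_priv: int, peer_pub: int) -> int:
    """Plain finite-field DH: Z = peer_pub ^ own_priv mod p."""
    return pow(peer_pub, own_priv, P)


def encode_stripped(z: int) -> bytes:
    """RFC 5246 style: big-endian Z with leading zero bytes removed."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def encode_fixed(z: int) -> bytes:
    """RFC 8446 style: big-endian Z zero-padded to the size of the prime."""
    return z.to_bytes(P_LEN, "big")


def kdf_input_lengths(z: int) -> dict:
    """Length of what each encoding hands to the key derivation step."""
    return {"stripped": len(encode_stripped(z)), "fixed": len(encode_fixed(z))}


# Two constructed shared-secret values: one whose top byte is non-zero and
# one whose top byte is zero (a small but regular fraction of real secrets
# look like the second one).
Z_FULL = P - 1              # 16 significant bytes
Z_LEADING_ZERO = 1 << 100   # 13 significant bytes once leading zeros go


if __name__ == "__main__":
    # Constructed private keys; both sides must agree on Z before encoding.
    a, b = 123456789, 987654321
    assert dh_shared_secret(a, pow(G, b, P)) == dh_shared_secret(b, pow(G, a, P))
    for z in (Z_FULL, Z_LEADING_ZERO):
        print(kdf_input_lengths(z), sha256(encode_fixed(z)).hexdigest()[:16])
```

Only the fixed-width encoding gives the key derivation an input whose length is independent of the secret, which is the "postprocessing" choice the Raccoon discussion turns on.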