Hi Everyone,

Thank you for chiming in with comments and suggestions regarding
draft-deprecate-obsolete-kex :-)

I've tried to summarize everyone's comments below, hopefully grouped by
subject.
Apologies in advance if I missed anything (or misspelled names...); please
do reply to this thread :-)

My intent here is only to make sure we have a good record of the comments
made. I hope to follow up soon with a suggested way forward for the draft.

thanks,
Nimrod
===============
Scott Fluhrer: We can only check for group structure if it's a safe prime,
and even for a safe prime it's too expensive. Suggest limiting groups to a
safelist.
Mike Ounsworth: Automated scanning tools routinely flag standardized FFDHE
groups.
Daniel Kahn Gillmor and Thom Wiggers: This is because of the Logjam paper
and precomputation. But they missed that the advice to generate your own DH
params was for 1024 bit parameters for software that didn't support anything
else.
Daniel Kahn Gillmor: Would be good to discourage non-standard groups, while
acknowledging the original argument for non-standard groups and explaining
why it doesn't motivate non-standard groups today.

Viktor Dukhovni: Postfix is far from the only one with non-standardized,
built-in default groups. Even for Postfix there are several groups,
depending on the version. Would be hard to build a list of widespread
groups.
Ben Kaduk: Can we start a registry for safe, widespread groups?

Martin Thomson: We tried using a safelist (that included only 7919 groups?
- Nimrod) but people use weird groups, and we couldn't turn that on.
David Benjamin: Agree, better to turn off FFDHE entirely.
The deployability issue with 7919 is also documented in
https://mailarchive.ietf.org/arch/msg/tls/bAOJD281iGc2HuEVq0uUlpYL2Mo/
https://mailarchive.ietf.org/arch/msg/tls/DzazUXCUZDUpVgBPVHOwatb65dA/

Uri Blumenthal: We should neither recommend nor discourage non-standard
groups. Leave it to each operator to decide for themselves; they likely
know what they're doing.
Jonathan Hoyland and Martin Thomson: The pen-testing comment provides a
counterargument.

Uri Blumenthal: The draft is unnecessarily strict, from both deployment and
security points of view. Examples of stuff that should be retained: RSA,
FFDHE. PQ implications: all the NIST PQC winners and finalists are KEMs,
not KA - aka, similar to RSA rather than DH.
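The two kinds of group check the thread contrasts, a structural test (is p a safe prime, does g have the right order) versus a cheap safelist lookup, as an added example that is not part of the original message or of any TLS implementation. The safelist entry is keyed by a constructed small safe prime so the example runs instantly; a real deployment would key it with the RFC 7919 primes. The function names and the "structural-ok" / "safelisted" / "rejected" labels are my own.

```python
"""Safe-prime and safelist validation of finite-field DH group parameters.

Constructed example: shows why the structural path costs two probabilistic
primality tests on the full-size modulus, while the safelist path is one hash.
"""
import hashlib
import random


def miller_rabin(n: int, rounds: int = 32) -> bool:
    """Probabilistic primality test; trial division by small primes first."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed keeps the example reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return p % 2 == 1 and miller_rabin(p) and miller_rabin((p - 1) // 2)


def generator_ok(p: int, g: int) -> bool:
    """Require 1 < g < p - 1 and g of order q (g^q == 1 mod p).

    Generators of the full group (g^q == p - 1) are rejected: they leak one
    bit of the private exponent through quadratic residuosity of the share.
    """
    q = (p - 1) // 2
    return 1 < g < p - 1 and pow(g, q, p) == 1


def group_digest(p: int) -> str:
    """Stable key for a prime: SHA-256 over its big-endian encoding."""
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


# Constructed safelist: a real one would hold the RFC 7919 primes (ffdhe2048,
# ffdhe3072, ...). 23 = 2 * 11 + 1 is a small safe prime used only for the demo.
SAFELIST = {group_digest(23): "demo-safe-prime-23"}


def validate_group(p: int, g: int, allow_unlisted: bool = False) -> str:
    """Return 'safelisted', 'structural-ok' or 'rejected' for (p, g).

    allow_unlisted=False is the safelist-only policy; True falls back to the
    expensive structural check for groups not on the list.
    """
    name = SAFELIST.get(group_digest(p))
    if name is not None:
        return "safelisted" if generator_ok(p, g) else "rejected"
    if not allow_unlisted:
        return "rejected"
    if is_safe_prime(p) and generator_ok(p, g):
        return "structural-ok"
    return "rejected"


if __name__ == "__main__":
    for p, g, policy in ((23, 2, False), (47, 2, False), (47, 2, True), (41, 2, True)):
        print(p, g, "allow_unlisted" if policy else "safelist-only", "->", validate_group(p, g, policy))
```

With a 2048-bit modulus the `allow_unlisted=True` path runs Miller-Rabin twice (on p and on q) per handshake, which is the cost Scott Fluhrer's comment refers to; the safelist path is one hash and a dictionary lookup regardless of size, but only helps for groups that actually appear on the list.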
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls