> without further guidance they've chosen to go with literally the worst possible option instead of the perfectly-OK one. You are more than welcome to draft a document stating that, given two deprecated options, which is preferable.
> It seems the only real reason for deprecating DHE is that it's not fashionable. No one has made any statements about the fashionability or otherwise of DHE. As I stated in a different thread, this document leaves the presence of DHE in TLS 1.3 completely unscathed. As David Ben reiterated, the reasoning behind deprecation has been almost entirely based on the inability to negotiate groups. On Thu, Dec 15, 2022 at 4:26 PM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote: > Carrick Bartle <cbartle...@gmail.com> writes: > > >In the situation you've described, they've been told they shouldn't use > RSA > >either, so clearly it doesn't matter to them what we've deprecated or > not. > > Yup, because if you give people the choice between not A but not B either > then > they have to ignore one of the two, and without further guidance they've > chosen to go with literally the worst possible option instead of the > perfectly-OK one. > > Piggybacking a reply to your other message, anything that's online is DoS- > able. If I want to DoS a web server, or anything at all for that matter, > I'll > hit it with a botnet, an attack that's effective on anything no matter what > algorithm it uses. > > It seems the only real reason for deprecating DHE is that it's not > fashionable. And as my earlier message pointed out, this WG fashion > statement > has real consequences in practice. > > Peter. > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
