I oppose deprecation.

Given that we're still a ways off from standardised post-quantum key exchanges,
use of FFDHE with large key sizes is the best protection against
store-and-decrypt-later attacks (buying likely years of additional protection).
I think the deprecation is premature.

While FFDHE is far from perfect, in practical deployments none of the proposed
attacks against it are practical (yes, static FFDH is vulnerable in TLSv1.2 but
it's still a harder attack than against static RSA with Bleichenbacher-like
attacks). Thus the deprecation of it is a matter of taste, not cryptographic
necessity.

If anything, RSA key exchange should be deprecated first.
RFC 8446 deprecated only the DSA ciphersuites, not RSA.

On Tuesday, 13 December 2022 15:46:29 CET, Sean Turner wrote:
> During the tls@IETF 115 session topic covering draft-ietf-tls-deprecate-obsolete-kex, the sense of the room was that there was support to deprecate all FFDHE cipher suites including well-known groups. This message starts the process to judge whether there is consensus to deprecate all FFDHE cipher suites including those well-known groups. Please indicate whether you do or do not support deprecation of FFDHE cipher suites by 2359UTC on 6 January 2023. If you do not support deprecation, please indicate why.
>
> NOTE: We had an earlier consensus call on this topic when adopting draft-ietf-tls-deprecate-obsolete-kex, but the results were inconclusive. If necessary, we will start consensus calls on other issues in separate threads.

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
