On Tue, Dec 20, 2022 at 2:56 PM Martin Thomson <m...@lowentropy.net> wrote:
> On Tue, Dec 20, 2022, at 23:52, Hubert Kario wrote:
> > use of FFDHE with large key sizes is the best protection against
> > store-and-decrypt-later attacks
>
> This doesn't deprecate use of FFDHE in TLS 1.3, for which we have some
> ludicrously large named groups. Is that not enough?
>
> > If anything, RSA key exchange should be deprecated first.
> > RFC 8446 deprecated only the DSA ciphersuites, not RSA.
>
> This is an odd statement. TLS 1.3 ciphersuites no longer include the
> concept of key exchange or signing.

Of course? The first part of this thread says "My understanding is that we're only discussing deprecating DHE for 1.2. 1.3 is out of scope for this document."

What's the problem? IETF consensus for TLS 1.2 is recorded in RFC 9325. I guess one could say the current BCP says "SHOULD NOT", but the TLS WG has not deprecated these things. I don't know what that means, but it does sound like an extremely IETF thing to do.

thanks,
Rob
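The thread turns on the size of the finite-field group a TLS 1.2 server offers for DHE, which is visible on the wire in the ServerKeyExchange message. The following is an added example, not code from the thread or from any IETF document: it parses the ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 16-bit length-prefixed vector), reports the bit length of the modulus, and flags anything below 2048 bits as weak. The sample messages are constructed, with arbitrary odd numbers standing in for real primes; the 2048-bit threshold and the "rfc7919-size" label (which only says the size matches one of the RFC 7919 ffdhe groups, not that the prime is that group) are this example's own choices.

```python
"""Parse the DHE parameters in a TLS 1.2 ServerKeyExchange and report the
size of the offered finite-field group.

Added example for the mailing-list discussion above; not code from the
thread. The sample inputs below are constructed: the "primes" are
arbitrary odd numbers of the right bit length, not real safe primes.
"""
import struct

# Bit lengths of the named groups defined in RFC 7919 (ffdhe2048 .. ffdhe8192).
RFC7919_GROUP_BITS = (2048, 3072, 4096, 6144, 8192)
# Assumption made by this example: treat anything smaller than 2048 bits as weak.
MIN_ACCEPTABLE_BITS = 2048


def _read_opaque16(buf, off):
    """Read a <1..2^16-1> length-prefixed vector starting at offset `off`."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Return p, g, Ys as integers plus the bit length of p.

    `body` is the ServerKeyExchange body for a DHE suite: the ServerDHParams
    structure followed by the signature, which is returned as `trailing`.
    """
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    p = int.from_bytes(p_bytes, "big")
    return {
        "p": p,
        "g": int.from_bytes(g_bytes, "big"),
        "Ys": int.from_bytes(ys_bytes, "big"),
        "p_bits": p.bit_length(),
        "trailing": body[off:],
    }


def classify_group(p_bits):
    """Coarse verdict on the modulus size: weak, RFC 7919-sized, or custom."""
    if p_bits < MIN_ACCEPTABLE_BITS:
        return "weak"
    if p_bits in RFC7919_GROUP_BITS:
        return "rfc7919-size"
    return "custom"


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams structure; used here only to construct test input."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out


# Constructed sample messages: 1024-bit and 2048-bit moduli, generator 2,
# an arbitrary public value, and a placeholder signature blob.
SAMPLE_1024 = encode_server_dh_params((1 << 1023) | 0x123457, 2, 0xABCDEF) + b"\x00" * 4
SAMPLE_2048 = encode_server_dh_params((1 << 2047) | 0x123457, 2, 0xABCDEF) + b"\x00" * 4


def audit(body):
    """Return (modulus bits, verdict) for one ServerKeyExchange body."""
    params = parse_server_dh_params(body)
    return params["p_bits"], classify_group(params["p_bits"])


if __name__ == "__main__":
    for name, msg in (("1024-bit sample", SAMPLE_1024), ("2048-bit sample", SAMPLE_2048)):
        print(name, audit(msg))
```

Run against real captures, the same function distinguishes a server that still offers a 1024-bit custom group in TLS 1.2 from one that offers a group at least as large as the smallest RFC 7919 named group; a modulus size alone does not prove the server uses the named group itself, which would require comparing the full prime.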
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls