On Tuesday, 20 December 2022 19:37:14 CET, Rob Sayre wrote:
On Tue, Dec 20, 2022 at 4:53 AM Hubert Kario <hka...@redhat.com> wrote:
Thus the deprecation of it is a matter of taste, not
cryptographic
necessity.
I'm sorry if I'm being dense here, but isn't all of this a
SHOULD NOT in RFC 9325?
https://www.rfc-editor.org/rfc/rfc9325.html#name-recommendations-cipher-suit
Maybe I'm misreading that RFC, but given that it's a BCP, it
seems like deprecation is a natural step that reflects IETF
consensus.
that RFC marks both TLS_RSA_* and TLS_DHE_* as "SHOULD NOT".
Given that the former is still being exploited close to 25 years after the
Bleichenbacher attack was discovered, while the latter is basically
unexploitable with properly behaving hosts in TLSv1.2, I don't think it's
correct to consider them at the same level.
Yes, if you have ECDHE available, you SHOULD NOT use DHE in TLSv1.2. But if
everything you have is either TLS_RSA_* and TLS_DHE_*, then you're far
better
of with TLS_DHE_*.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
